Auto Free Banana

Security checks across static analysis, malware telemetry, and agentic risk

Overview

The skill’s Google Flow automation matches its stated purpose, but it handles Google session tokens and cookies and leaves a CDP-controlled Chrome profile running in ways users should review carefully.

Only install it if you are comfortable letting the skill automate a logged-in Google Flow browser session. Use a dedicated Chrome/Google profile, confirm that the consent prompt is actually performed, protect or delete the stored cookies.json when done, close the remote-debugging Chrome instance after use, and prefer installing Bun directly to relying on npx at runtime.

Static analysis

Dangerous exec (Critical, 2 findings)
Shell command execution detected (child_process).

Env credential access (Critical, 2 findings)
Environment variable access combined with network send.

Exposed secret literal (Critical, 3 findings)
File appears to expose a hardcoded API secret or token.

VirusTotal

VirusTotal findings are pending for this skill version.

Risk analysis

Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.

What this means

The skill can use and retain reusable Google Flow session credentials for the logged-in account.

Why it was flagged

The skill uses cached Google Flow cookies to obtain an OAuth access token and persists refreshed auth material, while the registry metadata declares no primary credential.

Skill content
const refreshed = await refresh_token_via_session(cached.cookies, verbose); ... await write_cookie_file(refreshed, cached.cookies, resolveFlowWebCookiePath(), 'refresh')
Recommendation

Use a dedicated Chrome/Google profile, treat the cookie file as sensitive, and require the publisher to declare the Google session credential and storage behavior clearly.

What this means

An authenticated browser profile and debugging port may remain available locally after image generation finishes.

Why it was flagged

Chrome is launched with a remote debugging port and a persistent profile, then detached from the parent process, so it may continue running after the skill task.

Skill content
`--remote-debugging-port=${get_cdp_port()}`, `--user-data-dir=${userDataDir}` ... const child = spawn(cmdExe, args, { detached: true, stdio: 'ignore' }); child.unref();
Recommendation

Close the launched Chrome instance after use, use a dedicated profile, and prefer code that records and terminates the spawned process or provides a clear cleanup command.

What this means

If the script is invoked directly or the agent skips the markdown workflow, credential/session access can begin without the documented consent prompt.

Why it was flagged

The entry point starts authentication and normal generation through client.init(); the consent workflow described in SKILL.md is not enforced in this executable before those calls.

Skill content
if (args.login) { process.env.FLOW_WEB_LOGIN = '1'; await client.init(); ... } ... await client.init();
Recommendation

Implement the consent-file check in the script itself, not only in instructions, before any login, token extraction, or generation action.

What this means

A malformed or attacker-controlled local environment value could change the shell command that runs.

Why it was flagged

An environment-derived Windows path is interpolated into a shell command rather than passed as an argument array.

Skill content
return execSync(`wslpath -u "${rawWindowsPath}"`, { encoding: 'utf-8', timeout: 5000 }).trim() || null;
Recommendation

Replace execSync string interpolation with execFileSync or spawn using an argument array.

What this means

The first run may depend on a package fetched through the local npm/npx toolchain.

Why it was flagged

If Bun is not installed, the documented fallback executes Bun via npx at runtime rather than relying only on a preinstalled, pinned binary.

Skill content
${BUN_X} = `bun` if installed, else `npx -y bun`
Recommendation

Install Bun from a trusted source before use, or require a pinned/runtime-managed dependency path.

What this means

Reaching the debugging port is expected for UI automation, but any local process that can reach that port may be able to interact with the authenticated browser profile.

Why it was flagged

The skill communicates with a localhost Chrome DevTools Protocol endpoint that controls an authenticated browser profile.

Skill content
fetch_with_timeout(`http://127.0.0.1:${port}/json/version`, { timeout_ms: 5_000 }); ... CdpConnection.connect(wsUrl, 15_000)
Recommendation

Keep the debug port local, use a dedicated profile and nondefault port where possible, and close the debugging browser when finished.