BaoziClaw

Pass

Audited by VirusTotal on May 10, 2026.

Overview

Type: OpenClaw Skill
Name: baozi-claw
Version: 1.0.0

The skill bundle contains a critical shell injection vulnerability in the root `index.ts` and the `SKILL.md` documentation. The implementation uses `child_process.exec` to invoke an external MCP server (`@baozi.bet/mcp-server`) by interpolating user-controlled arguments directly into a shell command string via `JSON.stringify`. While the behavior aligns with the stated purpose of providing Solana prediction market tools, the lack of sanitization allows for arbitrary command execution (RCE) if an attacker provides crafted input to the tools. No evidence of intentional malice or data exfiltration was found.

Findings (0)

Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.

What this means

A crafted market ID, query, or other argument could cause the local machine to run unintended commands instead of only calling Baozi.

Why it was flagged

Tool arguments are interpolated into a shell command and executed with exec; user-controlled strings can break shell quoting or alter the command.

Skill content

const command = `npx -y @baozi.bet/mcp-server --tool ${toolName} --args '${JSON.stringify(args)}'`;
...
await execAsync(command);

Recommendation

Replace shell-string execution with execFile/spawn and an argument array, strictly validate all tool inputs, and require explicit user approval before any financial action.

What this means

Crypto and betting operations depend on external package behavior that may change or be fetched dynamically.

Why it was flagged

The skill runs an external npm package dynamically at tool-call time, while the registry declares no install spec or required binary; this leaves important runtime code outside the reviewed skill boundary.

Skill content

npx -y @baozi.bet/mcp-server

Recommendation

Pin and vendor or explicitly declare the dependency, avoid npx runtime installs, and document the exact trusted package/version used.

What this means

If granted wallet authority, the skill could initiate or prepare actions that spend SOL or change account-linked market state without clearly documented safeguards.

Why it was flagged

These are wallet/account actions that can affect funds or market state, but the artifacts do not define credential source, signing flow, spending limits, or required user confirmation.

Skill content

- **Betting**: Place SOL bets on boolean or race outcomes
- **Winnings Claim**: Auto-claim resolved market payouts
- **Market Creation**: Create new Lab markets (creator profile required)

Recommendation

Use only an isolated wallet, require manual transaction review/signing, set explicit spending limits, and declare all wallet/profile credential requirements.

What this means

Users may not be able to tell what capability they are really installing or reviewing, which is especially risky for a financial skill.

Why it was flagged

A packaged SKILL.md is still a placeholder, while the top-level description claims a complete prediction-market skill; other files also disagree about which tools are actually shipped.

Skill content

Describe what your skill does here. ... ### example-tool ... Describe what this tool does.

Recommendation

Publish one consistent SKILL.md and entrypoint, remove placeholder/developer instructions, and ensure the packaged code matches the advertised tools.