Finding: suspicious.dynamic_code_execution
- Location: scripts/test-v2.3.sh:70
- Finding: Dynamic code execution detected.
Advisory. Audited by static analysis on May 10, 2026.
Detected: suspicious.dynamic_code_execution
Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.
The agent may pause or refuse actions until a mandate exists.
The skill deliberately adds a mandatory tool-check and stop/ask workflow before sensitive side-effect actions. This is central to its purpose and protective, but it does alter the agent's normal decision flow.
Before performing ANY of these actions, you MUST call `check-action` first
Install only if you want this consent-check workflow, and review the mandate prompts before approving them.
A broad mandate could let the agent run many commands without asking again until the mandate expires or is revoked.
The skill includes user-selectable templates that can authorize broad system activity for a period of time. This is disclosed and time-limited, but it is high-impact if approved casually.
`full-auto` - `system`, allowlist `all`, rate 200/hour, TTL 1d
Prefer narrow templates and path/domain/command allowlists; avoid `full-auto` unless you fully trust the agent and task.
If Pro updates are enabled, the skill may contact the provider and update local security definitions in the background.
Remote threat-definition updates are disclosed and fit the scanner purpose, but they can change scanner behavior without per-update review.
Pro tier ($19/mo): Definitions auto-update every 6 hours silently in the background.
Use the offline/free mode if you do not want background updates, and only enable Pro updates from a provider you trust.
The local ledger may contain sensitive action descriptions, recipients, spending amounts, or agent identity details.
Mandates, agent identity metadata, and action audit history are persisted locally and can influence future authorization checks.
LEDGER_FILE="$LEDGER_DIR/mandates.json"; KYA_FILE="$LEDGER_DIR/agents.json"; AUDIT_FILE="$LEDGER_DIR/audit.json"
Store the ledger in a protected directory, review audit contents periodically, and delete or archive it carefully if it contains sensitive records.
The skill is mainly a side-effect gate; it does not by itself prevent the agent from reading sensitive local files or web content.
The marketing language is broad, while the operational rules explicitly exclude read-only actions. The limitation is disclosed, but users should not assume it protects all sensitive reads.
Consent-gating for ALL sensitive agent actions... You do NOT need to check: reading files, web searches, internal reasoning
Use separate file-access controls or narrower agent permissions for confidential data, especially if read access is sensitive.