Pipedream Connect

Advisory. Audited by static analysis on May 10, 2026.

Overview

Detected: suspicious.dangerous_exec, suspicious.env_credential_access, suspicious.exposed_secret_literal (+1 more)

Findings (6)

Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.

Concern (Medium Confidence)
ASI02: Tool Misuse and Exploitation
What this means

If an unsafe identifier reaches this command, it could run unintended local shell commands under the user's account when schema listing is triggered.

Why it was flagged

The reference backend runs a shell command with an interpolated serverName. Other artifacts describe server names as including externalUserId and appSlug, which can be user-configured, so this pattern needs strict validation or non-shell execution.

Skill content
const result = execSync(`mcporter list ${serverName} --schema --json 2>/dev/null`, {
Recommendation

Use execFile/spawn with an argument array, remove shell redirection, and validate externalUserId/appSlug/serverName against a strict safe-character allowlist before any local command use.

What this means

Connected agents may be able to read or change data in the apps you authorize, depending on the app scopes and available MCP tools.

Why it was flagged

The skill is expected to use Pipedream credentials and connected-account tokens, but those tokens grant delegated access to third-party apps and are persisted in tool configuration.

Skill content
OAuth access tokens may appear in mcporter Authorization headers and should be treated as sensitive short-lived credentials
Recommendation

Connect only the apps and scopes each agent needs, use separate per-agent external user IDs, review mcporter.json permissions, and disconnect apps when no longer needed.

Note (High Confidence)
ASI10: Rogue Agents
What this means

If enabled, the refresh job can continue running and modifying token/config state after the initial setup session.

Why it was flagged

The cron-based token refresher is disclosed and user-directed, but it is persistent background behavior.

Skill content
optional token-refresh cron jobs persist until removed
Recommendation

Enable the cron job only if needed, review the generated crontab entry, and document how to remove it.

What this means

It is harder to independently verify that the bundled reference code and scripts match an official Pipedream/OpenClaw implementation.

Why it was flagged

The skill handles credentials and bundles scripts/reference code, but the provided registry metadata does not identify a source repository or homepage.

Skill content
Source: unknown; Homepage: none
Recommendation

Install only if you trust the publisher, compare the reference files against a known OpenClaw source, and prefer releases with clear provenance.

Findings (6)

critical: suspicious.dangerous_exec
Location: reference/pipedream-backend.ts:980
Finding: Shell command execution detected (child_process).

critical: suspicious.env_credential_access
Location: reference/pipedream-backend.ts:974
Finding: Environment variable access combined with network send.

critical: suspicious.exposed_secret_literal
Location: reference/pipedream-backend.ts:10
Finding: File appears to expose a hardcoded API secret or token.

critical: suspicious.exposed_secret_literal
Location: reference/pipedream-controller.ts:98
Finding: File appears to expose a hardcoded API secret or token.

critical: suspicious.exposed_secret_literal
Location: scripts/pipedream-token-refresh.py:117
Finding: File appears to expose a hardcoded API secret or token.

warn: suspicious.potential_exfiltration
Location: reference/pipedream-backend.ts:225
Finding: Sensitive-looking file read is paired with a network send.