review-manager

Security checks across static analysis, malware telemetry, and agentic risk

Overview

This review-management skill is mostly purpose-aligned, but it builds shell commands from external review text and also suggests under-scoped reuse of logged-in browser cookies.

Install only if you are comfortable reviewing and fixing the shell-command construction first. Use preview mode for replies, keep Discord alerts in a private channel, and do not allow browser cookie/session reuse unless you explicitly approve the account and scope.

Static analysis

Dangerous exec

Critical
Finding
Shell command execution detected (child_process).

Dangerous exec

Critical
Finding
Shell command execution detected (child_process).

VirusTotal

65/65 vendors flagged this skill as clean.


Risk analysis

Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.

ASI05: Unexpected Code Execution (High)
What this means

A malicious or malformed review could potentially cause local shell commands to run when alerts or reports are sent.

Why it was flagged

The shell command string includes alert text built from review fields such as review.content. Only double quotes are escaped before interpolation, so shell metacharacters that remain active inside a double-quoted string, such as command substitution, may still be interpreted by the shell.

Skill content
const cmd = `openclaw message send --channel discord --target "${channelId}" --message "${message.replace(/\"/g, '\\\"')}"`; execSync(cmd, { encoding: 'utf-8' });
Recommendation

Replace execSync shell strings with spawn/execFile argument arrays or a safe messaging API, and validate or encode all review-derived text before sending.

ASI03: Identity and Privilege Abuse (Medium)
What this means

The agent could be guided toward using an existing logged-in session, which may expose or act with more account authority than the user intended.

Why it was flagged

The documentation suggests acquiring and reusing browser cookies for a logged-in platform, but the metadata declares no credentials and the artifacts do not define cookie scope, retention, account boundaries, or approval requirements.

Skill content
Baemin login required | obtain cookies with the browser tool and reuse them
Recommendation

Require explicit user approval for any logged-in browser/session use, prefer dedicated least-privilege accounts, and document exactly which cookies or sessions are used and where they are stored.

ASI07: Insecure Inter-Agent Communication (Low)
What this means

Customer review text, which may include personal or sensitive details, can be posted into Discord.

Why it was flagged

Negative review contents are intentionally included in Discord alert messages sent to a configured channel.

Skill content
`> ${review.content}\n` ... sendDiscordAlert(config.alert.discordChannelId, message);
Recommendation

Use a private, access-controlled Discord channel and avoid sending sensitive customer details unless necessary.

ASI10: Rogue Agents (Low)
What this means

If configured, the skill may run on a schedule and send alerts without a new manual command each time.

Why it was flagged

The skill documents optional periodic execution for monitoring, but the artifact shows it as a user-added example rather than hidden self-persistence.

Skill content
cron registration example (check every hour): 0 * * * * cd ~/.openclaw/workspace/skills/review-manager && node scripts/check-negative.js
Recommendation

Only add the cron/heartbeat entry if continuous monitoring is desired, and review scheduled tasks periodically.