Markdown Editor With Chat

Advisory. Audited by static analysis on May 10, 2026.

Overview

Detected: suspicious.env_credential_access

Findings (1)

Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.

What this means

A crafted local request could potentially list, read, or save markdown files outside the folder the user intended to expose.

Why it was flagged

The filesystem boundary is enforced with a raw string-prefix check. A sibling directory whose path starts with the same prefix as MARKDOWN_DIR can pass this style of check, weakening the advertised path-traversal protection.

Skill content
const resolved = path.resolve(MARKDOWN_DIR, requestedPath);
if (!resolved.startsWith(path.resolve(MARKDOWN_DIR))) {
  return null;
}
Recommendation

Fix safePath to compare canonical paths with path.relative and reject absolute paths, '..' traversal, and separator-confused prefixes. Until fixed, use a dedicated non-sensitive MARKDOWN_DIR and keep the server bound to 127.0.0.1.

What this means

If chat is enabled, anyone who can reach the local server's chat endpoint may be able to make gateway-backed chat requests through the configured token.

Why it was flagged

The skill reads an OpenClaw gateway token from the environment and uses it as a Bearer token for chat requests. This is disclosed and purpose-aligned, but it is still delegated account/service authority.

Skill content
const GATEWAY_TOKEN = process.env.OPENCLAW_GATEWAY_TOKEN || ''; ... 'Authorization': `Bearer ${GATEWAY_TOKEN}`
Recommendation

Use a limited gateway token, keep the server on localhost unless you intentionally trust the network, and unset the token when chat is not needed.

What this means

Text you send to the chat panel, and any document content you paste into it, may be processed by the configured gateway.

Why it was flagged

Chat messages are proxied to the configured OpenClaw gateway. This is expected for the optional chat feature, but it means chat content leaves the editor process and is sent to that gateway.

Skill content
body: JSON.stringify({ model: 'default', messages, stream: false })
Recommendation

Only configure a trusted gateway URL and avoid sending sensitive markdown content unless that gateway is appropriate for it.

Findings (1)

critical

suspicious.env_credential_access

Location
scripts/server.mjs:72
Finding
Environment variable access combined with network send.