Tool Enhancement
Pass. Audited by VirusTotal on May 10, 2026.
Overview
Type: OpenClaw Skill
Name: tool-enhancement
Version: 1.0.5
The bundle provides a suite of high-privilege administrative tools including arbitrary shell execution (shell_exec), privilege escalation (shell_sudo), and full filesystem manipulation (file_write, file_delete). While these capabilities align with the stated purpose of 'Tool Enhancement,' the security guardrails are minimal; for example, the 'dangerous command' filter in exec_tools.py is easily bypassed. The inclusion of a tool that accepts plaintext sudo passwords and broad network request capabilities (http_request, api_request) creates a significant attack surface for RCE and data exfiltration if the agent is targeted by prompt injection.
Findings (0)
Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.
A mistaken, manipulated, or overly broad instruction could run harmful local commands or expose local data.
The shell tool executes an arbitrary command string through a shell and only blocks a very small list of dangerous patterns, leaving broad command execution available to the agent.
dangerous = ["rm -rf /", "mkfs", "dd if=/dev/zero", ":(){:|:&};:"] ... process = await asyncio.create_subprocess_shell(command, ...)
Require explicit confirmation for shell execution, prefer allowlisted commands, restrict working directories, avoid shell=True-style execution where possible, and log every command before running it.
An accidental Git action could commit more than the user intended, and a subsequent push could affect a shared repository.
The Git commit tool stages all repository changes by default, which can capture unintended files or secrets and later propagate if pushed.
"all": {"type": "boolean", "default": True, "description": "提交所有修改"} ... "git", "-C", str(repo_path), "add", "-A"
Default to explicit file selection, require a diff review before commit, and require a separate confirmation before push.
The skill could change the local system or remote repositories using the user's existing authority.
The documented tools can use elevated local privileges and existing Git remote credentials, but the metadata declares no primary credential or clear privilege boundary.
`shell_sudo` | Privileged execution | `command="apt update"` ... `git_push` | Push to remote | `path="."`
Only allow sudo and Git push after explicit user approval, show the exact command/repository/remote, and avoid granting autonomous access to privileged operations.
If an attacker or untrusted input can influence the expression, it may execute arbitrary Python code.
The static scan found direct eval of an expression, and the inline comment acknowledges that a safer parser should be used for production.
result = eval(expression) # Note: production should parse with ast instead
Remove eval, replace it with a strict AST-based evaluator or an allowlisted parser, and add tests proving untrusted expressions cannot access Python objects or the filesystem.
A background command could keep running after the user expected the task to be over, consuming resources or exposing services.
The background execution tool can start long-running commands with output discarded unless a log file is chosen, and the artifacts do not show a default timeout or persistent cleanup policy.
description="在后台启动进程,返回进程 ID" ... create_subprocess_shell(command, stdout=asyncio.subprocess.DEVNULL, stderr=asyncio.subprocess.DEVNULL, cwd=cwd)
Require confirmation for background jobs, set default time limits, keep visible logs, and provide reliable stop/cleanup controls across sessions.
Information saved through this skill may be reused later and could affect future agent behavior.
The skill intentionally stores and recalls memory, which is purpose-aligned but creates persistent context that may influence later tasks.
`memory_remember` | Store memory ... `memory_recall` | Retrieve memory ... `memory_dream` | Memory consolidation | `dry_run=false` ... `memory_context` | Context memory
Avoid storing secrets, provide review/delete controls, and make retention and storage location clear to users.
Sensitive context could be shared with MCP servers or influenced by MCP-provided prompts/resources if the server is not trusted.
The MCP tools are disclosed and fit the integration purpose, but they can route prompts, resources, and tool calls through external servers with unclear trust boundaries.
`mcp_discover` | Discover MCP servers ... `mcp_call` | Call MCP tool ... `mcp_resource` | Access MCP resource ... `mcp_prompt` | Use MCP prompt
Use only trusted MCP servers, show the target server/tool before calls, and avoid sending secrets or private files through MCP without explicit approval.
