Parse YAML/JSON/TOML front-matter from strings or files using the gray-matter library

Advisory. Audited by static analysis on May 10, 2026.

Overview

Detected: suspicious.dangerous_exec

Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.

What this means

The first use of the skill may fetch and run external package code and persist dependencies locally without a separate install approval step.

Why it was flagged

If gray-matter is missing, simply running the parser downloads and installs an unpinned npm package at runtime. This is related to the skill's purpose, but it bypasses a reviewed, pinned install mechanism and triggers npm's dependency-installation behavior at runtime.

Skill content

execSync('npm install gray-matter', { cwd: scriptsDir, stdio: 'ignore' });

Recommendation

Use a reviewed install spec with pinned versions and a lockfile, or require the user to preinstall the dependency explicitly. Avoid runtime npm install, or at minimum use pinned dependencies and consider disabling lifecycle scripts where feasible.

Findings (1)

critical

suspicious.dangerous_exec

Location
scripts/parse.js:31
Finding
Shell command execution detected (child_process).