Parse YAML/JSON/TOML front-matter from strings or files using the gray-matter library
Pass
Audited by VirusTotal on May 10, 2026.
Overview
Type: OpenClaw Skill
Name: gray-matter
Version: 1.0.0

The skill provides front-matter parsing utilities but includes a high-risk auto-installation feature in `scripts/parse.js`: if the dependency is missing, it runs `npm install gray-matter` through `execSync`. This behavior is documented in `SKILL.md` and supports the skill's functionality, but automatically executing a shell command that downloads and installs an external, unpinned package is a significant security risk (supply-chain compromise and arbitrary code execution via the fetched package and its lifecycle scripts). No evidence of intentional malice, data exfiltration, or prompt injection was observed.
Findings (0)
Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.
The first use of the skill may fetch and run external package code and persist dependencies locally without a separate install approval step.
If gray-matter is missing, simply running the parser downloads and installs an unpinned npm package at runtime. This is related to the skill's purpose, but it bypasses a reviewed, pinned install mechanism, and the install can run whatever lifecycle scripts the resolved package ships with.

execSync('npm install gray-matter', { cwd: scriptsDir, stdio: 'ignore' });

Recommendation: use a reviewed install spec with pinned versions and a lockfile, or require the user to preinstall the dependency explicitly. Avoid runtime npm install; at minimum, pin the dependency and disable lifecycle scripts where feasible.
