critical
suspicious.dangerous_exec
- Location
- dist/index.js:189
- Finding
- Shell command execution detected (child_process).
- Evidence
uiProcess = spawn('node', ['server.js'], {
WeCanBot Base
AdvisoryAudited by Static analysis on May 10, 2026.
Overview
Detected: suspicious.dangerous_exec, suspicious.dynamic_code_execution, suspicious.env_credential_access (+3 more)
Findings (17)
critical
suspicious.dangerous_exec
- Location
- dist/ui/lib/browser-device-approval.ts:100
- Finding
- Shell command execution detected (child_process).
- Evidence
const listed = String(exec('openclaw', listArgs, {
critical
suspicious.dynamic_code_execution
- Location
- dist/ui/lib/app-installer.ts:50
- Finding
- Dynamic code execution detected.
- Evidence
const dynamicImport = new Function('url', 'return import(url)') as (url: string) => Promise<Record<string, unknown>>;
critical
suspicious.dynamic_code_execution
- Location
- dist/ui/lib/cs-task.ts:44
- Finding
- Dynamic code execution detected.
- Evidence
const dynamicImport = new Function('url', 'return import(url)') as (url: string) => Promise<Record<string, unknown>>;
critical
suspicious.dynamic_code_execution
- Location
- dist/ui/workflows/dynamic-import.ts:6
- Finding
- Dynamic code execution detected.
- Evidence
const dynamicImportModule = new Function(
critical
suspicious.env_credential_access
- Location
- dist/ui/.next/server/app/api/apps/[appId]/install/route.js:1
- Finding
- Environment variable access combined with network send.
- Evidence
"use strict";(()=>{var a={};a.id=7371,a.ids=[7371],a.modules={261:a=>{a.exports=require("next/dist/shared/lib/router/utils/app-paths")},1932:a=>{a.exports=requi...
critical
suspicious.env_credential_access
- Location
- dist/ui/.next/server/app/api/apps/route.js:1
- Finding
- Environment variable access combined with network send.
- Evidence
"use strict";(()=>{var a={};a.id=3374,a.ids=[3374],a.modules={261:a=>{a.exports=require("next/dist/shared/lib/router/utils/app-paths")},1932:a=>{a.exports=requi...
critical
suspicious.env_credential_access
- Location
- dist/ui/.next/server/app/page.js:6
- Finding
- Environment variable access combined with network send.
- Evidence
\`\`\``:b,subtype:"toolCall"})}}if("toolResult"===b&&void 0!==a.result&&null!==a.result){let b;(b="string"==typeof a.result?a.result.trim():JSON.stringify(a.res...
critical
suspicious.env_credential_access
- Location
- dist/ui/.next/server/chunks/3445.js:1
- Finding
- Environment variable access combined with network send.
- Evidence
exports.id=3445,exports.ids=[3445],exports.modules={6634:(a,b)=>{"use strict";Object.defineProperty(b,"__esModule",{value:!0});var c={indexOfUint8Array:function...
critical
suspicious.env_credential_access
- Location
- dist/ui/.next/server/chunks/63.js:13
- Finding
- Environment variable access combined with network send.
- Evidence
Original Message: ${d}`);console.error(`Route ${b} errored during ${c}. These errors are normally ignored and may not prevent the route from prerendering but ar...
critical
suspicious.env_credential_access
- Location
- dist/ui/.next/server/chunks/9608.js:2
- Finding
- Environment variable access combined with network send.
- Evidence
`,"utf8")}function n(a=h.XP){let b=k(a),c=i(l(a).WECANBOT_SERVER_API_TOKEN);if(!c)throw Error(`WECANBOT_SERVER_API_TOKEN is required in ${b}`);return c}function...
critical
suspicious.env_credential_access
- Location
- dist/ui/lib/openclaw.ts:7
- Finding
- Environment variable access combined with network send.
- Evidence
process.env.WS_NO_BUFFER_UTIL = '1';
critical
suspicious.exposed_secret_literal
- Location
- dist/ui/.next/static/chunks/9397-48d0ceb382c67c61.js:1
- Finding
- File appears to expose a hardcoded API secret or token.
- Evidence
"use strict";(self.webpackChunk_N_E=self.webpackChunk_N_E||[]).push([[9397],{55:(e,t,n)=>{n.d(t,{B:()=>a});var r=n(2835),i=n(4294);let a={partial:!0,tokenize:fu...
warn
suspicious.obfuscated_code
- Location
- dist/ui/.next/server/app/page.js:1
- Finding
- Potential obfuscated payload detected.
- Evidence
(()=>{var a={};a.id=8974,a.ids=[8974],a.modules={261:a=>{"use strict";a.exports=require("next/dist/shared/lib/router/utils/app-paths")},1708:a=>{"use strict";a....
warn
suspicious.obfuscated_code
- Location
- dist/ui/.next/static/chunks/9397-48d0ceb382c67c61.js:1
- Finding
- Potential obfuscated payload detected.
- Evidence
"use strict";(self.webpackChunk_N_E=self.webpackChunk_N_E||[]).push([[9397],{55:(e,t,n)=>{n.d(t,{B:()=>a});var r=n(2835),i=n(4294);let a={partial:!0,tokenize:fu...
warn
suspicious.potential_exfiltration
- Location
- dist/ui/.next/server/chunks/9608.js:9
- Finding
- Sensitive-looking file read is paired with a network send.
- Evidence
`,{mode:384}),this.identity=f,f}readStoredDeviceToken(){try{if(!e().existsSync(this.deviceAuthPath))return null;let a=JSON.parse(e().readFileSync(this.deviceAut...
warn
suspicious.potential_exfiltration
- Location
- dist/ui/lib/openclaw.ts:698
- Finding
- Sensitive-looking file read is paired with a network send.
- Evidence
const parsed = JSON.parse(fs.readFileSync(this.deviceAuthPath, 'utf8')) as DeviceAuthState;