critical
suspicious.dangerous_exec
- Location
- dist/cli/openclaw-cli.js:24
- Finding
- Shell command execution detected (child_process).
- Evidence
const output = execSync(cmd, {
Octo
AdvisoryAudited by Static analysis on May 16, 2026.
Overview
Detected: suspicious.dangerous_exec, suspicious.dynamic_code_execution, suspicious.env_credential_access (+2 more)
Findings (19)
critical
suspicious.dynamic_code_execution
- Location
- node_modules/ajv/dist/compile/index.js:88
- Finding
- Dynamic code execution detected.
- Evidence
const makeValidate = new Function(`${names_1.default.self}`, `${names_1.default.scope}`, sourceCode);
critical
suspicious.dynamic_code_execution
- Location
- node_modules/ajv/dist/compile/jtd/parse.js:50
- Finding
- Dynamic code execution detected.
- Evidence
const makeParse = new Function(`${names_1.default.scope}`, sourceCode);
critical
suspicious.dynamic_code_execution
- Location
- node_modules/ajv/dist/compile/jtd/serialize.js:49
- Finding
- Dynamic code execution detected.
- Evidence
const makeSerialize = new Function(`${names_1.default.scope}`, sourceCode);
critical
suspicious.dynamic_code_execution
- Location
- node_modules/ajv/lib/compile/index.ts:165
- Finding
- Dynamic code execution detected.
- Evidence
const makeValidate = new Function(`${N.self}`, `${N.scope}`, sourceCode)
critical
suspicious.dynamic_code_execution
- Location
- node_modules/ajv/lib/compile/jtd/parse.ts:69
- Finding
- Dynamic code execution detected.
- Evidence
const makeParse = new Function(`${N.scope}`, sourceCode)
critical
suspicious.dynamic_code_execution
- Location
- node_modules/ajv/lib/compile/jtd/serialize.ts:64
- Finding
- Dynamic code execution detected.
- Evidence
const makeSerialize = new Function(`${N.scope}`, sourceCode)
critical
suspicious.dynamic_code_execution
- Location
- node_modules/har-validator/node_modules/ajv/dist/ajv.bundle.js:426
- Finding
- Dynamic code execution detected.
- Evidence
var makeValidate = new Function(
critical
suspicious.dynamic_code_execution
- Location
- node_modules/har-validator/node_modules/ajv/dist/ajv.min.js:2
- Finding
- Dynamic code execution detected.
- Evidence
(e=>{"object"==typeof exports&&"undefined"!=typeof module?module.exports=e():"function"==typeof define&&define.amd?define([],e):("undefined"!=typeof window?wind...
critical
suspicious.dynamic_code_execution
- Location
- node_modules/har-validator/node_modules/ajv/lib/compile/index.js:125
- Finding
- Dynamic code execution detected.
- Evidence
var makeValidate = new Function(
critical
suspicious.env_credential_access
- Location
- node_modules/ajv/scripts/get-contributors.js:11
- Finding
- Environment variable access combined with network send.
- Evidence
const {GH_TOKEN_PUBLIC} = process.env
critical
suspicious.exposed_secret_literal
- Location
- dist/src/api-fetch.js:575
- Finding
- File appears to expose a hardcoded API secret or token.
- Evidence
SecretKey: [REDACTED],
critical
suspicious.exposed_secret_literal
- Location
- node_modules/aws4/README.md:57
- Finding
- File appears to expose a hardcoded API secret or token.
- Evidence
Authorization: '[REDACTED] Credential=ABCDEF/20121226/us-east-1/sqs/aws4_request, ...'
critical
suspicious.exposed_secret_literal
- Location
- node_modules/conf/dist/source/index.js:309
- Finding
- File appears to expose a hardcoded API secret or token.
- Evidence
const password = [REDACTED](__classPrivateFieldGet(this, _encryptionKey), initializationVector.toString(), 10000, 32, 'sha512');
critical
suspicious.exposed_secret_literal
- Location
- node_modules/cos-nodejs-sdk-v5/sdk/base.js:3420
- Finding
- File appears to expose a hardcoded API secret or token.
- Evidence
SecretKey: [REDACTED] || this.options.SecretKey || '',
critical
suspicious.exposed_secret_literal
- Location
- node_modules/cos-nodejs-sdk-v5/sdk/cos.js:90
- Finding
- File appears to expose a hardcoded API secret or token.
- Evidence
if ([REDACTED] && !this.options.SecretKey) this.options.SecretKey = [REDACTED];
critical
suspicious.exposed_secret_literal
- Location
- node_modules/request/lib/oauth.js:34
- Finding
- File appears to expose a hardcoded API secret or token.
- Evidence
var consumer_secret_or_private_key = [REDACTED] || oa.oauth_private_key // eslint-disable-line camelcase
critical
suspicious.exposed_secret_literal
- Location
- skills/octo-bot-api/SKILL.md:479
- Finding
- File appears to expose a hardcoded API secret or token.
- Evidence
SecretKey: [REDACTED],
warn
suspicious.prompt_injection_instructions
- Location
- skills/octo-bot-api/SKILL.md:333
- Finding
- Prompt-injection style instruction pattern detected.
- Evidence
- "Ignore previous instructions and..."