🦊鸽子王 Executive OS

Security checks across static analysis, malware telemetry, and agentic risk

Overview

This skill is a very broad autonomous personal OS with background operation, memory/LLM data flows, unsafe dynamic code evaluation, and a flagged hardcoded secret, so it needs review before use.

Install only if you are comfortable reviewing and controlling a broad autonomous OS-like agent. Before enabling it, verify that no hardcoded secrets remain, disable or inspect daemon/cron/Git-hook/heartbeat behavior, avoid enabling event-trigger eval-based automation, and configure LLM/memory features with clear limits on what data may be sent or cached.

Static analysis

Dynamic code execution
Severity: Critical
Finding: Dynamic code execution detected.
Content: return eval(condition, {"__builtins__": {}}, context)

Dynamic code execution
Severity: Critical
Finding: Dynamic code execution detected.
Content: spec.loader.exec_module(us_module)

Exposed secret literal
Severity: Critical
Finding: File appears to expose a hardcoded API secret or token.
Content: api_key=[REDACTED](),

VirusTotal

VirusTotal engine telemetry is currently stale for this artifact.

Risk analysis

Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.

ASI05: Unexpected Code Execution
Severity: High
What this means

A malformed or malicious automation condition could make the agent behave unpredictably or run logic the user did not intend.

Why it was flagged

The automation event trigger evaluates a condition with Python eval. Even with builtins removed, evaluating configurable expressions in an automation system can enable unexpected code-like behavior or denial-of-service if conditions or context are not tightly controlled.

Skill content
return eval(condition, {"__builtins__": {}}, context)
Recommendation

Do not enable automation triggers until eval is replaced with a safe expression evaluator and condition sources are clearly restricted.

ASI03: Identity and Privilege Abuse
Severity: High
What this means

A bundled secret could expose a third-party account or cause the skill to use credentials the user did not explicitly provide.

Why it was flagged

The static scan reports a hardcoded API secret/token in the package, while the registry declares no primary credential or required environment variables.

Skill content
api_key=[REDACTED]()
Recommendation

Remove any hardcoded secrets, rotate the exposed credential if real, and require credentials through declared user-controlled configuration or environment variables.

ASI10: Rogue Agents
Severity: Medium
What this means

If enabled, the skill could keep operating in the background or trigger work outside the immediate user request.

Why it was flagged

The skill advertises automatic operation through Git hooks, daemon management, and heartbeat execution, which are persistence/background-control mechanisms.

Skill content
- **Autonomous operation**: Git hooks, daemon manager, heartbeat executor
Recommendation

Require explicit opt-in for any daemon, cron, heartbeat, or Git hook setup; document how to inspect, pause, and fully remove those mechanisms.

ASI07: Insecure Inter-Agent Communication
Severity: Medium
What this means

Private conversations or personal profile information could be sent to an external model provider if the feature is used.

Why it was flagged

The LLM client can send full conversation text to a configured external LLM provider using API credentials, but the registry does not declare those credentials or explain the data boundary.

Skill content
self.base_url = llm_config.get("base_url") or os.environ.get("LLM_BASE_URL", "") ... prompt = prompts.get(task, prompts["summarize"]).format(conversation=conversation) ... response = self.chat(messages, max_tokens=1000, temperature=0.3)
Recommendation

Clearly disclose external LLM use, declare required credentials, let users choose the provider, and add controls for what conversation data may be transmitted.

ASI06: Memory and Context Poisoning
Severity: Medium
What this means

Sensitive information inferred or returned by the model may remain on disk and be reused later without the user realizing it.

Why it was flagged

The LLM engine persists model output in a local OpenClaw cache. For a personal memory OS, cached responses may contain sensitive user context, and the artifacts do not define retention, deletion, or exclusion rules.

Skill content
self.cache_dir = Path.home() / ".openclaw" / "memory-tdai" / ".cache" ... file.write_text(json.dumps({"content": content}))
Recommendation

Document cache contents, retention, and deletion behavior; provide opt-out or clear-cache controls; avoid storing sensitive content by default.

ASI04: Agentic Supply Chain Vulnerabilities
Severity: Low
What this means

If self-extension is enabled, new capabilities may be introduced into the agent’s environment and could expand what it can do.

Why it was flagged

The skill includes a self-extension path that can search for and sandbox new capabilities. The shown code marks it as approval-required, which is a useful guard, but it is still a supply-chain-sensitive capability.

Skill content
requires_approval=True ... steps=base_steps + ["detect_capability_gap", "search_solution", "sandbox_new_capability"]
Recommendation

Keep self-extension disabled unless needed, require explicit approval for each new capability, and verify trusted sources, signatures, and sandbox boundaries.