suspicious.dangerous_exec
- Location
- index.js:61
- Finding
- Shell command execution detected (child_process).
Advisory
Audited by static analysis on May 10, 2026.
Detected: suspicious.dangerous_exec
Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.
A malformed or manipulated skill name could cause unsafe shell behavior, and even normal use can change installed skills in the user's OpenClaw environment.
The update command takes a command-line skill name and interpolates it into shell commands that clone or install skills, without visible input validation, safe argument passing, or confirmation.
const arg = process.argv[3]; ... case 'update': if (arg) updateSkill(arg); ... execSync(`cd ~/.openclaw/workspace/skills && git clone ${repoUrl} 2>/dev/null`, { timeout: 30000 }); ... execSync(`clawhub install ${name}`, { timeout: 30000 });
Use safe argument APIs such as spawn/execFile, validate skill names against a strict slug pattern, require explicit confirmation before installs, and restrict updates to trusted, known skills.
Updating through this skill may install or replace agent skills from external sources without strong assurance that the code is the intended version or from the intended owner.
The updater fetches skill code from GitHub or ClawHub by name, with no visible pinning, signature/checksum verification, version verification, or source review step.
const repoUrl = `https://github.com/${config.githubUsername}/${name}`; ... git clone ${repoUrl} ... catch { execSync(`clawhub install ${name}`, { timeout: 30000 }); }
Pin trusted owners and versions, show the exact source before installation, verify integrity where possible, and avoid silently falling back to another install source.
If installed as described, the skill may keep running checks and writing logs in the background.
The documentation describes a persistent scheduled job that runs every 30 minutes. It is disclosed and aligned with periodic version checking, but it continues operating outside the immediate user request.
Automatically added to crontab: ... */30 * * * * node /path/to/catch-my-skill/index.js check >> /home/orangepi/.openclaw/logs/catch-my-skill.log 2>&1
Confirm whether a crontab entry is actually installed, make scheduling opt-in, and document how to disable or remove the recurring job.