critical
suspicious.dangerous_exec
- Location
- index.js:129
- Finding
- Shell command execution detected (child_process).
Elegant Sync
AdvisoryAudited by Static analysis on May 10, 2026.
Overview
Detected: suspicious.dangerous_exec
Findings (1)
Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.
ConcernHigh Confidence
ASI06: Memory and Context PoisoningWhat this means
Private memories, identity details, agent rules, and custom skill contents can be placed in a Git repository; if that repo is public, shared, or compromised, sensitive context and agent behavior data may be exposed or later restored across devices.
Why it was flagged
A default sync collects persistent memory, identity/user files, agent instruction/config files, and whole skill directories, then pushes them to the configured Git remote.
Skill content
const target = args.find(a => !a.startsWith('--')) || 'all'; ... const coreFiles = ['AGENTS.md', 'IDENTITY.md', 'USER.md', 'SOUL.md', 'TOOLS.md', 'HEARTBEAT.md']; ... findMdFiles(memoryDir); ... copyIfExists(skillPath, ... `skills/${skill}`); ... safeExec(`git push ${repoUrl} HEAD:${branch} --force`);Recommendation
Use a private repository, run the dry-run first, inspect exactly what will be staged, and avoid syncing identity files or whole skill directories unless you have verified they contain no secrets.
ConcernHigh Confidence
ASI09: Human-Agent Trust ExploitationWhat this means
A user may trust the “safe” wording and not realize that highly personal OpenClaw context and skill files are still intended to be uploaded.
Why it was flagged
The documentation says sensitive information is not uploaded, while also listing personal memory, identity information, and custom skills as backup content.
Skill content
🔒 安全优先 - 不上传配置文件、密钥、敏感信息 ... | **workspace/memory/** | ⭐ 最重要!个人记忆,无价 | ... | workspace/IDENTITY.md | 身份信息 | ... | workspace/skills/ | 自定义技能 |
Recommendation
Treat the safety claim as incomplete; review the backup contents manually and update the documentation to clearly warn that memory, identity/user files, and skills may contain sensitive data.
ConcernHigh Confidence
ASI05: Unexpected Code ExecutionWhat this means
A bad or tampered configuration value could change the shell command being run, and local process/command visibility could expose the backup token.
Why it was flagged
Configured values are interpolated into shell command strings rather than passed as separate arguments; this creates command-injection risk from malformed repository/token/instance values and also places the token in the command string.
Skill content
return execSync(cmd, { ...options, encoding: 'utf8', stdio: 'pipe' }); ... const repoUrl = config.BACKUP_REPO.replace('https://', `https://${config.BACKUP_TOKEN}@`); ... safeExec(`git push ${repoUrl} HEAD:${branch} --force`);Recommendation
Use execFile/spawn with an argument array, strictly validate INSTANCE_ID and repository paths, and avoid putting tokens directly in shell command strings.
ConcernHigh Confidence
ASI02: Tool Misuse and ExploitationWhat this means
Running sync can overwrite the remote branch state, especially if INSTANCE_ID is misconfigured or collides with an existing branch.
Why it was flagged
Every normal sync force-pushes the selected instance branch, but the user-facing documentation does not clearly warn about the branch-history overwrite behavior.
Skill content
safeExec(`git push ${repoUrl} HEAD:${branch} --force`);Recommendation
Avoid --force by default, use --force-with-lease if needed, and require an explicit confirmation showing the target branch before pushing.
NoteHigh Confidence
ASI03: Identity and Privilege AbuseWhat this means
The token can grant write access to the configured repository, and possibly more depending on how it is created.
Why it was flagged
The skill requires a Git hosting token to push backups. This is expected for the stated purpose, but it is a privileged credential and should be scoped carefully.
Skill content
BACKUP_REPO=https://github.com/你的用户名/你的仓库名 BACKUP_TOKEN=ghp_xxx
Recommendation
Use a fine-grained token limited to one private backup repository, grant only the minimum write permissions needed, and rotate it if it may have been exposed.