critical
suspicious.dangerous_exec
- Location
- chat.js:1081
- Finding
- Shell command execution detected (child_process).
Ocean Chat
AdvisoryAudited by Static analysis on May 13, 2026.
Overview
Detected: suspicious.dangerous_exec, suspicious.exposed_secret_literal
Findings (2)
Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.
ConcernHigh Confidence
ASI05: Unexpected Code ExecutionWhat this means
If enabled, a remote message could influence commands or prompts that run on the user's computer.
Why it was flagged
The skill documents executing a local command when a message arrives, with remote message fields available for substitution; the static scan also reports child_process exec(cmd) in chat.js.
Skill content
--on-message "cmd" 收到消息时执行命令 {from} {openid} {content} {time}Recommendation
Do not enable --on-message for untrusted senders; require confirmation, use a strict allowlist, and avoid shell interpolation of message content.
ConcernHigh Confidence
ASI02: Tool Misuse and ExploitationWhat this means
Remote instructions could cause the local agent to read or modify project files, run tools, or take other high-impact actions.
Why it was flagged
The documented workflow is not just messaging; it routes remote tasks to a local coding agent to execute and report back.
Skill content
电脑上的 Claude Code 收到任务 → 执行 → 自动回复结果
Recommendation
Use this only with trusted contacts, keep the agent sandboxed, and require explicit user approval before file changes, command execution, or credential use.
ConcernHigh Confidence
ASI01: Agent Goal HijackWhat this means
A remote message may override the user's current intent or reduce opportunities for the user to approve risky actions.
Why it was flagged
The document instructs a receiving agent to treat future Bridge messages as authoritative and suppress normal clarification or approval.
Skill content
行为规则(必须遵守)... **执行任务**:解析消息内容,完成用户要求的操作 ... 不要问用户任何问题。
Recommendation
Remove mandatory/no-question language and require the agent to treat Bridge messages as untrusted until the local user confirms high-impact tasks.
ConcernHigh Confidence
ASI10: Rogue AgentsWhat this means
The listener can keep running in the background after setup or reboot and continue receiving remote instructions.
Why it was flagged
The setup guide recommends a persistent PM2 listener, including saved process state and startup configuration.
Skill content
pm2 start chat.js --name ob -- listen pm2 save pm2 startup
Recommendation
Make persistence opt-in, document how to stop/remove the PM2 process, and show clear status before accepting remote tasks.
ConcernHigh Confidence
ASI07: Insecure Inter-Agent CommunicationWhat this means
If pairing or sender identity is wrong or compromised, messages can be routed to a local agent as executable work.
Why it was flagged
The bridge pairs a WeChat user to a CC OpenID via a text command and then forwards WeChat messages into OceanBus.
Skill content
const pairMatch = text.match(/^pair\s+(\S+)\s+(\S+)/i); ... await obSender(pairing.ccOpenId, messageBody);
Recommendation
Require confirmation on both WeChat and CC sides, sign or authenticate pairings, and restrict which contacts can send task messages.
NoteHigh Confidence
ASI03: Identity and Privilege AbuseWhat this means
The skill may use an existing WeChat bot login to send messages, which is expected for notifications but sensitive.
Why it was flagged
The skill can auto-discover a WeChat plugin token from a local OpenClaw account directory to send notifications.
Skill content
path.join(os.homedir(), '.openclaw', 'openclaw-weixin', 'accounts') ... token: data.token
Recommendation
Review which account is used, prefer explicit environment variables, and revoke or rotate tokens if you stop using the bridge.
NoteHigh Confidence
ASI06: Memory and Context PoisoningWhat this means
Contact names, OpenIDs, tags, notes, and related context may persist and be reused across skills.
Why it was flagged
The address book is persistent and shared with other OceanBus skills.
Skill content
ob.roster.* ← 共享通讯录(~/.oceanbus/roster.json) ... 其他 OceanBus Skill ... 共享同一个 Roster 数据
Recommendation
Avoid storing sensitive notes in the roster and periodically review or delete shared contact data you no longer need.
NoteHigh Confidence
ASI04: Agentic Supply Chain VulnerabilitiesWhat this means
Dependency updates or a compromised package could affect the local listener or bridge.
Why it was flagged
The skill depends on external npm packages with caret version ranges; this is normal for a Node tool but affects what code runs locally.
Skill content
"dependencies": { "oceanbus": "^0.9.0", "qrcode-terminal": "^0.12.0" }Recommendation
Install from a trusted source, use the provided lockfile where possible, and review dependency updates before running persistent services.
Findings (2)
critical
suspicious.exposed_secret_literal
- Location
- chat.js:226
- Finding
- File appears to expose a hardcoded API secret or token.