Code Mentor

Advisory

Audited by Static analysis on May 10, 2026.

Overview

Detected: suspicious.dynamic_code_execution

Findings (1)

Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.

What this means

If you run the test helper on untrusted code, that code may execute with your local user permissions.

Why it was flagged

The optional test runner executes pytest, unittest, or Jest against a user-specified target, which necessarily runs local test/project code.

Skill content

cmd = ['python', '-m', 'pytest', self.target, '-v', '--tb=short'] ... cmd = ['npx', 'jest', self.target, '--verbose']

Recommendation

Only run the test helper on projects you trust, preferably in a virtual environment or sandbox for unfamiliar code.

What this means

Installing optional dependencies may fetch newer package versions than the author tested.

Why it was flagged

The optional helper-script dependencies use lower-bound version constraints rather than exact pins.

Skill content

pylint>=2.15.0
pytest>=7.2.0
colorama>=0.4.6

Recommendation

If you use the optional scripts in a sensitive environment, install dependencies in an isolated environment and consider pinning versions yourself.

What this means

Learning notes, topics, or insights may persist locally and influence future tutoring sessions.

Why it was flagged

The skill describes persistent progress tracking that can be reused across sessions.

Skill content

Your learning progress is automatically saved to `references/user-progress/learning_log.md` after each session.

Recommendation

Avoid storing sensitive personal or proprietary details in learning progress, and review or delete the learning_log.md file if you do not want persistence.

Findings (1)

critical

suspicious.dynamic_code_execution

Location

scripts/analyze_code.py:197

Finding

Dynamic code execution detected.