suspicious.dangerous_exec
- Location: guard.js:23
- Finding: Shell command execution detected (child_process).
Advisory
Audited by Static analysis on May 10, 2026.
Detected: suspicious.dangerous_exec
Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.
The skill can automatically change which model your agent uses, which may affect behavior, quality, latency, or cost.
The skill shells out to the OpenClaw CLI and can change the configured default model. The commands are purpose-aligned and bounded by hard-coded model choices, but this is still a meaningful control action.
return execSync(cmd, { encoding: 'utf8', stdio: ['ignore', 'pipe', 'ignore'] }).trim(); ... run(`openclaw models set ${bestModel}`);
Review the hard-coded model list, THRESHOLD, and FALLBACK_MODEL before use, and only run or schedule it if automatic model switching is desired.
It acts with whatever OpenClaw account/configuration permissions are available in the environment where it runs.
The skill uses the user's existing OpenClaw CLI context to read model status and modify the default model. The artifacts do not show credential logging, token handling, or unrelated account access.
const statusText = run('openclaw models status'); ... run(`openclaw models set ${FALLBACK_MODEL}`);
Run it only in an OpenClaw environment where changing the default model is acceptable, and reset the model manually if you no longer want its choice.
If scheduled, it may keep changing the default model until the cron or heartbeat configuration is removed.
The skill is explicitly intended for recurring execution if the user configures a scheduler. It does not install that persistence itself, but scheduled use would continue changing models over time.
- **Auto trigger**: Designed to be run via `cron` or `heartbeat`.
If you schedule it, document where the schedule is configured and how to disable it.
You have less external context for who maintains the skill or where to verify updates.
The skill's provenance is not documented in the provided metadata. The included code is small and reviewable, so this is a provenance note rather than evidence of malicious behavior.
Source: unknown; Homepage: none
Review the included source before installing and prefer trusted sources or pinned versions for ongoing use.