Dynamic code execution
- Finding
- Dynamic code execution detected.
Security checks across static analysis, malware telemetry, and agentic risk
CyberLens appears purpose-aligned as a security scanner; the main things to notice are expected cloud/API-key use, local handling of untrusted scan packages, and Python dependency installation.
This looks reasonable to install if you want CyberLens scanning. Use a virtual environment, review resolved Python dependencies, connect your CyberLens account only when cloud scans are needed, keep the API key/config protected, and use local scanning for private targets you do not want sent to a provider. Some implementation files were omitted from the supplied review context, so this assessment is based only on the visible artifacts.
VirusTotal findings are pending for this skill version.
Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.
A connected CyberLens API key can authorize cloud scans and consume account quota if exposed or pointed at an untrusted endpoint.
Cloud scans use a CyberLens API key and can use a configured API base URL. This is declared and purpose-aligned, but the key is sensitive and should only be sent to trusted CyberLens infrastructure or a trusted proxy.
candidate = (api_base or os.environ.get("CYBERLENS_API_BASE_URL") or DEFAULT_API_BASE).strip() ... "X-API-Key": self.api_key
Connect the account only when cloud scans are needed, protect the local config file, and do not set CYBERLENS_API_BASE_URL to a host you do not control or trust.
Website, repository, or skill URLs submitted for cloud scanning may be visible to the CyberLens service.
When cloud mode is used, the scan target URL is sent to the CyberLens provider API. This is disclosed and matches the cloud scanning feature.
response = await self._client.post(f"{self.api_base}/scan", json={"url": url})
Use local quick scanning for targets you do not want to submit to a provider, and avoid scanning private/internal URLs through cloud mode unless that is acceptable.
Future dependency changes could affect behavior or introduce dependency risk.
The skill relies on external Python packages with lower-bound version ranges rather than pinned exact versions. This is common for Python projects, but it makes installed code depend on package-index state at install time.
httpx>=0.25.0 ... pydantic>=2.4.0 ... reportlab>=4.0.0
Install in a virtual environment and consider pinning or reviewing resolved package versions before use in sensitive environments.
Scanning an untrusted package involves local download and extraction of attacker-supplied files, though no provided artifact shows execution of that code.
The scanner intentionally handles untrusted skill packages locally. That behavior is purpose-aligned for a security scanner, but safe archive handling and containment are important.
downloads the skill package, extracts it, and analyses the actual source code
Scan only URLs you intend to analyze, keep the skill updated, and use normal caution when handling direct download URLs from unknown sources.