critical
suspicious.dangerous_exec
- Location
- tools/install_shared_skill.js:25
- Finding
- Shell command execution detected (child_process).
Install Shared Skill
AdvisoryAudited by Static analysis on May 10, 2026.
Overview
Detected: suspicious.dangerous_exec
Findings (2)
Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.
ConcernHigh Confidence
ASI05: Unexpected Code ExecutionWhat this means
A crafted skill name, or a mistaken tool invocation, could run arbitrary commands as the local user in the workspace.
Why it was flagged
skillName comes from process.argv[2] and is inserted into a shell command. Shell metacharacters in the skill name could execute additional commands; the same pattern appears in tools/install_skill.js.
Skill content
const command = `clawhub install ${skillName} --workdir ./`; ... exec(command, { cwd: process.env.OPENCLAW_WORKSPACE || process.cwd() }, ...)Recommendation
Use child_process.execFile or spawn with an argument array, validate skill names against a strict slug pattern, reject shell metacharacters, and require user confirmation before running.
ConcernHigh Confidence
ASI02: Tool Misuse and ExploitationWhat this means
An unwanted or wrong skill could be installed into the shared OpenClaw environment and then be available to other agents.
Why it was flagged
The exposed tool installs an arbitrary named skill into a shared agent environment, but the artifacts do not describe approval, allowlist, version, publisher, or rollback controls.
Skill content
Install OpenClaw skills at the local/system level so they are shared by all agents... Executes: `clawhub install <skill_name> --workdir ./`
Recommendation
Require explicit user approval, show the exact skill/version/publisher before installation, prefer workspace-scoped installs by default, and provide a clear uninstall or rollback path.
NoteHigh Confidence
ASI04: Agentic Supply Chain VulnerabilitiesWhat this means
You may install whatever skill the chosen name resolves to, including future or similarly named packages if you do not verify it.
Why it was flagged
Fetching skills from ClawHub is the stated purpose, but installing by name without stated pinning or verification means the user relies on the registry resolution at install time.
Skill content
Uses the clawhub CLI to fetch and install skills... Parameters: `skill_name`
Recommendation
Install only trusted skills, verify publisher/source details, and prefer pinned versions or reviewed skill identifiers when available.
ConcernHigh Confidence
ASI08: Cascading FailuresWhat this means
A flawed or unsafe installed skill could influence all agents that use the shared skill directory.
Why it was flagged
A single install action can affect multiple agents and future sessions, so a bad install is not contained to the current task or workspace.
Skill content
shared by all agents... global OpenClaw skills directory (not workspace-scoped)
Recommendation
Test new skills in a workspace-scoped environment first, require confirmation for shared installs, and keep a documented rollback path.
Findings (2)
critical
suspicious.dangerous_exec
- Location
- tools/install_skill.js:25
- Finding
- Shell command execution detected (child_process).