Skill flagged — suspicious patterns detected
ClawHub Security flagged this skill as suspicious. Review the scan results before using.
Code Executor
v1.0.0Ejecuta código Python, JavaScript, Bash dinámicamente. El bot puede crear y ejecutar código al vuelo.
⭐ 0· 1.4k·10 current·12 all-time
byMiguel Guerra@miguelguerra200022-sudo
MIT-0
Download zip
LicenseMIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
OpenClaw
Suspicious
medium confidencePurpose & Capability
The name/description (dynamic code execution in Python/JS/Bash) matches the SKILL.md: it describes generating code, running files, REPLs, and installing runtime deps. That capability legitimately needs access to language runtimes and possibly the filesystem for file-based scripts. However, the SKILL.md references runtime guards (CODE_SANDBOX, CODE_ALLOW_NETWORK, etc.) that are not declared in the registry metadata, which is an inconsistency.
Instruction Scope
Instructions explicitly tell the agent to generate and execute arbitrary code, run scripts from home paths (e.g., run ~/script.py), rename files under arbitrary folders, and install packages with pip. These actions involve reading/writing the local filesystem, executing arbitrary processes, and pulling code from package registries — all high-scope operations. The doc says network access is blocked by default but can be toggled, and confirmations are suggested but not enforced by any declared mechanism.
Install Mechanism
There is no install spec (instruction-only skill), which minimizes disk infection risk from an installer. However, the runtime instructions permit the agent to run package managers (pip, ts-node/npm, sqlite3) to install dependencies at runtime — this allows arbitrary third-party code from package registries to be installed and executed, which is a moderate operational risk if not sandboxed.
Credentials
The SKILL.md enumerates environment controls (CODE_SANDBOX, CODE_TIMEOUT, CODE_ALLOW_NETWORK, CODE_ALLOW_FILESYSTEM, CODE_REQUIRE_CONFIRM) but the skill metadata lists no required env vars or primary credential. That mismatch means the skill expects platform-level env controls that are not declared here; it's unclear who enforces them. The skill itself can read files and run commands without declaring any permission boundaries.
Persistence & Privilege
always:false (normal). The skill is user-invocable and allows model invocation, which is standard. Still, because it enables autonomous code execution, giving it unrestricted autonomous invocation would increase risk — consider restricting autonomous use or requiring explicit user confirmation for all code runs.
What to consider before installing
This skill legitimately does what it says (generate and run code), but that ability is powerful and risky unless the platform enforces a real sandbox. Before installing: (1) Confirm your platform will enforce CODE_SANDBOX, CODE_TIMEOUT, CODE_ALLOW_NETWORK, CODE_ALLOW_FILESYSTEM and not just rely on the skill's text; (2) Require the skill to always ask for explicit user confirmation before executing scripts that modify files or install packages; (3) Block network access by default and only enable it for trusted, short-lived tasks; (4) Avoid granting it autonomous invocation if you don't want it to run code without a user-in-the-loop; (5) If you must use it, run it in an isolated test environment first and audit logs for executed commands and installed packages. The skill's mention of sandbox controls without declaring them in metadata is an inconsistency worth clarifying with the publisher.Like a lobster shell, security has layers — review code before you run it.
latestvk977s81jdzgd9rs264ehf0vx9s82109q
License
MIT-0
Free to use, modify, and redistribute. No attribution required.
Runtime requirements
⚡ Clawdis