Skylv Code Diff Tool

Advisory

Audited by Static analysis on May 10, 2026.

Overview

Detected: suspicious.dangerous_exec

Findings (1)

Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.

Concern (Medium Confidence)
ASI05: Unexpected Code Execution
What this means

A malicious or mistaken Git argument could execute local commands with the user's permissions when the Git mode is used.

Why it was flagged

The Git command is built as a shell string using interpolated arguments. In a user-invocable agent skill, this can let crafted or poorly validated arguments run unintended shell commands instead of only producing a diff.

Skill content
const out = execSync(`git ${args}`, { cwd: dir, encoding: 'utf8', timeout: 10000 });
Recommendation

Do not use the Git mode on untrusted input until it is changed to call git with an argument array, whitelist only safe diff-related options, and reject shell metacharacters.

Findings (1)

Severity: critical

Signal: suspicious.dangerous_exec

Location: diff_engine.js:295

Finding: Shell command execution detected (child_process).