Skylv Code Diff Tool
Status: Pass. Audited by VirusTotal on May 10, 2026.
Overview
Type: OpenClaw Skill
Name: skylv-code-diff-tool
Version: 1.0.0

The skill implements a functional diff and code review tool, but it contains a critical shell injection vulnerability in `diff_engine.js`. The `cmdGit` function uses `child_process.execSync` to run git commands built from unsanitized command-line arguments (`gitArgs.join(' ')`), which allows arbitrary command execution if the input is manipulated. The code appears to serve its stated purpose and shows no explicit evidence of malicious intent or data exfiltration, but this high-risk vulnerability makes the bundle unsafe to use in its current state.
Findings (0)
Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.
A malicious or mistaken Git argument could execute local commands with the user's permissions when the Git mode is used.
The Git command is built as a shell string using interpolated arguments. In a user-invocable agent skill, this can let crafted or poorly validated arguments run unintended shell commands instead of only producing a diff.
```js
const out = execSync(`git ${args}`, { cwd: dir, encoding: 'utf8', timeout: 10000 });
```

Do not use the Git mode on untrusted input until the code is changed to call git with an argument array (no shell), allow-list only safe diff-related options, and reject shell metacharacters.
