Clawdbot Security Suite.Bak
Warn
Audited by ClawScan on May 10, 2026.
Overview
This security skill has a coherent purpose, but its automatic hook appears able to run untrusted tool input through a shell, may fail open, and has provenance/install inconsistencies.
Do not enable the automatic hook until the shell execution, helper-path, and fail-open behavior are fixed. If you still test it, use a sandbox, verify the exact package/source being installed, and review or disable detailed logging.
Findings (4)
Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.
A crafted tool argument could cause local shell commands to run with the user's agent privileges.
The hook places tool arguments into a shell command string and executes it. Any user-controlled command, URL, path, or content that contains quotes or shell metacharacters could break out of the intended argument before the validator has a chance to block it.
const fullCommand = `"${CONFIG.securitySkillPath}" ${command} ${args.map(arg => `"${arg}"`).join(' ')}`;
const result = execSync(fullCommand, { encoding: 'utf8', timeout: 5000 });
Replace execSync shell-string execution with execFile/spawn using an argument array, avoid shell interpretation, and add tests for quoted and metacharacter payloads.
Users may believe the hook is blocking dangerous operations when it may silently allow them if the helper path is wrong or validation fails.
The hook looks for a helper named 'security' while the manifest and docs primarily provide 'security.sh'. If the helper is missing, validation is skipped and tool calls are allowed.
securitySkillPath: join(homedir(), '.clawdbot', 'skills', 'security', 'security')
...
if (!existsSync(CONFIG.securitySkillPath)) { ... return { allowed: true }; }
Correct the helper path, make installation self-test mandatory, and require explicit user approval or fail closed when validation is unavailable or unclear.
A user or agent following the instructions could install different code than the reviewed package.
The reviewed registry slug is 'clawdbot-security-suite-bak', while the install instructions point to different package names and an unpinned GitHub source, making it unclear which artifact a user would actually install.
clawdhub install clawdbot-security-advanced
...
git clone https://github.com/gtrusler/clawdbot-security-suite.git
Use one consistent package name, owner, and source; provide a pinned install spec or release tag; and ensure registry metadata matches the packaged files.
Sensitive information could remain in local security logs and be exposed to anyone or anything that can read those logs.
The hook persistently logs full tool-call arguments to a local file. This is aligned with audit logging, but those arguments may include commands, URLs, paths, prompts, or secrets.
logFile: join(homedir(), '.clawdbot', 'logs', 'security-events.log')
...
logSecurityEvent('INFO', `Validating tool call: ${tool}`, { args });
Redact secrets and long content before logging, document retention and permissions, and let users disable or scope logging.
