OpenClaw Shield Quick Scan
Pass
Audited by VirusTotal on May 14, 2026.
Findings (1)
The skill is highly vulnerable to shell injection and potential arbitrary code execution. The `SKILL.md` defines `target_path` and `scanner_path` as user-controlled inputs, which are then substituted directly into shell commands without any sanitization. This allows an attacker to inject arbitrary commands via `target_path` (e.g., `target_path="; rm -rf /"`) or potentially to execute an arbitrary script by overriding `scanner_path`. While the `scripts/summarize_report.py` file is benign, executing shell commands built from unsanitized user input poses a critical remote code execution risk. The skill is therefore classified as suspicious because of the severity of the vulnerability, not because of any explicit malicious intent in the provided files.
