eventlint
Advisory. Audited by static analysis on May 10, 2026.
Overview
No suspicious patterns detected.
Findings (0)
Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.
Using an untrusted or malicious license key could run arbitrary code under the user's account.
The decoded JWT/license payload is passed into extract_field and then interpolated directly into a Python command string without escaping; the field name is interpolated the same way. A crafted license token payload containing a single quote can close the string literal and execute attacker-chosen Python code during license validation. The quoted path only decodes the payload; nothing shown verifies a signature, so anyone who can supply a token controls this input.
payload=$(decode_jwt_payload "$key") ... product=$(extract_field "$payload" "product") ... python3 -c "import json; print(json.loads('$json').get('$field', ''))"
Do not use untrusted license tokens. The maintainer should parse JSON by passing data via stdin or an environment variable, avoid constructing Python/Node code with token contents, and verify JWT signatures by default.
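The interpolation pattern above, as an added example that is not the eventlint skill's own code: a reconstruction of the vulnerable extract_field next to a hardened version that hands the payload to Python through an environment variable, plus a decoder for the JWT middle segment built the same way. The names extract_field and decode_jwt_payload follow the advisory's snippet; EL_JSON, EL_FIELD, EL_TOKEN, the b64url helper, the sample token and the crafted payload are assumptions constructed for the demo, and the script decodes but does not verify a signature.

```shell
#!/usr/bin/env bash
# Added example for this finding; not code from the eventlint skill. The
# "unsafe" function reconstructs the pattern the advisory quotes (its real
# surrounding code is not on the page); everything else is hypothetical.
set -u

# VULNERABLE: payload and field name are spliced into Python source. A single
# quote in the payload closes the string literal; whatever follows is Python.
extract_field_unsafe() {
  local json="$1" field="$2"
  python3 -c "import json; print(json.loads('$json').get('$field', ''))"
}

# HARDENED: data goes through the environment, the Python source is a fixed
# quoted heredoc, and anything that is not a JSON object is rejected (exit 1).
extract_field() {
  EL_JSON="$1" EL_FIELD="$2" python3 - <<'PY'
import json, os, sys
try:
    data = json.loads(os.environ["EL_JSON"])
except ValueError:
    sys.exit(1)
if not isinstance(data, dict):
    sys.exit(1)
value = data.get(os.environ["EL_FIELD"], "")
print(value if isinstance(value, str) else json.dumps(value))
PY
}

# The JWT payload is the base64url-encoded middle segment. Same rule: the
# token reaches Python via the environment. NOTE: this only decodes; it does
# not verify the signature, which the advisory says a validator must do.
decode_jwt_payload() {
  EL_TOKEN="$1" python3 - <<'PY'
import base64, os, sys
parts = os.environ["EL_TOKEN"].split(".")
if len(parts) != 3:
    sys.exit(1)
seg = parts[1] + "=" * (-len(parts[1]) % 4)
print(base64.urlsafe_b64decode(seg).decode("utf-8", "replace"))
PY
}

# Helper used only to build the constructed sample token below.
b64url() { printf '%s' "$1" | base64 | tr -d '=\n' | tr '+/' '-_'; }

# Constructed sample inputs (not real EventLint tokens). The signature
# segment is a placeholder; nothing here checks it.
TOKEN="$(b64url '{"alg":"HS256","typ":"JWT"}').$(b64url '{"product":"pro","tier":"team"}').sig"
# A payload shaped like the advisory describes: it closes the quoted
# string, runs attacker-chosen Python, then rebuilds a valid tail.
CRAFTED="{}').get('a','') or print('INJECTED') or json.loads('{}"

payload="$(decode_jwt_payload "$TOKEN")"
echo "benign token -> product=$(extract_field "$payload" product)"
echo "--- unsafe extractor on crafted payload:"
extract_field_unsafe "$CRAFTED" product
echo "--- hardened extractor on crafted payload:"
extract_field "$CRAFTED" product || echo "rejected (exit status $?)"
```

Run with bash: the unsafe extractor prints INJECTED for the crafted payload, while the hardened one exits non-zero because the payload is not valid JSON. The same environment-variable pattern applies to the skill's config read in the next finding: a value read from openclaw.json should be handed to later steps as data, never spliced into code.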
The skill can access the EventLint license key stored in your environment or OpenClaw configuration.
The skill reads a license/API key from the EventLint environment variable or from the user's OpenClaw config file. This is expected for the paid tiers, but it is sensitive credential handling.
OPENCLAW_CONFIG="${HOME}/.openclaw/openclaw.json" ... cfg.get('skills', {}).get('entries', {}).get('eventlint', {}).get('apiKey', '')
Store only the intended EventLint license key in that field, avoid placing other secrets there, and prefer a trusted fixed version until the parsing issue above is fixed.
Commits or pushes may be delayed or blocked by EventLint scans until findings are addressed or hooks are removed.
The provided lefthook configuration runs EventLint automatically on git commit and push after hook installation. This persistence is disclosed and purpose-aligned, but it changes repository behavior.
pre-commit: ... hook_eventlint_check ... pre-push: ... bash "$EVENTLINT_SKILL_DIR/scripts/dispatcher.sh" --path . --format text
Install hooks only in repositories where you want automatic scanning, and remove or disable the lefthook configuration if it becomes disruptive.
Installing the optional hook integration adds a third-party binary to the local environment.
The skill depends on installing the external lefthook binary through Homebrew. This is coherent with the git hook feature, but users are trusting that package source.
brew | formula: lefthook | creates binaries: lefthook
Install lefthook from a trusted package source and keep it updated; skip hook installation if one-shot scans are sufficient.
