critical
suspicious.dangerous_exec
- Location
- scripts/scene-trigger.js:34
- Finding
- Shell command execution detected (child_process).
Workday Music & Greet
AdvisoryAudited by Static analysis on May 10, 2026.
Overview
Detected: suspicious.dangerous_exec
Findings (1)
Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.
What this means
The skill can run local commands when a scene is triggered.
Why it was flagged
The script runs a shell command using a scene value loaded from config.json. This is expected for controlling music scenes, but unsafe config edits could turn it into broader command execution.
Skill content
execSync(`home-music ${scene.musicScene}`, { stdio: 'inherit', timeout: 15000 });Recommendation
Only use trusted scene names, avoid shell metacharacters in config.json, and prefer a safer implementation such as execFile/spawn with fixed arguments.
What this means
Anyone or anything running the configured cron/script with access to the .env file can send the configured greeting emails through that SMTP account.
Why it was flagged
The skill authenticates to the user's SMTP account to send greeting emails. This is aligned with the email feature, but it grants send-mail authority.
Skill content
auth: { user: process.env.SMTP_USER, pass: process.env.SMTP_PASS }Recommendation
Use an app-specific SMTP password, verify SMTP_HOST/GREET_TO/SMTP_FROM before enabling cron, and protect or remove the .env file when not needed.
What this means
Music changes and greeting emails may continue to run on weekdays until the cron jobs are removed.
Why it was flagged
The setup script prints recurring OpenClaw cron commands for each configured scene. This is the advertised scheduling behavior, but it creates persistent automation if registered.
Skill content
openclaw cron add "${expr}" "node ${scriptPath} ${key}"Recommendation
Review each generated cron entry, confirm the schedule and timezone, and keep a record of how to list and remove these jobs.