Claw Audit

Advisory. Audited by static analysis on May 10, 2026.

Overview

Detected: suspicious.dangerous_exec, suspicious.dynamic_code_execution, suspicious.potential_exfiltration (+1 more)

Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.

What this means

If approved, the skill may change local OpenClaw security settings.

Why it was flagged

The skill can run an auto-fix script that may change OpenClaw configuration, but the artifact instructs the agent to ask for confirmation first.

Skill content

### Auto-Fix ... `node scripts/auto-fix.mjs` ... **Always ask for confirmation before applying fixes.** Show what will change and let the user approve.

Recommendation

Review the proposed changes before approving auto-fix; prefer dry-run or manual review for important configurations.

What this means

The skill needs local access to configuration and credential-related files to report insecure storage.

Why it was flagged

The config auditor reads local .env files to detect known credential key names. The shown code reports presence/key names, not secret values.

Skill content

const envFile = join(stateDir, ".env"); ... const content = readFileSync(envFile, "utf-8"); ... `Plaintext credential found: ${key}`

Recommendation

Only run it in an environment where you are comfortable with a local audit tool inspecting OpenClaw config and .env files.

What this means

Watch mode may continue consuming resources and observing local skill/config changes until stopped.

Why it was flagged

The skill includes a long-running/background monitor, but it is disclosed and tied to user requests to watch or monitor.

Skill content

### Watch Mode ... `node scripts/watch.mjs` ... This runs in the background and alerts when new skills are installed or config changes.

Recommendation

Start watch mode only when you want ongoing monitoring, and stop the process when monitoring is no longer needed.

What this means

It may be harder to independently verify where the code came from or compare it with an upstream release.

Why it was flagged

The registry metadata does not provide a source repository or homepage, which weakens provenance for a tool that runs local audit scripts.

Skill content

Source: unknown; Homepage: none

Recommendation

Install only from a trusted registry entry, review the bundled files, and prefer a verified source repository when available.

What this means

Users might place too much confidence in the exact implementation claim.

Why it was flagged

Static scan snippets show some internal `execSync` template-literal command wrappers, so this safety guarantee is overstated even though the shown commands appear to run bundled scripts rather than user-provided commands.

Skill content

**No shell injection risk** — external processes use `spawnSync` with argument arrays, never template literals

Recommendation

Treat the README guarantee as imprecise; maintainers should update the wording or replace shell-string execSync calls with argument-array process execution.

Findings (18)

critical
suspicious.dangerous_exec
Location: scripts/audit-config-optimized.mjs:139
Finding: Shell command execution detected (child_process).

critical
suspicious.dangerous_exec
Location: scripts/audit-config.mjs:123
Finding: Shell command execution detected (child_process).

critical
suspicious.dangerous_exec
Location: scripts/audit-system.mjs:62
Finding: Shell command execution detected (child_process).

critical
suspicious.dangerous_exec
Location: scripts/auto-fix.mjs:203
Finding: Shell command execution detected (child_process).

critical
suspicious.dangerous_exec
Location: scripts/calculate-score.mjs:187
Finding: Shell command execution detected (child_process).

critical
suspicious.dangerous_exec
Location: scripts/watch.mjs:60
Finding: Shell command execution detected (child_process).

critical
suspicious.dangerous_exec
Location: tests/audit-system.test.mjs:21
Finding: Shell command execution detected (child_process).

critical
suspicious.dangerous_exec
Location: tests/basic.test.mjs:19
Finding: Shell command execution detected (child_process).

critical
suspicious.dangerous_exec
Location: tests/check-integrity.test.mjs:186
Finding: Shell command execution detected (child_process).

critical
suspicious.dangerous_exec
Location: tests/lib/test-utils.mjs:10
Finding: Shell command execution detected (child_process).

critical
suspicious.dynamic_code_execution
Location: scripts/audit-config-optimized.mjs:303
Finding: Dynamic code execution detected.

critical
suspicious.dynamic_code_execution
Location: scripts/audit-config.mjs:287
Finding: Dynamic code execution detected.

critical
suspicious.dynamic_code_execution
Location: tests/audit-config.test.mjs:31
Finding: Dynamic code execution detected.

critical
suspicious.dynamic_code_execution
Location: tests/scan.test.mjs:36
Finding: Dynamic code execution detected.

warn
suspicious.potential_exfiltration
Location: tests/scan.test.mjs:39
Finding: Sensitive-looking file read is paired with a network send.

warn
suspicious.prompt_injection_instructions
Location: PROJECT.md:70
Finding: Prompt-injection style instruction pattern detected.

warn
suspicious.prompt_injection_instructions
Location: README.md:57
Finding: Prompt-injection style instruction pattern detected.

warn
suspicious.prompt_injection_instructions
Location: SKILL.md:109
Finding: Prompt-injection style instruction pattern detected.