critical
suspicious.dangerous_exec
- Location
- index.js:105
- Finding
- Shell command execution detected (child_process).
Arxiv Agentic Verifier
AdvisoryAudited by Static analysis on May 10, 2026.
Overview
Detected: suspicious.dangerous_exec
Findings (1)
Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.
ConcernHigh Confidence
ASI05: Unexpected Code ExecutionWhat this means
Untrusted or malicious candidate code could read, modify, or delete local files, access environment variables, use the network, or otherwise act with the user's local permissions.
Why it was flagged
The skill writes caller-supplied code to a local file and executes it with the host Python or Node interpreter. The only containment shown is a 5-second timeout, not a sandbox.
Skill content
fs.writeFileSync(filepath, code); ... const output = execSync(command, { input: input, timeout: 5000, encoding: 'utf-8' });Recommendation
Run this only inside a disposable sandbox, VM, or container with restricted filesystem, network, and environment access. Add explicit user confirmation before executing code and declare the Python/Node execution requirement.
NoteHigh Confidence
ASI07: Insecure Inter-Agent CommunicationWhat this means
Private problem statements, proprietary code, or secrets embedded in code could be sent to OpenAI.
Why it was flagged
Problem descriptions and candidate code are included in the prompt sent to OpenAI for test generation. This is purpose-aligned, but it is an external provider data flow.
Skill content
Problem:\n${problemDescription}\n\nCode:\n${candidateCode} ... this.openai.chat.completions.create({ messages: [{ role: "user", content: prompt }], model: "gpt-4-turbo-preview"Recommendation
Do not submit confidential code or secrets unless that provider use is acceptable. Document the external data flow clearly for users.
NoteHigh Confidence
ASI03: Identity and Privilege AbuseWhat this means
The skill can consume the user's OpenAI quota and make requests under that credential.
Why it was flagged
The skill uses an OpenAI API key for LLM reasoning. This is expected for the stated purpose, and the artifacts do not show hardcoded keys, logging, or unrelated credential use.
Skill content
const key = apiKey || process.env.OPENAI_API_KEY; ... this.openai = new OpenAI({ apiKey: key });Recommendation
Use a dedicated, limited API key and monitor usage. The registry metadata should declare the OPENAI_API_KEY requirement.
NoteMedium Confidence
ASI04: Agentic Supply Chain VulnerabilitiesWhat this means
It is harder to verify maintainership, update history, or whether future releases match the reviewed code.
Why it was flagged
The registry record provides no source repository or homepage, so provenance review is limited to the submitted artifacts.
Skill content
Source: unknown Homepage: none
Recommendation
Install only if you trust the publisher and the provided package contents; prefer a public source repository for future review.