critical
suspicious.dangerous_exec
- Location
- index.js:19
- Finding
- Shell command execution detected (child_process).
Browser Research Lite
AdvisoryAudited by Static analysis on May 10, 2026.
Overview
Detected: suspicious.dangerous_exec
Findings (1)
Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.
NoteMedium Confidence
ASI01: Agent Goal HijackWhat this means
A malicious or misleading web page could try to influence the agent if the agent treats page text as instructions instead of evidence.
Why it was flagged
The skill intentionally retrieves and reads external web pages, which can contain untrusted text. The source-quality and cross-checking guidance is helpful, but there is no explicit instruction to treat web page instructions as untrusted.
Skill content
Scan top results and open 2-3 high-quality sources.
Recommendation
Use the browser for evidence gathering only, prefer trusted sources, and ignore any page content that attempts to instruct the agent or change the user’s goal.
NoteHigh Confidence
ASI05: Unexpected Code ExecutionWhat this means
Invoking the skill can execute local code from the skill package to check browser availability.
Why it was flagged
The skill runs a local Python helper through a shell command. The command is bounded to the bundled guard script and does not include the user query, so it appears purpose-aligned rather than hidden or destructive.
Skill content
const output = execSync(`python3 "${scriptPath}"`, { encoding: 'utf8', stdio: 'pipe' });Recommendation
Review the bundled helper before installation; maintainers should prefer execFileSync or spawn with an argument array to avoid shell parsing.
NoteHigh Confidence
ASI04: Agentic Supply Chain VulnerabilitiesWhat this means
The skill may not work as expected unless Python and the OpenClaw CLI are available and trusted in the local PATH.
Why it was flagged
The guard relies on a local OpenClaw CLI command, and SKILL.md runs the guard with python3, while the registry metadata declares no required binaries. This is an under-declared local dependency, not evidence of malicious behavior.
Skill content
["openclaw", "browser", "status", "--json"]
Recommendation
Document Python and OpenClaw CLI requirements in metadata, and ensure the local CLI being invoked is the expected one.
NoteHigh Confidence
ASI06: Memory and Context PoisoningWhat this means
Recent local agent session logs may be read locally to decide whether browser use is available.
Why it was flagged
The guard reads tails of recent OpenClaw session files matching hle_eval_*.jsonl and counts browser-related strings. It does not print or transmit log contents, but it does touch persistent local agent history.
Skill content
p.add_argument("--sessions-dir", default=os.path.expanduser("~/.openclaw/agents/main/sessions"))Recommendation
Install only if this local log check is acceptable; maintainers should disclose the session-log scan in user-facing documentation and keep output limited to aggregate status.