Task Notifier

Advisory. Audited by static analysis on May 12, 2026.

Overview

Detected: suspicious.dangerous_exec

Findings (1)

Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.

Concern. High Confidence
ASI05: Unexpected Code Execution
What this means

A crafted agent name, workspace path, or install path containing shell syntax could run unintended local commands when an agent starts or ends.

Why it was flagged

The plugin assembles a shell command string from runtime values such as the agent display name and workspace-derived state directory instead of using execFile/spawn with separate argv and env parameters. Shell metacharacters in those values could change what command is executed under the user's account.

Skill content
execSync(
    `AGENT_NAME="${displayName}" STATE_DIR="${stateDir}" "${SHARED_SCRIPT}" ${action} "${message}"`,
Recommendation

Replace shell-string execSync with execFileSync or spawn using an argument array and an env object, validate/escape runtime values, and separately escape strings passed into AppleScript.

What this means

The plugin may need macOS automation permissions and can locally observe the current foreground app/window title, though the artifacts do not show this data being sent anywhere.

Why it was flagged

The script uses macOS automation to inspect the foreground application/window title so it can suppress notifications while OpenClaw is active. This is purpose-aligned, but it is a local visibility/automation capability users should understand.

Skill content
tell application "System Events"
  set frontProc to first application process whose frontmost is true
  set winTitle to name of front window of frontProc
Recommendation

Install only if you are comfortable granting the plugin local macOS automation visibility for notification suppression.

Note. High Confidence
ASI10: Rogue Agents
What this means

After setup, it will automatically monitor all agent completions in the background.

Why it was flagged

The plugin is configured to start automatically with OpenClaw. This matches the advertised background notifier behavior, but it means the code continues running across OpenClaw sessions until removed or disabled.

Skill content
"activation": {
    "onStartup": true
  }
Recommendation

Confirm you want a persistent startup plugin, and know how to remove it from the OpenClaw plugin configuration if you no longer want notifications.

What this means

Users on non-macOS systems, or users expecting an instruction-only skill, may not realize this package includes a runtime plugin that must be manually loaded and runs macOS commands.

Why it was flagged

The registry metadata does not declare the macOS-only runtime requirements or plugin installation behavior, while the source and SKILL.md require macOS tools such as osascript and afplay. This is an under-declared compatibility/provenance issue, not evidence of hidden exfiltration.

Skill content
OS restriction: none
Required binaries (all must exist): none
Install specifications
No install spec — this is an instruction-only skill.
Recommendation

The publisher should declare macOS requirements and plugin/runtime behavior in metadata; users should verify the plugin files before manual installation.

Findings (1)

critical

suspicious.dangerous_exec

Location
src/index.ts:50
Finding
Shell command execution detected (child_process).