Self Evolving Skill

Advisory: audited by static analysis on May 10, 2026.

Overview

Detected: suspicious.dangerous_exec

Findings (1)

This is an artifact-based, informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes, so the findings below describe what the artifacts show, not observed behavior.

What this means

An agent could persistently reinforce or change this skill's learned behavior based on arbitrary tool calls, which may affect later tasks.

Why it was flagged

The exposed MCP tool lets an agent execute a skill and trigger learning in one call. Its `success` parameter defaults to `true` and `value` to `1.0`, so a call that omits both still records a positive learning signal. The schema shows no approval step, scope limits, rollback, or other safeguards for an operation that changes future behavior.

Skill content
skill_execute: { name: 'skill_execute', description: '执行Skill并触发学习' ... success ... default: true ... value ... default: 1.0 }
(The description translates as "Execute the Skill and trigger learning".)

Recommendation

Require explicit user approval for create/execute/save/load operations, constrain the allowed skill IDs and task contexts, make `success` and `value` explicit rather than defaulted, and provide auditable rollback or reset controls for learned state.

What this means

Incorrect or adversarial task context could be reused later as learned experience, changing future behavior in ways the user may not expect.

Why it was flagged

The skill explicitly caches learned patterns and automatically persists/loads them, but the artifacts do not clearly bound what task context is stored, how long it is retained, or how poisoned learned state is prevented from influencing future tasks.

Skill content
- **Experience replay** (经验回放): caches learned patterns to reduce repeated triggering
- **Persistence** (持久化): experience is saved and loaded automatically

Recommendation

Treat stored learning state as untrusted, keep it in a scoped workspace, document retention and reset behavior, and require review before reusing learned state across tasks.
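The two recommendations above (gated, explicit, reversible learning; persisted state treated as untrusted) can be combined in one guarded store. The following TypeScript is an added example written for this review, not code from the Self Evolving Skill itself; the entry shape, the policy fields, the approval callback and the retention rule are assumptions chosen to illustrate the controls, and the sample persisted blob in the usage is constructed.

```typescript
// Added example (not the skill's own code): a learning store that refuses
// silent learning, allowlists skill IDs, keeps rollback points, and treats
// anything loaded from disk as untrusted input. Field names are hypothetical.
import { createHash } from 'node:crypto';

export interface LearnedEntry {
  skillId: string;   // which skill the experience belongs to
  context: string;   // task context that produced it (bounded in length)
  value: number;     // learning signal, must lie in [-1, 1]
  learnedAt: number; // epoch milliseconds
}

export interface LearningPolicy {
  allowedSkillIds: Set<string>;
  retentionMs: number;        // entries older than this are dropped on load
  maxContextChars: number;    // cap on stored task context
  // Consulted before any behaviour-changing write; true means approved.
  approve: (op: string, entry: LearnedEntry) => boolean;
}

export class GuardedLearningStore {
  private entries: LearnedEntry[] = [];
  private snapshots: LearnedEntry[][] = [];
  readonly audit: string[] = [];

  constructor(private readonly policy: LearningPolicy) {}

  // Persisted state is untrusted: every field is checked, and entries that
  // fail the allowlist, size, range or retention rules are dropped.
  load(raw: string, now: number): { kept: number; rejected: number } {
    let parsed: unknown;
    try { parsed = JSON.parse(raw); } catch { return this.rejectLoad('unparseable'); }
    if (!Array.isArray(parsed)) return this.rejectLoad('not an array');
    const kept: LearnedEntry[] = [];
    let rejected = 0;
    for (const item of parsed) {
      const entry = this.validate(item, now);
      if (entry) kept.push(entry); else rejected++;
    }
    this.entries = kept;
    this.audit.push(`load kept=${kept.length} rejected=${rejected}`);
    return { kept: kept.length, rejected };
  }

  private rejectLoad(reason: string): { kept: number; rejected: number } {
    this.audit.push(`load rejected: ${reason}`);
    return { kept: 0, rejected: 1 };
  }

  private validate(item: unknown, now: number): LearnedEntry | null {
    if (typeof item !== 'object' || item === null) return null;
    const o = item as Record<string, unknown>;
    if (typeof o.skillId !== 'string' || !this.policy.allowedSkillIds.has(o.skillId)) return null;
    if (typeof o.context !== 'string' || o.context.length > this.policy.maxContextChars) return null;
    if (typeof o.value !== 'number' || !Number.isFinite(o.value) || o.value < -1 || o.value > 1) return null;
    if (typeof o.learnedAt !== 'number' || now - o.learnedAt > this.policy.retentionMs) return null;
    return { skillId: o.skillId, context: o.context, value: o.value, learnedAt: o.learnedAt };
  }

  // Unlike the reviewed tool schema, success and value have no defaults: the
  // caller must state both, the entry must validate, and the policy must approve.
  learn(skillId: string, context: string, success: boolean, value: number, now: number): boolean {
    const entry: LearnedEntry = { skillId, context, value: success ? value : -value, learnedAt: now };
    if (!this.validate(entry, now)) { this.audit.push(`learn rejected skill=${skillId}`); return false; }
    if (!this.policy.approve('learn', entry)) { this.audit.push(`learn denied skill=${skillId}`); return false; }
    this.snapshots.push([...this.entries]); // rollback point taken before the write
    this.entries.push(entry);
    this.audit.push(`learn ok skill=${skillId} entry=${digest(entry)}`);
    return true;
  }

  rollback(): boolean {
    const previous = this.snapshots.pop();
    if (!previous) return false;
    this.entries = previous;
    this.audit.push('rollback');
    return true;
  }

  reset(): void { this.entries = []; this.snapshots = []; this.audit.push('reset'); }
  save(): string { return JSON.stringify(this.entries); }
  size(): number { return this.entries.length; }
}

// Short digest so audit lines can be correlated with stored entries.
function digest(entry: LearnedEntry): string {
  return createHash('sha256').update(JSON.stringify(entry)).digest('hex').slice(0, 12);
}
```

The important design choice is that `load` never partially trusts a blob: an entry for a skill outside the allowlist, an out-of-range value or an expired record is dropped rather than repaired, and the audit log records how much was rejected so a poisoned state file is visible instead of silently shaping later tasks.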

What this means

A user may end up running unreviewed Python code, or a differently packaged version of the skill, in order to make it work.

Why it was flagged

The runtime is designed to execute core/mcp_server.py if present, and other files import core modules, but the provided manifest does not include the core directory. That leaves the main Python behavior outside the reviewed artifact set.

Skill content
const serverPath = join(dirname(__dirname), 'core', 'mcp_server.py'); ... this.process = spawn('python3', [serverPath, '--port', String(this.port), '--storage', this.storageDir]

Recommendation

Publish and review the full core implementation with the skill, pin the expected package contents, and avoid executing components that are not included in the reviewed release.

What this means

Local Python code may run when the engine initializes.

Why it was flagged

The skill performs local process execution to bridge to a Python MCP server. This is disclosed and purpose-aligned, but users should be aware that installing or enabling it may run local code.

Skill content
spawn('python3', [serverPath, '--port', String(this.port), '--storage', this.storageDir], { stdio: ['pipe', 'pipe', 'pipe'] })

Recommendation

Only enable it from a trusted package, review the Python server code, and run it in a least-privilege workspace.
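One way to act on the two preceding recommendations (do not execute components outside the reviewed release; run the bridged server with least privilege) is to pin the shipped core files to digests recorded at review time and refuse to spawn if they are missing or altered. The TypeScript below is an added example for this review, not the skill's own wrapper; the manifest format, the `demo` fixture (a constructed stub `mcp_server.py` in a temporary directory) and the minimal environment are assumptions, while the spawn arguments follow the reviewed snippet.

```typescript
// Added example (not the skill's own code): verify a pinned manifest of the
// core files before spawning python3, and spawn with an argument array, a
// scoped working directory and a stripped environment.
import { createHash } from 'node:crypto';
import { existsSync, mkdirSync, mkdtempSync, readFileSync, writeFileSync } from 'node:fs';
import { tmpdir } from 'node:os';
import { join } from 'node:path';
import { spawn, type ChildProcess, type SpawnOptions } from 'node:child_process';

// Relative path -> expected SHA-256 hex digest, fixed when the release is reviewed.
export type Manifest = Record<string, string>;

export function sha256File(path: string): string {
  return createHash('sha256').update(readFileSync(path)).digest('hex');
}

// Every manifest entry must exist and match; a missing file is a failure too.
export function verifyManifest(root: string, manifest: Manifest): { ok: boolean; problems: string[] } {
  const problems: string[] = [];
  for (const [rel, expected] of Object.entries(manifest)) {
    const abs = join(root, rel);
    if (!existsSync(abs)) { problems.push(`missing: ${rel}`); continue; }
    if (sha256File(abs) !== expected) problems.push(`digest mismatch: ${rel}`);
  }
  return { ok: problems.length === 0, problems };
}

// The invocation the wrapper would use: no shell, cwd pinned to the skill's
// storage directory, and only PATH and LANG passed through (no inherited secrets).
export function buildSpawnSpec(root: string, port: number, storageDir: string):
  { command: string; args: string[]; options: SpawnOptions } {
  return {
    command: 'python3',
    args: [join(root, 'core', 'mcp_server.py'), '--port', String(port), '--storage', storageDir],
    options: {
      cwd: storageDir,
      env: { PATH: process.env.PATH ?? '/usr/bin:/bin', LANG: 'C.UTF-8' },
      stdio: ['pipe', 'pipe', 'pipe'],
    },
  };
}

export function launchIfVerified(root: string, manifest: Manifest, port: number, storageDir: string): ChildProcess {
  const check = verifyManifest(root, manifest);
  if (!check.ok) throw new Error(`refusing to start unreviewed core: ${check.problems.join('; ')}`);
  const spec = buildSpawnSpec(root, port, storageDir);
  return spawn(spec.command, spec.args, spec.options);
}

// Self-contained demonstration on a constructed skill directory (nothing is
// spawned): pin a stub server file, verify, then tamper with it and re-verify.
export function demo(): { before: boolean; after: boolean; missing: boolean } {
  const root = mkdtempSync(join(tmpdir(), 'skill-'));
  mkdirSync(join(root, 'core'));
  const server = join(root, 'core', 'mcp_server.py');
  writeFileSync(server, 'print("stub server")\n');              // constructed stand-in
  const manifest: Manifest = { 'core/mcp_server.py': sha256File(server) };
  const before = verifyManifest(root, manifest).ok;
  writeFileSync(server, 'import os; os.system("id")\n');       // simulated tampering
  const after = verifyManifest(root, manifest).ok;
  const withExtra: Manifest = { ...manifest, 'core/learner.py': manifest['core/mcp_server.py'] };
  const missing = verifyManifest(root, withExtra).ok;
  return { before, after, missing };
}
```

The manifest does the work the reviewed package currently leaves undone: if `core/` is not shipped, verification fails on `missing:` rather than letting the wrapper run whatever happens to be at that path, and a locally edited server fails on the digest check.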

What this means

Task context and embeddings may be passed to a local server process; if that server is exposed or replaced, tool calls could cross an unintended boundary.

Why it was flagged

The TypeScript wrapper sends tool calls to a localhost MCP-style HTTP endpoint, but no authentication or caller-boundary mechanism is shown in the reviewed client code.

Skill content
hostname: 'localhost', port: this.port, path: '/tools', method: 'POST'

Recommendation

Bind the server to the loopback interface only (the reviewed client targets localhost, but the server's bind address lives in the Python code that is not in the reviewed artifacts), add caller validation such as a per-session secret where possible, and avoid sending sensitive context unless the full server implementation is trusted.
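As an added example of the caller validation suggested above (written for this review, not taken from the skill), the wrapper can mint a random per-session secret, hand it to the process it spawns, and send it on every `/tools` request; the server side, which the bridged Python process would have to implement, accepts only loopback callers that present the secret. The header, the environment variable name and the Host/Origin rules are assumptions.

```typescript
// Added example (not the skill's own code): shared-secret caller validation
// for the localhost tool endpoint. Names below are hypothetical.
import { randomBytes, timingSafeEqual } from 'node:crypto';
import type { RequestOptions } from 'node:http';

// Assumed environment variable through which the wrapper passes the secret to
// the spawned server (environment, not argv, so it is absent from `ps` output).
export const TOKEN_ENV = 'SKILL_TOOL_TOKEN';

export function issueSessionToken(): string {
  return randomBytes(32).toString('hex'); // 256 bits, fresh on every wrapper start
}

// Client side: the wrapper's request, now to an explicit loopback address and
// carrying the bearer secret.
export function buildToolRequest(port: number, token: string, bodyLength: number): RequestOptions {
  return {
    hostname: '127.0.0.1',           // literal loopback, not a name that could resolve elsewhere
    port,
    path: '/tools',
    method: 'POST',
    headers: {
      'content-type': 'application/json',
      'content-length': String(bodyLength),
      'authorization': `Bearer ${token}`,
    },
  };
}

// Server side: reject non-loopback peers, browser-originated requests (which
// could reach localhost via DNS rebinding or a page script), unexpected Host
// headers, and any token that does not match in constant time.
export function authorizeToolCall(
  headers: Record<string, string | undefined>,
  remoteAddress: string | undefined,
  expectedToken: string,
): { ok: boolean; reason?: string } {
  const loopback = new Set(['127.0.0.1', '::1', '::ffff:127.0.0.1']);
  if (remoteAddress === undefined || !loopback.has(remoteAddress)) return { ok: false, reason: 'non-loopback caller' };
  if (headers['origin'] !== undefined) return { ok: false, reason: 'browser origin present' };
  const rawHost = headers['host'] ?? '';
  const host = rawHost.startsWith('[') ? rawHost.slice(0, rawHost.indexOf(']') + 1) : rawHost.split(':')[0];
  if (!['127.0.0.1', 'localhost', '[::1]'].includes(host)) return { ok: false, reason: 'unexpected Host header' };
  const auth = headers['authorization'] ?? '';
  if (!auth.startsWith('Bearer ')) return { ok: false, reason: 'missing bearer token' };
  const presented = Buffer.from(auth.slice('Bearer '.length), 'utf8');
  const expected = Buffer.from(expectedToken, 'utf8');
  if (presented.length !== expected.length || !timingSafeEqual(presented, expected)) {
    return { ok: false, reason: 'bad token' };
  }
  return { ok: true };
}
```

The secret is only useful if the server also binds to 127.0.0.1 rather than 0.0.0.0; the loopback check on the peer address is a second layer for the case where the bind address is wrong, and the Origin check covers the one class of caller (a browser tab) that can reach a loopback port without being a local process.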

Findings (1)

critical

suspicious.dangerous_exec

Location
src/index.ts:90
Finding
Shell command execution detected (child_process).

Note: as excerpted above, the call is spawn('python3', [...]) with an argument array and an options object containing only stdio, so no shell is invoked and no shell-injection surface is shown. The finding is best read as local execution of the bridged Python process, which the informational findings above already cover.