suspicious.dangerous_exec
- Location
- scripts/openclaw-hybrid-audit-changeway.js:165
- Finding
- Shell command execution detected (child_process).
Advisory. Audited by static analysis on May 10, 2026.
Detected: suspicious.dangerous_exec
Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.
The skill can execute local inspection commands on the user's machine as part of the audit.
The skill runs local commands from Node.js. That is expected for a system security audit, but shell-enabled execution on Windows is a sensitive capability: with shell: true the command and its arguments are joined into one string and handed to cmd.exe, so any argument that is not strictly controlled can become additional commands.
result = spawnSync('openclaw.cmd', safeArgs, { stdio: 'pipe', encoding: 'utf-8', timeout: 30000, shell: true });
Run it only from a trusted source, avoid elevated permissions unless necessary, and prefer local-only mode if you do not need cloud checks.
If enabled, the scan runs daily and sends results and device data off the machine without asking again each time.
The documented cron setup creates a recurring autonomous task that runs the audit with --push and announces results to a chat channel.
openclaw cron add ... --cron "00 02 * * *" ... --message "... node <skill-path>/scripts/openclaw-hybrid-audit-changeway.js --push ..." ... --announce ... --thinking off
Enable the scheduled task only if you want recurring cloud-enabled scans; otherwise use manual/local mode or remove the cron job with openclaw cron remove.
Your machine identifiers and security-check results may leave your device in full or scheduled mode.
Full mode sends scan summaries and device identifiers externally, but the artifacts do not identify the destination endpoint, retention policy, or data boundary. The scheduled cron guide also defaults to --push.
Data sent: the name and result summary of each check, device identifiers (MAC address, hostname), and a randomly generated Agent ID
Choose local-only mode for privacy-sensitive environments, and ask the publisher to document the exact endpoint, retention, and deletion controls for --push data.
Users may underestimate the privacy impact of enabling the recommended --push mode.
This privacy reassurance is inconsistent with SKILL.md, which says full mode sends MAC address, hostname, Agent ID, and result summaries.
Only the component inventory is reported; there is no risk of sensitive information leakage.
Documentation should consistently list all transmitted fields and avoid saying there is no sensitive-information risk when device identifiers are sent.
It is harder to confirm exactly which package version is being reviewed or installed.
The registry metadata lists version 1.0.0 while _meta.json lists 1.0.5, and the registry source is unknown. This does not prove unsafe behavior, but it is a provenance/version mismatch.
"version" : "1.0.5"
Verify the publisher and package version before installing, and prefer a release with a clear source repository or signed provenance.