local-file-rag-basic

Advisory

Audited by Static analysis on May 10, 2026.

Overview

Detected: suspicious.dangerous_exec

Findings (1)

Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.

Concern
High Confidence
ASI05: Unexpected Code Execution
What this means

First use may fetch and run third-party npm package code silently on the user's machine.

Why it was flagged

The constructor can automatically run npm install through a shell when dependencies are missing, downloading and executing package install behavior without a separate install step or visible prompt.

Skill content
execSync(`npm install --no-save ${missingDeps.join(' ')}`, { cwd: skillDir, stdio: 'ignore', shell: true });
Recommendation

Move dependency installation to a reviewed install spec, pin versions, avoid shell:true where possible, show output, and require user approval before installing packages.

What this means

A broad or mistaken rootDir could cause the agent to index private files outside the intended project.

Why it was flagged

The search tool accepts a rootDir, switches to that path, and then processes the workspace recursively, with no visible restriction to the current project or explicit approval boundary.

Skill content
if (rootDir && path.resolve(rootDir) !== path.resolve(this.workspaceDir)) { ... this.setupWorkspace(path.resolve(rootDir)); } ... await this.chunker.processWorkspace();
Recommendation

Restrict rootDir to the active workspace by default, require explicit user approval for broader paths, and document sensitive-directory exclusions.

What this means

Sensitive file content may remain cached locally and be returned into future agent context after the original search.

Why it was flagged

The skill persists indexed file chunks and content into a local SQLite database under the scanned workspace.

Skill content
this.dbDir = path.join(workspaceDir, '.storage'); ... this.dbPath = path.join(this.dbDir, 'code-rag.db'); ... INSERT INTO chunks ... content
Recommendation

Clearly document what is stored, add retention and deletion controls, exclude sensitive files by default, and let users rebuild or remove the index.

Findings (1)

critical

suspicious.dangerous_exec

Location
script/index.js:37
Finding
Shell command execution detected (child_process).