suspicious.dangerous_exec
- Location
- registry_unified.js:58
- Finding
- Shell command execution detected (child_process).
Advisory
Audited by Static analysis on May 10, 2026.
Detected: suspicious.dangerous_exec
Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.
A remote or locally resolved CLI package could execute with the user’s local account permissions before the user approves any skill installation.
On a local miss, the skill runs an npx-based CLI search. Because the metadata declares no required binary or install spec, this creates unclear provenance and may cause unpinned external package code to run during normal use.
const p=spawn('npx',['clawdhub','search',s,'--limit','3'],{timeout:30000,stdio:['pipe','pipe','pipe']});
Declare and pin the ClawHub CLI dependency, verify its source, and require explicit user approval before first running any npx-based command.
Users may believe a remote skill has been safety-checked when the included code has effectively passed it without inspection.
Remote skills will normally not exist locally before installation, so the vetting function returns true without scanning them. This undercuts the advertised safety-scan step before installation.
if(!fs.existsSync(skillPath))return true; ... const safe=await vetSkill(remote); return safe?{type:'toInstall',skill:remote}:{type:'blocked'};
Fail closed for uninstalled remote skills until a real vetter or signed ClawHub scan result is available, and clearly label unscanned results as unverified.
An installed skill with misleading triggers could affect which skill is selected in later sessions.
The script builds a persistent routing registry from all installed skills and overwrites REGISTRY.md, so inaccurate or malicious skill metadata could influence future routing decisions.
const SKILLS_DIR = path.resolve(__dirname, '../../skills'); const REGISTRY_PATH = path.resolve(__dirname, '../../REGISTRY.md'); ... fs.writeFileSync(REGISTRY_PATH, generateRegistry(skills));
Review generated registry entries, keep backups if needed, and regenerate the registry only from trusted installed skills.