BrainASLab
Suspicious. Audited by ClawScan on May 10, 2026.
Overview
The skill matches its stated FreeSurfer analysis purpose, but it builds and runs MATLAB code from file paths without escaping and references missing MATLAB code that was not included for review.
Review this skill before installing. Its intended FreeSurfer analysis behavior is reasonable, but ask the developer to include the missing MATLAB analysis files, declare the MATLAB dependency, and fix the unsafe construction of MATLAB batch commands from file paths.
Findings (2)
Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.
A maliciously named or untrusted input file could cause unintended MATLAB commands to run on the user's machine.
The input paths are interpolated directly into MATLAB code without escaping or validation, and the resulting string is executed with MATLAB's batch runner (matlab -batch). A crafted path containing a single quote or other MATLAB syntax could change the MATLAB commands that are executed.

Flagged snippet from skill.py:

import subprocess

# lh_path, rh_path and out_dir are caller-supplied paths; they are interpolated
# into MATLAB source unescaped, so a quote character in any of them ends the
# string literal and the remainder of the path is parsed as MATLAB code.
matlab_script = f"""
addpath('matlab');
brain_as_analysis('{lh_path}', '{rh_path}', '{out_dir}');
exit;
"""
subprocess.run([
    "matlab", "-batch", matlab_script
])

Recommendation: escape MATLAB string arguments safely, validate that inputs are normal file paths, avoid dynamic code construction where possible, and fail closed on suspicious path characters.
The skill may not work as packaged, or it may execute MATLAB code from an unexpected local directory rather than from reviewed package contents.
The code calls a MATLAB function from a relative 'matlab' path, but the provided file manifest contains only SKILL.md and skill.py and no MATLAB helper implementation. This means the core analysis code is unavailable for review and may fail or depend on unreviewed local code.

Flagged snippet (MATLAB code generated by skill.py):

addpath('matlab');
brain_as_analysis('{lh_path}', '{rh_path}', '{out_dir}');

Recommendation: include the MATLAB helper files in the package, declare MATLAB as a required binary, and pin or document any external analysis dependencies clearly.
