BrainASLab
Advisory. Audited by static analysis on May 9, 2026.
Overview
No suspicious patterns detected.
Findings (0)
Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.
A maliciously named or untrusted input file could cause unintended MATLAB commands to run on the user's machine.
The input paths are interpolated directly into MATLAB code without escaping or validation, then executed with MATLAB's batch runner. A crafted path containing quotes or MATLAB syntax could change the executed MATLAB commands.
import subprocess

# lh_path, rh_path and out_dir are caller-supplied paths. They are interpolated
# into MATLAB source text without escaping or validation, so a path containing
# a quote or MATLAB syntax changes the program that -batch executes.
matlab_script = f"""
addpath('matlab');
brain_as_analysis('{lh_path}', '{rh_path}', '{out_dir}');
exit;
"""
subprocess.run([
    "matlab", "-batch", matlab_script
])

Recommendation: Escape MATLAB string arguments safely, validate that inputs are normal file paths, avoid dynamic code construction where possible, and fail closed on suspicious path characters.
The skill may not work as packaged, or it may execute MATLAB code from an unexpected local directory rather than reviewed package contents.
The code calls a MATLAB function from a relative 'matlab' path, but the provided file manifest contains only SKILL.md and skill.py and no MATLAB helper implementation. This means the core analysis code is unavailable for review and may fail or depend on unreviewed local code.
% 'matlab' is a relative directory; no helper implementing brain_as_analysis is in the package manifest.
addpath('matlab');
brain_as_analysis('{lh_path}', '{rh_path}', '{out_dir}');

Recommendation: Include the MATLAB helper files in the package, declare MATLAB as a required binary, and pin or document any external analysis dependencies clearly.
