suspicious.dangerous_exec
- Location
- scripts/openclaw-hybrid-audit-changeway.js:144
- Finding
- Shell command execution detected (child_process).
Advisory. Audited by static analysis on May 10, 2026.
Detected: suspicious.dangerous_exec
Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.
Running the skill will execute local audit commands and may collect detailed local diagnostics into reports.
The script invokes local CLI/system commands to perform the audit. This is central to the stated purpose, but it means the skill can inspect local system state. The quoted call hands the OpenClaw binary an argument array and sets no `shell` option, so the arguments are not parsed by a shell; what to verify is how `safeArgs` is assembled and that none of it derives from untrusted input.
result = spawnSync('openclaw', safeArgs, { stdio: 'pipe', encoding: 'utf-8', timeout: 30000 });
Run it only when you intend to perform a local security audit, and review the generated report path before sharing report contents.
If you choose full detection, the remote service can associate your device and installed Skills with a persistent identifier.
The optional --push mode sends device identifiers and the installed Skill inventory to the disclosed Changeway service. The instructions require explicit user confirmation and prohibit using --push in cron.
⚠️ --push high-risk notice: once enabled, it sends device identifiers (MAC address, hostname, a persistent agent_id) and the complete local Skill inventory to the remote endpoint
Use the local-only mode for privacy-sensitive environments; choose --push only after reading the disclosure and do not add --push to scheduled jobs.
If enabled, the audit can run automatically every day and send a summary through the configured OpenClaw announcement channel.
The skill can guide the user to create a recurring OpenClaw cron task. The task is disclosed, user-selected, and explicitly excludes --push, but it is persistent automation.
openclaw cron add ... --name "changeway-security-audit" ... --cron "45 23 * * *" ... --session "isolated"
Only configure the cron job if you want recurring scans, and use `openclaw cron list` or `openclaw cron remove` to review or remove it later.
Detailed audit artifacts may remain on disk and could reveal local security details to anyone with access to your OpenClaw state directory or backups.
The skill persists detailed reports, baselines, and a device identifier under the user's OpenClaw directory. This is disclosed and scoped to local storage.
Local writes: scan reports are saved to ~/.openclaw/security-reports/ ... Skill hash baselines are saved to ~/.openclaw/skill-hashes/, and the device ID is saved to ~/.openclaw/.agent-id
Keep your home/OpenClaw directory protected, and delete old reports or the agent_id if you no longer want them retained.
Users may need to verify the publisher and dependencies manually before relying on the skill.
The registry metadata provides limited provenance and does not declare the Node.js/OpenClaw CLI runtime dependencies described in SKILL.md.
Source: unknown; Homepage: none; Required binaries (all must exist): none
Review the included script and publisher identity, and confirm Node.js and the OpenClaw CLI are available before running the audit.