quotedance-market

Advisory

Audited by static analysis on May 10, 2026.

Overview

Detected: suspicious.dangerous_exec, suspicious.env_credential_access

Findings (2)

Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.

What this means

If enabled, the skill may run curl to contact configured market/news services, including through a configured proxy.

Why it was flagged

The script can execute the local curl binary when normal fetch attempts fail, so it has local command-execution behavior even though it is limited to the market-data fetch workflow.

Skill content
return execFileSync('curl', args, { encoding: 'utf8', stdio: ['ignore', 'pipe', 'pipe'] });
Recommendation

Keep curl fallback enabled only if you trust the local environment and proxy configuration; disable enableCurlFallback in config.json if you do not need it.

What this means

Your Quotedance API key or proxy settings may be used for the skill's outbound market-data requests.

Why it was flagged

The code can use environment-provided proxy settings and an API key, but these are expected for accessing the stated market-data service and proxies.

Skill content
process.env.HTTPS_PROXY || process.env.HTTP_PROXY || process.env.ALL_PROXY || '';
...
const key = CONFIG.apiKey || process.env.QUTEDANCE_API_KEY || '';
if (key) headers['X-API-Key'] = key;
Recommendation

Set only the intended API key/proxy values, and consider adding these optional variables to the skill metadata for clearer disclosure.

What this means

Cached market/news data may persist across runs and could influence later reports if stale or manually altered.

Why it was flagged

The skill documents persistent local files for historical market snapshots and news-source cache.

Skill content
memory/
    ├── market-YYYY-MM-DD.json # historical snapshot
    └── source-cache.json      # news source cache
Recommendation

Review or clear the skill's memory directory if reports appear stale or inconsistent.

Findings (2)

critical

suspicious.dangerous_exec

Location
scripts/market-scan.js:154
Finding
Shell command execution detected (child_process).
critical

suspicious.env_credential_access

Location
scripts/market-scan.js:28
Finding
Environment variable access combined with network send.