ClawHub Security Scan

Advisory. Audited by static analysis on May 10, 2026.

Overview

Detected: suspicious.dynamic_code_execution, suspicious.exposed_secret_literal

Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.

What this means

Running the paid command with a valid SkillPay key can charge the user's SkillPay account.

Why it was flagged

The precheck command uses a SkillPay API key to call an external billing charge endpoint. This matches the disclosed paid-skill model, but it is still payment/account authority that users should understand before running.

Skill content
k = api_key or os.environ.get("SKILLPAY_API_KEY") ... headers={"Content-Type": "application/json", "X-API-Key": key} ... return _post("/billing/charge", body, k)
Recommendation

Only provide the SkillPay key when you intend to pay for a call; prefer an environment variable over a command-line flag, and the publisher should document SKILLPAY_API_KEY and required billing arguments in the metadata and usage examples.

Findings (4)

critical

suspicious.dynamic_code_execution

Location
scripts/precheck.py:68
Finding
Dynamic code execution detected.
critical

suspicious.dynamic_code_execution

Location
scripts/review.py:42
Finding
Dynamic code execution detected.
critical

suspicious.dynamic_code_execution

Location
scripts/scan.py:69
Finding
Dynamic code execution detected.
critical

suspicious.exposed_secret_literal

Location
scripts/review.py:24
Finding
File appears to expose a hardcoded API secret or token.