React Orchestrator

Security checks across static analysis, malware telemetry, and agentic risk

Overview

This skill is an AI task orchestrator, but it includes a Code Mode component that can run generated Node.js/PowerShell code and read or write local files with the user's privileges.

Install only if you specifically need an orchestration library that can execute generated code. Run it in a disposable or tightly scoped workspace, avoid loading sensitive environment variables, require manual approval for file writes and code execution, and review the generated code before allowing Code Mode to run.

Static analysis

Dangerous exec

Severity: Critical

Finding: Shell command execution detected (child_process).

VirusTotal

VirusTotal findings are pending for this skill version.

Risk analysis

Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.

What this means

If the agent or a user runs Code Mode on unsafe generated code, it could execute local commands, access files, or use network-capable Node/PowerShell libraries with the user's permissions.

Why it was flagged

The Code Mode component writes generated code to a temporary file and executes it through Node.js or PowerShell, including PowerShell ExecutionPolicy Bypass. This is high-impact generated-code execution rather than a contained tool call.

Skill content

const child = spawn('node', [tmpFile], { ... env: { ...process.env }, timeout, });
...
spawn('powershell.exe', ['-NoProfile', '-ExecutionPolicy', 'Bypass', '-File', tmpFile])

Recommendation

Use this only in a trusted, isolated workspace; review generated code before execution; disable PowerShell support if unnecessary; and add a real sandbox or explicit approval gate before any code execution.

What this means

A mistaken or adversarial tool call could read sensitive local files or overwrite files outside the intended project directory.

Why it was flagged

Built-in file-read and file-write templates resolve and operate on caller-provided paths without an allowlist, workspace boundary, or mandatory approval in the converter itself.

Skill content

const filePath = path.resolve(${this._toJson(params.path)});
const content = fs.readFileSync(filePath, 'utf8');
...
fs.writeFileSync(filePath, ${this._toJson(params.content)});

Recommendation

Restrict file operations to a configured workspace, deny protected paths by default, require user confirmation for writes, and log exactly which files will be read or changed.

What this means

Environment variables such as API keys, cloud credentials, or session tokens available to the parent process could be read by generated code.

Why it was flagged

The generated-code child process inherits the full environment, not just the specific provider key needed for a tool.

Skill content

env: { ...process.env }

Recommendation

Pass a minimal allowlisted environment to child processes, avoid running with sensitive credentials loaded, and require explicit user approval before any code can access provider credentials.

What this means

Users may believe generated code is safely isolated when it can still affect local files and access inherited secrets.

Why it was flagged

The documentation describes the execution as sandboxed, but the provided implementation shows ordinary child processes with inherited environment and broad filesystem access, which may overstate the safety boundary.

Skill content

Sandboxed execution (child-process isolation)

Recommendation

Describe this as child-process execution rather than a sandbox unless real isolation is added, and clearly warn users about local file, credential, and command-execution risks.

What this means

Dependency resolution could install a newer compatible package version than the author tested, and users have limited source provenance information.

Why it was flagged

The package uses a version range rather than a pinned dependency, and the registry metadata lists the source as unknown. This is not malicious by itself, but it makes provenance review more important for a skill that can execute code.

Skill content

"dependencies": { "zod": "^3.24.0" }

Recommendation

Verify the publisher/source, prefer a lockfile or pinned dependency versions, and install in an isolated environment before granting access to sensitive projects.