Create Harness Docs

Security checks across static analysis, malware telemetry, and agentic risk

Overview

This skill appears to be a user-invoked project documentation generator, but users should review the repository changes it creates, especially the GitHub workflow file.

This looks like a benign documentation generator. Run it only from the repository you intend to modify, review the generated AGENTS.md/docs/workflow/test files before committing, and be aware that it runs a local shell command for project analysis.

Static analysis

Dangerous exec

Severity: Critical
Finding: Shell command execution detected (child_process).

VirusTotal

VirusTotal findings are pending for this skill version.


Risk analysis

Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.

What this means

Running the skill can change the current project by adding documentation, workflow, and test files.

Why it was flagged

The skill discloses that it creates persistent repository files, including a GitHub Actions workflow and test code. This is aligned with its documentation/engineering setup purpose, but these files can affect future project automation and should be reviewed.

Skill content
├── .github/workflows/
│   └── harness-ci.yml          # CI configuration
└── (Java) src/test/.../ArchitectureTest.java  # ArchUnit tests

Recommendation

Run it only in the intended project directory and review generated files with git diff before committing or enabling CI changes.

What this means

The skill will execute a local shell command when analyzing supported project types.

Why it was flagged

The script invokes a shell command to count files during project analysis. The shown input comes from the script's own project-type patterns and is scoped to the current working directory, so it appears purpose-aligned but still uses shell execution.

Skill content
const { execSync } = require('child_process'); ... execSync(`find . -name "${pattern.split('*')[1]}" -type f 2>/dev/null | wc -l`, { cwd: PROJECT_ROOT, encoding: 'utf-8', timeout: 5000 });

Recommendation

Use it in a trusted repository and review the script before running, especially because shell execution is involved.

What this means

Users may need to locate and run the included script manually with Node.js despite the metadata not declaring that requirement.

Why it was flagged

The metadata does not declare a runtime dependency or install path even though SKILL.md documents running a Node.js script. This is an under-declared setup requirement, not evidence of hidden installation behavior.

Skill content
Required binaries (all must exist): none ... Install specifications: No install spec — this is an instruction-only skill.

Recommendation

Confirm the script path and Node.js runtime before use; maintainers should declare the required runtime and correct invocation path in metadata.