中文 EN

Scan Report

Scan New Files

High Risk — Risk Score 65/100
Last scan:1 day ago Rescan
65 /100
task-progress-stream
Stream long-running task progress into the OpenClaw chat UI
The skill executes arbitrary shell commands through user-controlled input without declaring shell:WRITE capability in SKILL.md, representing a significant undeclared privilege escalation vector.
Skill Nametask-progress-stream
Duration30.7s
Enginepi
Do not install this skill
Do not approve this skill without declaring shell:WRITE capability. The --cmd parameter allows arbitrary command execution which could be exploited for privilege escalation.

Attack Chain 3 steps

Escalation User invokes skill with --cmd parameter
scripts/task_progress_stream.js:265
Escalation Arbitrary command passed to /bin/bash -lc without validation
scripts/task_progress_stream.js:285
Impact Attacker can run: curl|bash from external source, pip install malicious packages, or access system resources
scripts/task_progress_stream.js:285

Findings 3 items

Severity Finding Location
High
Undeclared shell command execution Priv Escalation
The skill accepts a --cmd parameter that is passed directly to /bin/bash without any validation or sanitization. This allows execution of arbitrary shell commands, which is not declared in SKILL.md's allowed tools or capability model.
const child = spawn('/bin/bash', ['-lc', cmd], { cwd, stdio: ['ignore', 'pipe', 'pipe'], detached: true });
→ Declare shell:WRITE capability in SKILL.md metadata, or restrict to specific safe commands, or implement command allowlisting.
 scripts/task_progress_stream.js:285
High
No command validation or sanitization Priv Escalation
The user-supplied command string is executed verbatim through bash -lc without any checks for dangerous operations (pip install, curl|bash, etc.).
spawn('/bin/bash', ['-lc', cmd]
→ Implement input validation or use spawn with argument array instead of shell evaluation to prevent command injection.
 scripts/task_progress_stream.js:285
Medium
Filesystem write operations not declared Doc Mismatch
The skill writes status JSON, Markdown, and log files to a configurable outDir but this filesystem:WRITE usage is not documented.
writeJson(files.json, state); writeText(files.md, renderStatusMarkdown(state));
→ Document filesystem:WRITE usage in SKILL.md or use a temporary directory with auto-cleanup.
 scripts/task_progress_stream.js:234
ResourceDeclaredInferredStatusEvidence
Shell NONE WRITE ✗ Violation scripts/task_progress_stream.js:285 - spawn('/bin/bash', ['-lc', cmd])
Filesystem NONE WRITE ✗ Violation scripts/task_progress_stream.js:279-281 - creates outDir and status files
Network NONE NONE openclaw gateway call is local IPC only

File Tree

2 files · 14.0 KB · 528 lines
JavaScript 1f · 473L Markdown 1f · 55L
├─ 📁 scripts
│ └─ 📜 task_progress_stream.js JavaScript 473L · 12.9 KB
└─ 📝 SKILL.md Markdown 55L · 1.1 KB

Security Positives

✓ No credential harvesting - script does not read API keys, tokens, or passwords
✓ No data exfiltration - only local IPC with openclaw gateway, no external network requests
✓ No obfuscation - code is readable JavaScript without base64 or eval() tricks
✓ No malicious dependencies - no package.json with untrusted packages
✓ Progress parsing is legitimate functionality as documented