Skill Trust Decision

China Stock Sentiment

The skill uses undeclared shell execution (child_process.execSync) to invoke another skill, a capability not declared in SKILL.md's documented allowed-tools or capability model.

Install decision first
Source: Manual upload
Scanned: Apr 4, 2026
Files: 3
Artifacts: 2
Violations: 2
Findings: 3
Most direct threat evidence
01
SKILL.md presents skill as '舆情监控' (public-opinion monitoring) using 'web_fetch/web_search' and skill references only
Entry · SKILL.md
02
Hidden shell:WRITE via child_process.execSync runs 'openclaw skill run baidu-hot-cn'
Escalation · index.js
03
Filesystem WRITE to memory/stock-sentiment/reports/ not declared in capability model
Escalation · index.js

Why this conclusion was reached

2/4 dimensions flagged
Block
Declared vs actual capability

2 undeclared or violating capabilities were inferred.

Review
Hidden execution and egress

2 lower-risk artifacts were extracted and still need context.

Block
Attack chain and severe findings

The report includes 3 attack-chain steps and 1 severe finding.

Pass
Dependencies and supply chain hygiene

Dependencies are present but no obvious high-risk issue stands out.

Attack Chain

01
SKILL.md presents skill as '舆情监控' (public-opinion monitoring) using 'web_fetch/web_search' and skill references only

Entry · SKILL.md:1

02
Hidden shell:WRITE via child_process.execSync runs 'openclaw skill run baidu-hot-cn'

Escalation · index.js:53

03
Filesystem WRITE to memory/stock-sentiment/reports/ not declared in capability model

Escalation · index.js:139

What drove the risk score up

Undeclared shell execution +20

SKILL.md declares 'web_fetch/web_search' but index.js:53 uses execSync('openclaw skill run baidu-hot-cn') — a shell:WRITE operation not mentioned anywhere in documentation.

Undeclared filesystem WRITE +10

saveReport() writes to memory/stock-sentiment/reports/ via fs.writeFileSync, exceeding the read-oriented '数据存储' (data storage) description in SKILL.md, which only names directories without declaring a filesystem:WRITE capability.

Doc-to-code capability mismatch +8

SKILL.md frames baidu-hot-cn as a skill reference, hiding the actual child_process.execSync subprocess mechanism. This is a classic doc-deception pattern.

Most important evidence

High Doc Mismatch

Undeclared shell execution via child_process.execSync

index.js imports child_process and uses execSync to run 'openclaw skill run baidu-hot-cn'. SKILL.md only documents 'web_fetch/web_search' and skill references, never mentioning subprocess/shell execution. This hidden mechanism is a significant doc-to-code mismatch.

index.js:53
Replace execSync with a documented skill-invoke API or runtime mechanism. If shell execution is truly needed, declare shell:WRITE in SKILL.md and document why.

Medium Priv Escalation

Undeclared filesystem WRITE beyond documented scope

SKILL.md's '数据存储' (data storage) section names directories (memory/stock-sentiment/) but never declares filesystem:WRITE. The saveReport() function writes markdown reports to disk, which is write access beyond the 'read news' framing of the skill.

index.js:139
Declare filesystem:WRITE in SKILL.md capability model if file writes are intentional and necessary for the feature.

Low Doc Mismatch

Marketing content in SKILL.md not in README.md

SKILL.md contains pricing tables, monetization strategies, and development TODOs that mix user-facing marketing with capability documentation, making it harder to identify actual permitted actions.

SKILL.md:89
Keep SKILL.md focused on declared capabilities and permissions only; move monetization and marketing content to README.md.

Declared capability vs actual capability

Dimension    Verdict  Declared  Inferred                        Evidence
Filesystem   Block    NONE      WRITE                           index.js:139 fs.writeFileSync(outputPath, markdown)
Shell        Block    NONE      WRITE                           index.js:54 execSync('openclaw skill run baidu-hot-cn')
Network      Pass     READ      NONE (indirect via subprocess)  No direct network calls; web access delegated to baidu-hot-cn skill via subprocess
Environment  Pass     NONE      NONE                            No os.environ access detected

Suspicious artifacts and egress

Medium External URL
https://clawhub.ai/skills/china-stock-sentiment/docs

README.md:87

Info Email
[email protected]

README.md:85

Dependencies and supply chain

Package        Version  Source  Known vuln  Notes
fs             builtin  node    No          Node.js built-in module — no external dependency risk
path           builtin  node    No          Node.js built-in module
child_process  builtin  node    No          Node.js built-in module — used for execSync

File composition

3 files · 454 lines
Markdown: 2 files · 232 lines
JavaScript: 1 file · 222 lines

Files of concern · 3
index.js (JavaScript · 222 lines)
Undeclared shell execution via child_process.execSync · Undeclared filesystem WRITE beyond documented scope
SKILL.md (Markdown · 133 lines)
Marketing content in SKILL.md not in README.md
README.md (Markdown · 99 lines)
https://clawhub.ai/skills/china-stock-sentiment/docs · [email protected]

Security positives

No credential harvesting (no os.environ iteration, no ~/.ssh, no .env access)
No direct IP network requests or outbound data exfiltration
No obfuscation (no base64, no eval patterns)
No curl|bash or wget|sh remote script execution
No persistence mechanisms (no cron, startup hooks, or backdoors)
execSync command string is hardcoded and not user-injectable
No supply chain risks — only uses Node.js built-in modules (fs, path, child_process)