Skill Trust Decision

token-watchdog

Undeclared shell execution via execSync found in code not mentioned in SKILL.md documentation. The skill claims to 'read .jsonl files directly' but actually executes openclaw CLI commands for alerts and agent control.

Install decision first
Source: Manual upload
Scanned: Apr 3, 2026
Files 3
Artifacts 2
Violations 1
Findings 5
Most direct threat evidence
High
Undeclared Shell Execution via execSync

The code uses execSync() from child_process module to execute 'openclaw message send' and 'openclaw agent' commands. SKILL.md only mentions reading .jsonl files directly and does not disclose that shell commands are executed.

token-watchdog.mjs:44

Why this conclusion was reached

2/4 dimensions flagged
Block
Declared vs actual capability

1 undeclared or violating capability was inferred.

Review
Hidden execution and egress

2 lower-risk artifacts were extracted and still need context.

Block
Attack chain and severe findings

The report includes 0 attack-chain steps and 2 severe findings.

Pass
Dependencies and supply chain hygiene

Dependencies are present but no obvious high-risk issue stands out.

What drove the risk score up

Undeclared shell execution +20

SKILL.md claims 'reads session .jsonl file directly (no API call needed)' but code uses execSync to run openclaw CLI commands

Hidden functionality +15

Agent pause functionality via 'openclaw agent -m' not mentioned in documentation

External download URL +10

Users instructed to curl script from ddaekeu3-cyber.github.io without integrity verification

Most important evidence

High
Undeclared Shell Execution via execSync
The code uses execSync() from the child_process module to execute 'openclaw message send' and 'openclaw agent' commands. SKILL.md only mentions reading .jsonl files directly and does not disclose that shell commands are executed.
Location: token-watchdog.mjs:44
Recommendation: Document execSync usage in SKILL.md. Consider using the openclaw SDK/API, if available, instead of CLI subprocess execution.

High
Agent Control Function Not Declared
The pauseAgent() function can send messages to control the OpenClaw agent. This capability to control agent behavior is not mentioned in the documentation.
Location: token-watchdog.mjs:56
Recommendation: Clearly document that this tool can pause/resume the agent and what commands it sends.

Medium
Remote Script Download Without Integrity Check
SKILL.md instructs users to download the script via curl from a GitHub Pages URL without recommending signature verification or checksum validation.
Location: SKILL.md:29
Recommendation: Add instructions for verifying script integrity (e.g., provide a SHA256 hash or use signed releases).

Medium
Undeclared File Write Operations
Code writes to ~/.openclaw/workspace/memory/token-watchdog.log and token-watchdog-state.json. SKILL.md only mentions reading session files.
Location: token-watchdog.mjs:83
Recommendation: Document log and state file persistence in SKILL.md.

Low
Hardcoded Telegram Target ID
Telegram target '8616468733' is hardcoded in CONFIG. While this may be expected for a personal tool, it limits flexibility and may not match the user's configuration.
Location: token-watchdog.mjs:17
Recommendation: Allow Telegram target configuration via environment variable or CLI argument.

Declared capability vs actual capability

Capability   Verdict   Declared   Inferred     Evidence
Filesystem   Pass      READ       READ,WRITE   token-watchdog.mjs: writeFileSync to ~/.openclaw/workspace/memory/
Shell        Block     NONE       WRITE        token-watchdog.mjs:44: execSync for openclaw CLI commands
Network      Pass      READ       READ         Reads session files, sends via openclaw CLI

Suspicious artifacts and egress

Medium External URL
https://ddaekeu3-cyber.github.io/synapse-ai/tools/token-watchdog/token-watchdog.mjs

SKILL.md:29

Medium External URL
https://ddaekeu3-cyber.github.io/synapse-ai/

SKILL.md:82

Dependencies and supply chain

Package             Version   Source     Known vuln   Notes
Node.js built-ins   N/A       builtin    No           Uses only child_process and fs modules
openclaw CLI        unknown   external   No           CLI tool invoked via execSync; security depends on openclaw tool integrity

File composition

3 files · 420 lines
JavaScript: 1 file · 328 lines
Markdown: 1 file · 82 lines
JSON: 1 file · 10 lines
Files of concern · 2
token-watchdog.mjs JavaScript · 328 lines
Undeclared Shell Execution via execSync · Agent Control Function Not Declared · Undeclared File Write Operations · Hardcoded Telegram Target ID
SKILL.md Markdown · 82 lines
Remote Script Download Without Integrity Check · https://ddaekeu3-cyber.github.io/synapse-ai/tools/token-watchdog/token-watchdog.mjs · https://ddaekeu3-cyber.github.io/synapse-ai/
Other files · package.json

Security positives

Core functionality (session cost monitoring) appears legitimate and useful
shellEscape() function provides basic protection against command injection
Uses fs sync operations instead of eval() or dynamic code execution
Session file reading is byte-offset based (incremental reads), an efficient approach
State persistence prevents duplicate alerts on restarts