Skill Trust Decision

claw-ops-manager

The skill executes arbitrary shell commands via subprocess without explicit declaration, monitors and snapshots sensitive credential paths (~/.ssh, /etc/ssh) without stated justification, and includes documentation examples of destructive commands.

Install decision first
Source: Manual upload · Scanned: Apr 5, 2026
Files 27
Artifacts 7
Violations 3
Findings 5
Most direct threat evidence
High Priv Escalation
Undeclared Shell Command Execution

The skill executes arbitrary shell commands passed to audited_exec() via subprocess.run(command, shell=True) without declaring shell execution as a capability in SKILL.md

scripts/audited_ops.py:240

Why this conclusion was reached

3/4 dimensions flagged
Block
Declared vs actual capability

3 undeclared or violating capabilities were inferred.

Block
Hidden execution and egress

2 high-risk artifacts or egress signals were extracted.

Block
Attack chain and severe findings

The report includes 0 attack-chain steps and 3 severe findings.

Review
Dependencies and supply chain hygiene

3 dependency or supply-chain issues need attention.

What drove the risk score up

Undeclared shell execution capability +25

SKILL.md describes audit/logging functionality but the actual implementation executes arbitrary commands via subprocess.run(command, shell=True) without mentioning this in core capabilities

Sensitive path monitoring without justification +20

~/.ssh and /etc/ssh are in auto_snapshot_paths (scripts/audited_ops.py:36-37) and protected_paths (scripts/init.py:114, scripts/monitor.py:91) without clear explanation of why credential directories need auditing

Shell eval execution +15

scripts/audit_wrapper.sh:55 uses 'eval $command' to execute user-provided shell commands

Dangerous command examples in docs +12

COMPLETED_v2.md:10 contains 'rm -rf ~' and MARKETING.md:45 contains 'rm -rf /' as documentation examples showing how the skill describes commands

Most important evidence

High Priv Escalation

Undeclared Shell Command Execution

The skill executes arbitrary shell commands passed to audited_exec() via subprocess.run(command, shell=True) without declaring shell execution as a capability in SKILL.md

scripts/audited_ops.py:240
Declare shell:WRITE capability explicitly in SKILL.md or remove shell execution and only log operations
High Sensitive Access

Sensitive Credential Paths in Auto-Snapshot

~/.ssh and /etc/ssh are included in the auto_snapshot_paths list (lines 36-38), which means all SSH keys and configs are automatically copied to the snapshot directory on every operation

scripts/audited_ops.py:36
Remove sensitive paths from auto_snapshot_paths unless explicitly required and documented. Snapshots of credential directories create data exposure risk.
High Sensitive Access

Sensitive Paths in Default Protected Paths

~/.ssh and /etc/ssh appear in protected_paths default configuration (scripts/init.py:114) and file monitor (scripts/monitor.py:89-91)

scripts/init.py:114
Provide clear justification for why SSH directories need monitoring, or remove from default configuration
Medium RCE

Shell Eval Usage in Wrapper

audit_wrapper.sh uses 'eval $command', which re-parses the string as shell code, so untrusted input is interpreted as commands rather than passed as arguments

scripts/audit_wrapper.sh:55
Replace eval with safer subprocess execution methods with proper argument separation
Medium Doc Mismatch

Dangerous Command Examples in Documentation

COMPLETED_v2.md:10 and MARKETING.md:45 contain 'rm -rf ~' and 'rm -rf /' as documentation examples showing how the skill logs commands

COMPLETED_v2.md:10
Use less destructive commands for documentation examples

Declared capability vs actual capability

Shell Block
Declared NONE
Inferred WRITE
scripts/audited_ops.py:240 - subprocess.run(command, shell=True)
Filesystem Block
Declared READ
Inferred WRITE
scripts/audited_ops.py:262-270 - writes files for snapshots
Environment Block
Declared NONE
Inferred READ
scripts/audited_ops.py:28 - os.environ.get('USER'), scripts/auto_audit.py:26 - os.environ.get('OPENCLAW_SESSION')

Suspicious artifacts and egress

Critical Dangerous Command
rm -rf ~

COMPLETED_v2.md:10

Critical Dangerous Command
rm -rf /

MARKETING.md:45

Medium External URL
https://img.shields.io/badge/ClawHub-v2.0.0-667eea?style=for-the-badge

MARKETING.md:97

Medium External URL
https://clawhub.com/package/claw-ops-manager

MARKETING.md:97

Medium External URL
https://img.shields.io/badge/ClawHub-v2.0.0-667eea

OPTIMIZED_METADATA.md:101

Medium External URL
https://cdn.plot.ly/plotly-latest.min.js

assets/templates/dashboard.html:7

Info Email
[email protected]

scripts/snapshot.py:37

Dependencies and supply chain

Package | Version | Source | Known vuln | Notes
flask | not specified | pip | No | Listed in SKILL.md dependencies but not pinned
watchdog | not specified | pip | No | Listed in SKILL.md dependencies but not pinned
plotly | not specified | pip | No | Listed in SKILL.md dependencies but not pinned

File composition

27 files · 10830 lines
Python 13 files · 7147 lines
HTML 3 files · 1777 lines
Markdown 7 files · 1461 lines
Shell 2 files · 258 lines
JSON 2 files · 187 lines
Files of concern · 3
scripts/snapshot.py Python · 406 lines
assets/templates/dashboard.html HTML · 453 lines
https://cdn.plot.ly/plotly-latest.min.js
scripts/audited_ops.py Python · 303 lines
Undeclared Shell Command Execution · Sensitive Credential Paths in Auto-Snapshot
Other files · server_v3.py · server_v2.py · server_full.py · dashboard_v3.html · dashboard_v2.html · describer.py +3

Security positives

No credential harvesting or exfiltration code detected
No network exfiltration to external servers
No base64 encoding or obfuscated malicious code
No reverse shell or C2 communication patterns
No hidden HTML comments with malicious instructions
Includes permission checking before operations
Database uses SQLite with proper schema design
Supports dry-run mode for rollback operations