openbotauth

clawhub:openbotauth

Grade: D (37/100)

First Seen: Feb 18, 2026

Last Scanned: Feb 22, 2026

Findings: 8

Score: 37/100

HIGH 1
MEDIUM 6
LOW 1

Findings (8)

HIGH
Private key block
L38

Detects PEM-encoded private keys

-----BEGIN PRIVATE KEY-----
FIX

Remove the private key block from the skill definition. Store private keys in a secrets manager or encrypted volume and reference them via environment variables.

FP?

Likely FP if the match is a documentation example showing the format of a PEM block without a real key body.

MEDIUM
Sensitive file read pattern
L66

Detects reads of sensitive system or credential files

cat ~/.config
FIX

Prevent the tool from reading environment variables and sending them to external endpoints. If env access is needed, restrict it to specific variable names via an allowlist.

FP?

Likely FP if the match is documentation about how to configure environment variables, not code that reads and transmits them.

MEDIUM
Node.js child process execution
L445

Detects Node.js child_process methods for command execution

execFileSync("
FIX

Use execFile() or spawn() with explicit argument arrays instead of exec() with a shell string. Validate all inputs before passing to child_process methods.

FP?

Likely FP if the match is in a README code example or package.json script field that runs a well-known CLI tool (e.g., eslint, tsc).

MEDIUM
Node.js child process execution
L446

Detects Node.js child_process methods for command execution

execFileSync("
FIX

Use execFile() or spawn() with explicit argument arrays instead of exec() with a shell string. Validate all inputs before passing to child_process methods.

FP?

Likely FP if the match is in a README code example or package.json script field that runs a well-known CLI tool (e.g., eslint, tsc).

MEDIUM
Node.js child process execution
L459

Detects Node.js child_process methods for command execution

execFileSync("
FIX

Use execFile() or spawn() with explicit argument arrays instead of exec() with a shell string. Validate all inputs before passing to child_process methods.

FP?

Likely FP if the match is in a README code example or package.json script field that runs a well-known CLI tool (e.g., eslint, tsc).

MEDIUM
Node.js child process execution
L460

Detects Node.js child_process methods for command execution

execFileSync("
FIX

Use execFile() or spawn() with explicit argument arrays instead of exec() with a shell string. Validate all inputs before passing to child_process methods.

FP?

Likely FP if the match is in a README code example or package.json script field that runs a well-known CLI tool (e.g., eslint, tsc).

MEDIUM
Node.js child process execution
L462

Detects Node.js child_process methods for command execution

execFileSync("
FIX

Use execFile() or spawn() with explicit argument arrays instead of exec() with a shell string. Validate all inputs before passing to child_process methods.

FP?

Likely FP if the match is in a README code example or package.json script field that runs a well-known CLI tool (e.g., eslint, tsc).

LOW
Remote SDK or script fetch as agent input
L188

Detects fetching remote documentation or code to load as agent context

Fetch session to get  + https://api.openbotauth.org/jwks/YOUR_USERNAME.json
FIX

Pin the SDK or script to a specific version and verify its checksum after download. Prefer installing SDKs via a package manager instead of fetching remote scripts directly.

FP?

Likely FP if the match is documentation showing how to install an official SDK (e.g., Google Cloud SDK, AWS CLI) from its canonical URL.