openclaw

clawhub:openclaw

View source

85/100

First Seen

Feb 18, 2026

Last Scanned

Feb 22, 2026

Findings

Score

85/100

HIGH 1

LOW 1

Findings (2)

HIGH

Private data read with code execution TOXIC_002

toxic-flow L45

Skill can read private data AND execute arbitrary code. This combination enables credential theft via dynamic code.

[reads_private_data] read "op://Agents/my-agent-wallet/private-key + [executes_code] subprocess.run(

FIX

Add input validation between the user-controlled data source and the security-sensitive sink (e.g., file writes, command execution). Implement allowlisting for acceptable input patterns.

FP?

Likely FP if the user input passes through explicit validation or sanitization before reaching the sensitive operation, and the taint tracker missed the sanitization step.

LOW

Python subprocess execution CMDEXEC_003

command-execution L128

Detects Python subprocess and os.system calls for command execution in skill descriptions

subprocess.run(

FIX

Pass arguments as an explicit list instead of a shell string. Set shell=False and validate all user-supplied values before inclusion.

FP?

Likely FP if the match is in documentation explaining Python subprocess usage or in a description mentioning it as a topic.