ClawAudit verdict
agent-security-scanner
agent-security-skill-scanner-gitee
Installs a binary scanner from Gitee with sudo system-wide privileges and optionally runs a background daemon process (nohup); while declared as a security scanner, the combination of Gitee-sourced binary + sudo install + persistent daemon warrants elevated scrutiny.
⚠ Flagged for review — coarse, uncorroborated signal, not a confirmed exploit. Review the config yourself before installing.
Automated static analysis — not a human review. ClawAudit flags capabilities, not confirmed intent, and can produce false positives. Disagree with this verdict? Use Dispute below.
Permission integrity
package_install
Findings (23)
Accesses sensitive system files
docs/CAPABILITIES.md · code · /etc/passwd
Reads /proc/self/environ — dumps all environment variables
docs/CAPABILITIES.md · code · /proc/self/environ
Pipe to python — executes piped content as Python code
SKILL.md · prose · downgraded · | Python
References sudo — requests elevated privileges
SKILL.md · code · sudo
Accesses .ssh directory
docs/CAPABILITIES.md · code · .ssh/
Uses eval() — can execute arbitrary code
docs/CAPABILITIES.md · prose · downgraded · eval(
Dynamic __import__('os') — Python OS command execution
src/engine/smart_pattern_detector.py · prose · downgraded · __import__('os')
Bash /dev/tcp — raw TCP connection via shell
src/engine/smart_pattern_detector.py · prose · downgraded · /dev/tcp/
Accesses AWS credentials file
src/multi_language_scanner_v4.py · prose · downgraded · ~/.aws/credentials
Uses exec() — may execute shell commands
docs/CAPABILITIES.md · prose · downgraded · exec(
os.system/popen — direct OS command execution
docs/CAPABILITIES.md · prose · downgraded · os.system(
subprocess execution — runs system commands from Python
scanner_cli.py · prose · downgraded · subprocess.run(
subprocess with shell=True — command injection vector
src/engine/smart_pattern_detector.py · prose · downgraded · subprocess.Popen(": 12, "subprocess.run(": 6, "subprocess.call(": 6,
"sh
setuid — privilege escalation mechanism
src/engine/smart_pattern_detector.py · prose · downgraded · setuid
Clears shell history — may hide tracks
src/engine/smart_pattern_detector.py · prose · downgraded · history -c
References child_process — can spawn system processes
src/engine/smart_pattern_detector.py · prose · downgraded · child_process
References SSH/GPG private keys
src/multi_language_scanner_v4.py · prose · downgraded · ssh_key
Accesses cloud provider credentials
src/multi_language_scanner_v4.py · prose · downgraded · ~/.aws
pip3 install — installs Python packages at runtime
src/benchmark_full_scan.py · prose · downgraded · pip3 install
Python urllib.request — network access
src/engine/smart_pattern_detector.py · prose · downgraded · urllib.request
Python shutil file operation — copies/moves/deletes files
src/engine/smart_pattern_detector.py · prose · downgraded · shutil.rmtree(
Python os.getenv — reads environment variable
src/llm_analyzer.py · prose · downgraded · os.getenv(
Base64 encoding/decoding
src/llm_analyzer.py · prose · downgraded · base64_decode
Why the tier is capped
Execution sink present in raw bytes (Hard Floor: class B/D/E). Final tier capped at Caution — cannot be lifted by any downgrade, example-payload opt-in, or allowlist.
Permissions & capabilities
No declared permissions — minimal attack surface.
package_install Is this flag fair?
Thanks — recorded.