clawseccheck

Pipe to sh — executes piped content as shell commands

README.md · prose · downgraded · |sh

Pipe-to-shell pattern (curl | sh) — supply chain attack vector

README.md · prose · downgraded · curl http://<ip> | bash

Pipe to bash — executes piped content as shell commands

README.md · prose · downgraded · | bash

Accesses OpenClaw config/secrets directly

clawseccheck/collector.py · prose · downgraded · ~/.openclaw/openclaw.json

Instructs covert action — may act without user awareness

clawseccheck/coverage.py · prose · downgraded · silently

HTTP request to bare IP address — common in malicious payloads

clawseccheck/dryrun.py · prose · downgraded · http://198.51.100.7

subprocess execution — runs system commands from Python

clawseccheck/native.py · prose · downgraded · subprocess.run(

Accesses system credential store

clawseccheck/report.py · prose · downgraded · keychain

Uses exec() — may execute shell commands

clawseccheck/risk.py · prose · downgraded · exec (

Accesses .ssh directory

clawseccheck/skillast.py · prose · downgraded · .ssh/

References sudo — requests elevated privileges

docs/FAQ.md · prose · downgraded · sudo

References agent memory files

clawseccheck/attest.py · prose · downgraded · MEMORY.md

Python os.environ.get — reads environment variable

clawseccheck/cli.py · prose · downgraded · os.environ.get(

Popular HTTP library — network access

clawseccheck/collector.py · prose · downgraded · got

Sets world-executable permissions

clawseccheck/risk.py · prose · downgraded · chmod 700

Blob URL — may embed executable content

clawseccheck/sar.py · prose · downgraded · blob:

Python urllib.request — network access

clawseccheck/skillast.py · prose · downgraded · urllib.request

Changes file ownership

docs/FAQ.md · prose · downgraded · chown

References agent configuration files

docs/OUTPUT_SCHEMA.md · prose · downgraded · CLAUDE.md