ClawAudit verdict
test0413-6348
A security audit tool performing static analysis and maintaining append-only local logs; all operations are local and it explicitly does not execute audited skill code.
⚠ Flagged for review — coarse, uncorroborated signal, not a confirmed exploit. Review the config yourself before installing.
Automated static analysis — not a human review. ClawAudit flags capabilities, not confirmed intent, and can produce false positives. Disagree with this verdict? Use Dispute below.
Findings (21)
Pipe to bash — executes piped content as shell commands
config/risk-rules.json · prose · downgraded · | bash
Pipe to sh — executes piped content as shell commands
config/risk-rules.json · prose · downgraded · | sh
Pipe-to-shell pattern (curl | sh) — supply chain attack vector
config/risk-rules.json · prose · downgraded · curl | sh
Pipe-to-shell pattern (wget | sh)
config/risk-rules.json · prose · downgraded · wget | sh
Recursive delete from root or home — destructive command
config/risk-rules.json · prose · downgraded · rm -rf /
Bash /dev/tcp — raw TCP connection via shell
config/risk-rules.json · prose · downgraded · /dev/tcp/
Accesses sensitive system files
config/risk-rules.json · prose · downgraded · /etc/shadow
Uses eval() — can execute arbitrary code
config/semantic-patterns.json · prose · downgraded · eval(
subprocess execution — runs system commands from Python
config/risk-rules.json · prose · downgraded · subprocess.call(
References child_process — can spawn system processes
config/risk-rules.json · prose · downgraded · child_process
os.system/popen — direct OS command execution
config/risk-rules.json · prose · downgraded · os.system(
setuid — privilege escalation mechanism
config/risk-rules.json · prose · downgraded · setuid
Raw socket connection — low-level network access
config/risk-rules.json · prose · downgraded · socket.connect(
Uses exec() — may execute shell commands
config/semantic-patterns.json · prose · downgraded · exec(
Accesses cloud provider credentials
config/semantic-patterns.json · prose · downgraded · ~/.aws
subprocess with shell=True — command injection vector
scripts/skills_audit.py · prose · downgraded · subprocess.run(argv",
"subprocess.run(argv,",
"subprocess.run(["
Sets world-executable permissions
config/risk-rules.json · prose · downgraded · chmod 777
Python urllib.request — network access
config/risk-rules.json · prose · downgraded · urllib.request
Popular HTTP library — network access
config/risk-rules.json · prose · downgraded · axios
pip3 install — installs Python packages at runtime
config/risk-rules.json · prose · downgraded · pip3 install
Python shutil file operation — copies/moves/deletes files
scripts/skills_audit.py · prose · downgraded · shutil.rmtree(
Why the tier is capped
Execution sink present in raw bytes (Hard Floor: class A/D/E). Final tier capped at Caution — cannot be lifted by any downgrade, example-payload opt-in, or allowlist.
Permissions & capabilities
No declared permissions — minimal attack surface.
Is this flag fair?
Thanks — recorded.