ClawAudit verdict
yidun-skill-sec
Fetches from network AND uses eval/Function
The skill uploads 'code snippets that triggered detections' to as.dun.163.com (NetEase Yidun) with cloud mode enabled by default; while the disclosure is transparent and credentials are excluded, sending code content to a third-party cloud service by default without explicit user consent per-scan is a genuine concern.
Automated static analysis — not a human review. ClawAudit flags capabilities, not confirmed intent, and can produce false positives. Disagree with this verdict? Use Dispute below.
What it does
These are capability combinations: each listed behavior occurs in the skill, but ClawAudit detects co-occurrence — it does not verify that one flows into another. Read the code to confirm a live chain.
Fetches from network AND uses eval/Function — the remote-code-execution pattern (data-flow not verified)
LLM05 · LLM06 · ASI05
Receives external input AND uses eval — the remote code-injection pattern (data-flow not verified)
LLM01 · LLM05 · ASI01 · ASI05
Receives external input AND executes processes — the shape of a command & control channel
LLM05 · LLM06 · ASI10
Reads files AND uses eval/Function — may execute locally stored payloads
LLM05 · LLM06 · ASI05
Encodes data AND uses eval — the obfuscated-execution pattern (atob + eval; data-flow not verified)
LLM05 · ASI05 · ASI10
Accesses agent memory/notes AND makes external network calls — may leak personal data
LLM02 · LLM07 · ASI03 · ASI06
Accesses system credential store AND makes external network calls
LLM02 · ASI03
Reads files, encodes data, AND makes external network calls — the obfuscated-exfiltration pattern (data-flow not verified)
LLM02 · ASI03
Reads local files AND makes external network calls — the capabilities for data exfiltration co-occur (data-flow not verified)
LLM02 · LLM06 · ASI03
Executes processes AND makes external network calls — may exfiltrate command output
LLM02 · LLM06 · ASI03
Accesses credentials AND makes external network calls — potential credential theft
LLM02 · ASI03
Accesses credentials AND encodes data — may obfuscate stolen credentials
LLM02 · ASI03 · ASI04
Accesses agent memory AND makes external network calls — may leak conversation history
LLM02 · LLM07 · ASI06
Permission integrity
credential_access
agent_memory
Findings (16)
Uses eval() — can execute arbitrary code
SKILL.md · prose · downgraded · eval(
References sudo — requests elevated privileges
SKILL.md · code · sudo
setuid — privilege escalation mechanism
SKILL.md · code · setuid
Possible hardcoded credential
SKILL.md · prose · downgraded · api_key = "sk-abc123def456
Accesses .ssh directory
SKILL.md · code · .ssh/
subprocess execution — runs system commands from Python
SKILL.md · code · subprocess.run(
os.system/popen — direct OS command execution
SKILL.md · code · os.system(
subprocess with shell=True — command injection vector
SKILL.md · code · subprocess.run([<SHELL_CMD>], shell=True
Uses exec() — may execute shell commands
SKILL.md · prose · downgraded · exec(
Accesses cloud provider credentials
SKILL.md · prose · downgraded · ~/.aws
Changes file ownership
SKILL.md · code · chown
Popular HTTP library — network access
SKILL.md · code · axios
Python os.environ.get — reads environment variable
SKILL.md · code · os.environ.get(
Python urllib.request — network access
SKILL.md · code · urllib.request
POSTs data to external URL
SKILL.md · code · .post('https://
Sets world-executable permissions
SKILL.md · prose · downgraded · chmod 777
Why the tier is capped
Execution sink present in raw bytes (Hard Floor: class D). Final tier capped at Caution — cannot be lifted by any downgrade, example-payload opt-in, or allowlist.
Permissions & capabilities
Requires 3 system binaries. (1 elevated: curl).
network_outnetwork_indynamic_evalcredential_accessdata_encodingagent_memoryfile_readprocess_execcredential_store Thanks — recorded.