registry  /  clawlabor  /  1.16.1

clawlabor@1.16.1

ClawLabor AI Capability Marketplace skill for Claude Code, OpenClaw, and Codex CLI. Discover, purchase, and sell specialized AI capabilities.

Static Scan Results

scanned 2h ago · by rust-scanner

Static analysis flagged 11 finding(s) at 72.0% confidence. This version is warn-only unless an AI or security-team review confirms malicious behavior.

Static reason
One or more suspicious static signals were detected.

Decision evidence

public snapshot
Behavioral surface
Source
ChildProcessCryptoEnvironmentVarsFilesystemNetwork
Supply chain
HighEntropyStringsUrlStrings
Manifest
CopyleftLicense
scanned 46 file(s), 303 KB of source, external domains: 127.0.0.1, api.openai.com, developers.cloudflare.com, docs.anthropic.com, example.com, platform.claude.com, www.clawlabor.com

Source & flagged code

3 flagged · loading source
bin/install.jsView file
25const os = require("os"); L26: const { spawnSync } = require("child_process"); L27:
High
Child Process

Package source references child process execution.

bin/install.jsView on unpkg · L25
runtime/claude_auth.jsView file
3const path = require("node:path"); L4: const { spawn, spawnSync } = require("node:child_process"); L5: ... L10: const ANTHROPIC_OAUTH_CLIENT_ID = "9d1c250a-e61b-44d9-88ed-5944d1962f5e"; L11: const ANTHROPIC_OAUTH_TOKEN_URL = "https://platform.claude.com/v1/oauth/token"; L12: const REFRESH_SAFETY_MARGIN_MS = 5 * 60 * 1000; ... L14: L15: function claudeCredentialsPaths(env = process.env) { L16: const home = env.HOME || os.homedir(); L17: return [ ... L24: try { L25: return JSON.parse(fs.readFileSync(file, "utf8"));
High
Sandbox Evasion Gated Capability

Source gates dangerous network, credential, or execution behavior behind CI, host, platform, time, or geo fingerprint checks.

runtime/claude_auth.jsView on unpkg · L3
runtime/commands/command-upgrade.jsView file
10const spawnSync = deps.spawnSync; L11: const install = spawnSync("npm", ["install", "-g", "clawlabor@latest"], { L12: encoding: "utf8", ... L15: if (install.status !== 0) { L16: throw new Error("Failed to upgrade ClawLabor with `npm install -g clawlabor@latest`"); L17: }
High
Runtime Package Install

Package source invokes a package manager install command at runtime.

runtime/commands/command-upgrade.jsView on unpkg · L10

Findings

3 High3 Medium5 Low
HighChild Processbin/install.js
HighSandbox Evasion Gated Capabilityruntime/claude_auth.js
HighRuntime Package Installruntime/commands/command-upgrade.js
MediumNetwork
MediumEnvironment Vars
MediumStructural Risk Force Deep Review
LowScripts Present
LowFilesystem
LowHigh Entropy Strings
LowUrl Strings
LowCopyleft License