critical
suspicious.dangerous_exec
- Location
- dist/cli/commands/claude-hook.js:52
- Finding
- Shell command execution detected (child_process).
- Evidence
const child = spawn(process.execPath, [process.argv[1] ?? "", "claude-hook", "--drain-queue"], {
ExperienceEngine
AdvisoryAudited by Static analysis on May 20, 2026.
Overview
Detected: suspicious.dangerous_exec, suspicious.exposed_secret_literal
Findings (22)
critical
suspicious.dangerous_exec
- Location
- dist/cli/commands/codex-hook.js:146
- Finding
- Shell command execution detected (child_process).
- Evidence
const child = spawn(process.execPath, [process.argv[1] ?? "", "codex-hook", "--drain-queue"], {
critical
suspicious.dangerous_exec
- Location
- dist/evaluation/openclaw-scenarios.js:34
- Finding
- Shell command execution detected (child_process).
- Evidence
: spawnSync("openclaw", args, {
critical
suspicious.dangerous_exec
- Location
- dist/install/claude-cli.js:30
- Finding
- Shell command execution detected (child_process).
- Evidence
"const child=cp.spawn(process.execPath,['--no-warnings',path.join(root,'dist/cli/index.js'),'mcp-server'],{stdio:'inherit',env:process.env});",
critical
suspicious.dangerous_exec
- Location
- dist/install/claude-runtime-target.js:133
- Finding
- Shell command execution detected (child_process).
- Evidence
"const child=cp.spawn(process.execPath,['--no-warnings',path.join(root,'dist/cli/index.js'),'claude-hook'],{stdio:'inherit',env:process.env})",
critical
suspicious.dangerous_exec
- Location
- dist/install/codex-cli.js:167
- Finding
- Shell command execution detected (child_process).
- Evidence
export const defaultCodexCommandRunner = (command) => execFileSync(command.bin, command.args, {
critical
suspicious.dangerous_exec
- Location
- dist/install/codex-installer.js:91
- Finding
- Shell command execution detected (child_process).
- Evidence
const result = spawnSync("sh", ["-c", "command -v ee"], {
critical
suspicious.dangerous_exec
- Location
- dist/install/codex-runtime-target.js:159
- Finding
- Shell command execution detected (child_process).
- Evidence
"const child=cp.spawn(process.execPath,['--no-warnings',path.join(root,'dist/cli/index.js'),'codex-hook'],{stdio:'inherit',env:process.env})",
critical
suspicious.dangerous_exec
- Location
- dist/install/host-detection.js:9
- Finding
- Shell command execution detected (child_process).
- Evidence
const result = spawnSync(lookupCommand, [command], {
critical
suspicious.dangerous_exec
- Location
- dist/install/openclaw-cli.js:68
- Finding
- Shell command execution detected (child_process).
- Evidence
return execFileSync(command.bin, command.args, {
critical
suspicious.dangerous_exec
- Location
- dist/install/registry-health.js:7
- Finding
- Shell command execution detected (child_process).
- Evidence
const output = execFileSync(tool, ["config", "get", "registry"], {
critical
suspicious.dangerous_exec
- Location
- dist/maintenance/claude-validate-print.js:150
- Finding
- Shell command execution detected (child_process).
- Evidence
const result = spawnSync(command[0], command.slice(1), {
critical
suspicious.exposed_secret_literal
- Location
- dist/analyzer/llm-learning-gate.js:1196
- Finding
- File appears to expose a hardcoded API secret or token.
- Evidence
Authorization: `[REDACTED] Credential=${endpoint.accessKeyId}/${credentialScope}, ` +
critical
suspicious.exposed_secret_literal
- Location
- dist/distillation/llm-distiller.js:337
- Finding
- File appears to expose a hardcoded API secret or token.
- Evidence
Authorization: `[REDACTED] Credential=${endpoint.accessKeyId}/${credentialScope}, ` +
critical
suspicious.exposed_secret_literal
- Location
- dist/distillation/merge-decider.js:224
- Finding
- File appears to expose a hardcoded API secret or token.
- Evidence
Authorization: `[REDACTED] Credential=${endpoint.accessKeyId}/${credentialScope}, ` +
critical
suspicious.exposed_secret_literal
- Location
- dist/distillation/providers/anthropic.js:7
- Finding
- File appears to expose a hardcoded API secret or token.
- Evidence
const apiKey = [REDACTED]?.trim();
critical
suspicious.exposed_secret_literal
- Location
- dist/distillation/providers/azure-openai.js:7
- Finding
- File appears to expose a hardcoded API secret or token.
- Evidence
const apiKey = [REDACTED]?.trim();
critical
suspicious.exposed_secret_literal
- Location
- dist/distillation/providers/gemini.js:11
- Finding
- File appears to expose a hardcoded API secret or token.
- Evidence
const apiKey = [REDACTED]?.trim();
critical
suspicious.exposed_secret_literal
- Location
- dist/distillation/providers/google-adc.js:41
- Finding
- File appears to expose a hardcoded API secret or token.
- Evidence
accessToken: [REDACTED],
critical
suspicious.exposed_secret_literal
- Location
- dist/distillation/providers/openai-compatible.js:6
- Finding
- File appears to expose a hardcoded API secret or token.
- Evidence
const apiKey = [REDACTED]?.trim();
critical
suspicious.exposed_secret_literal
- Location
- dist/distillation/providers/openai.js:6
- Finding
- File appears to expose a hardcoded API secret or token.
- Evidence
const apiKey = [REDACTED]?.trim();
critical
suspicious.exposed_secret_literal
- Location
- dist/distillation/providers/openrouter.js:6
- Finding
- File appears to expose a hardcoded API secret or token.
- Evidence
const apiKey = [REDACTED]?.trim();