critical
suspicious.dynamic_code_execution
- Location
- .claude/worktrees/check/src/core/runner.ts:1023
- Finding
- Dynamic code execution detected.
- Evidence
const fn = new Function("state", `"use strict"; return !!(${resolved});`);
ClawFlow
AdvisoryAudited by Static analysis on May 19, 2026.
Overview
Detected: suspicious.dynamic_code_execution, suspicious.env_credential_access
Findings (15)
critical
suspicious.dynamic_code_execution
- Location
- .claude/worktrees/custom-step/src/core/runner.ts:1065
- Finding
- Dynamic code execution detected.
- Evidence
const fn = new Function("state", `"use strict"; return !!(${resolved});`);
critical
suspicious.dynamic_code_execution
- Location
- .claude/worktrees/edit/src/core/runner.ts:1023
- Finding
- Dynamic code execution detected.
- Evidence
const fn = new Function("state", `"use strict"; return !!(${resolved});`);
critical
suspicious.dynamic_code_execution
- Location
- .internal/docs/first draft openclaw plugin/runner.ts:485
- Finding
- Dynamic code execution detected.
- Evidence
const fn = new Function("input", "state", `"use strict"; return (${node.run});`);
critical
suspicious.dynamic_code_execution
- Location
- dist/core/runner.js:810
- Finding
- Dynamic code execution detected.
- Evidence
const fn = new Function("state", `"use strict"; return !!(${resolved});`);
critical
suspicious.dynamic_code_execution
- Location
- src/core/runner.ts:1065
- Finding
- Dynamic code execution detected.
- Evidence
const fn = new Function("state", `"use strict"; return !!(${resolved});`);
critical
suspicious.env_credential_access
- Location
- .claude/worktrees/check/src/core/runner.ts:125
- Finding
- Environment variable access combined with network send.
- Evidence
// Seed state.env: flow defaults → shell-expand $(…) → process.env overrides
critical
suspicious.env_credential_access
- Location
- .claude/worktrees/custom-step/src/core/custom-steps.ts:40
- Finding
- Environment variable access combined with network send.
- Evidence
/** Resolved env (merged from flow.env + process.env). Empty object if none. */
critical
suspicious.env_credential_access
- Location
- .claude/worktrees/custom-step/src/core/runner.ts:157
- Finding
- Environment variable access combined with network send.
- Evidence
// Seed state.env: flow defaults → shell-expand $(…) → process.env overrides
critical
suspicious.env_credential_access
- Location
- .claude/worktrees/edit/src/core/runner.ts:125
- Finding
- Environment variable access combined with network send.
- Evidence
// Seed state.env: flow defaults → shell-expand $(…) → process.env overrides
critical
suspicious.env_credential_access
- Location
- .internal/docs/first draft openclaw plugin/runner.ts:277
- Finding
- Environment variable access combined with network send.
- Evidence
const apiKey = this.cfg.apiKey ?? process.env.ANTHROPIC_API_KEY;
critical
suspicious.env_credential_access
- Location
- dist/core/custom-steps.d.ts:18
- Finding
- Environment variable access combined with network send.
- Evidence
/** Resolved env (merged from flow.env + process.env). Empty object if none. */
critical
suspicious.env_credential_access
- Location
- dist/core/runner.js:100
- Finding
- Environment variable access combined with network send.
- Evidence
// Seed state.env: flow defaults → shell-expand $(…) → process.env overrides
critical
suspicious.env_credential_access
- Location
- src/core/custom-steps.ts:40
- Finding
- Environment variable access combined with network send.
- Evidence
/** Resolved env (merged from flow.env + process.env). Empty object if none. */
critical
suspicious.env_credential_access
- Location
- src/core/runner.ts:157
- Finding
- Environment variable access combined with network send.
- Evidence
// Seed state.env: flow defaults → shell-expand $(…) → process.env overrides