Is review-manager safe?
https://clawhub.ai/mupengi-bot/review-manager
The review-manager skill is a Korean-language review aggregation tool with significant command injection risk in its Discord notification pipeline. Two scripts use execSync() with insufficiently sanitized user-controlled data (review content from external platforms), creating a potential remote code execution vector. The skill also transmits aggregated business data to Discord and instructs the agent to acquire authentication cookies for commercial platforms.
Findings (9)
HIGH Shell command injection via execSync with user-controlled data -40
Both check-negative.js and weekly-report.js use execSync() to construct shell commands by interpolating config values and review content into command strings. The Discord message sending uses string concatenation with only basic double-quote escaping (.replace(/"/g, '\"')), which is insufficient to prevent shell injection. Malicious review content scraped from external platforms (attacker-controlled data) flows into these execSync calls, creating a remote code execution vector.
HIGH child_process execSync imported and actively used -20
Two scripts (weekly-report.js and check-negative.js) import execSync from child_process and use it to execute shell commands. While the current usage targets 'openclaw message send', the pattern of constructing shell commands from data is inherently dangerous and could be modified or exploited.
MEDIUM Outbound data transmission to Discord via shell command -30
The skill sends aggregated business data (review statistics, negative review alerts, sentiment analysis) to external Discord channels. This data includes review content, ratings, author information, and business analytics. The Discord channel ID is configurable, meaning a malicious config could redirect this data to an attacker's server.
MEDIUM Aggregated business intelligence stored in predictable location -15
The skill collects and stores detailed business data including customer reviews, sentiment analysis, competitor comparisons, and generated replies in ~/.openclaw/workspace/skills/review-manager/data/. This creates a concentrated target of business-sensitive information accessible to any other skill or process.
MEDIUM Skill instructs agent to use browser tool for credential acquisition -20
The troubleshooting section instructs the agent to use 'browser tool로 쿠키 획득 후 재사용' (acquire cookies via browser tool and reuse them) for platforms requiring login (Baemin, Coupang). This instructs the agent to capture and store authentication credentials/sessions from external platforms, which could be misused.
LOW Skill requests cron/heartbeat scheduling for persistent execution -5
The skill instructs users to set up cron jobs or OpenClaw heartbeat integration for periodic automated execution. This establishes persistent code execution outside of user-initiated sessions.
LOW Scripts access user home directory via process.env.HOME -5
All scripts use process.env.HOME to construct file paths for config loading and data storage. While this is standard practice, it means the scripts operate within the user's home directory and could potentially access or create files in sensitive locations if path traversal were introduced.
INFO Mock implementations with TODO placeholders for real scraping -5
The scraping functions (collectNaverReviews, collectGoogleReviews, etc.) currently return mock data with TODO comments indicating future implementation. When these are implemented, they will make outbound HTTP requests to external platforms, significantly changing the risk profile.
INFO Connection to 216.150.1.1:443 during monitoring period -15
Network monitoring captured a TLS connection to 216.150.1.1:443 during the install/monitoring period. This appears to be related to system-level package management (apt/dpkg activity visible in audit logs) rather than skill-initiated activity, but the destination is noted for completeness.