https://clawhub.ai/api/v1/skills/responsive-agent/file?path=SKILL.md&version=1.8.1

github.com/clawhub.ai/responsive-agent

Scanned Thu, 28 May 2026 16:43:22 GMT

Scan ID crawl-j9pso5ajhvz9cracu1dj3et3 · 9ms

SCORE 55 / 100

Verdict: Proceed with caution

19 medium findings.

This skill spawns subprocesses outside its declared capabilities plus 18 other issues listed below.

0 critical0 high19 medium-7 rules passed

Why grade C?

score · 55 / 100

The current grade reflects 19 medium findings (6+ MEDs → C).

0 CRIT0 HIGH19 MED0 LOW

To reach a higher grade

B
Reach Btarget score 75
Resolve 14 of 19 MED (cap is 5).
A
Reach Atarget score 95
Resolve 17 of 19 MED (cap is 2).

Thresholds are documented at /docs/grading. Source-of-truth is the grade() function in @skillox/scanner.

Findings · ordered by severity

med

Arbitrary subprocess execution detected

The skill spawns subprocesses. Without a capability manifest declaring this, the skill could execute arbitrary commands.

rule: subprocess-executionline: 174CWE-78

▾

172 - State-modifying (write, commit, deploy, publish)

173 → YES: spawn subagent immediately

174 → NO: still spawn (conservative — when in doubt, spawn)← spawns a subprocess outside declared capabilities

175```

176

med

Arbitrary subprocess execution detected

The skill spawns subprocesses. Without a capability manifest declaring this, the skill could execute arbitrary commands.

rule: subprocess-executionline: 186CWE-78

▾

1841. Main process uses exec to read the previous task.md:

185 ```

186 exec(command="cat workspace/tasks/{task-id}/task.md", timeout=5)← spawns a subprocess outside declared capabilities

187 ```

1882. Alternative for quick lookup: `memory_search` on the task-id

med

Arbitrary subprocess execution detected

The skill spawns subprocesses. Without a capability manifest declaring this, the skill could execute arbitrary commands.

rule: subprocess-executionline: 197CWE-78

▾

195- Main process is responsible for maintaining context, not the subagent

196

197**Always spawn (never exec in main process):**← spawns a subprocess outside declared capabilities

198- Remote operations (SSH, remote API calls, HTTP)

199- git push/pull/clone

med

Arbitrary subprocess execution detected

The skill spawns subprocesses. Without a capability manifest declaring this, the skill could execute arbitrary commands.

rule: subprocess-executionline: 214CWE-78

▾

212```json

213// Short local command (<1s): exec directly, no yield needed

214exec(command="ls /tmp")← spawns a subprocess outside declared capabilities

215

216// Long local command (5-30s): exec + yieldMs

med

Arbitrary subprocess execution detected

The skill spawns subprocesses. Without a capability manifest declaring this, the skill could execute arbitrary commands.

rule: subprocess-executionline: 217CWE-78

▾

215

216// Long local command (5-30s): exec + yieldMs

217exec(command="some-long-operation.sh", yieldMs=5000, timeout=60)← spawns a subprocess outside declared capabilities

218

219// Long command (>30s, async ok): exec + yieldMs

med

Arbitrary subprocess execution detected

The skill spawns subprocesses. Without a capability manifest declaring this, the skill could execute arbitrary commands.

rule: subprocess-executionline: 220CWE-78

▾

218

219// Long command (>30s, async ok): exec + yieldMs

220exec(command="moderate-build.sh", yieldMs=10000, timeout=300)← spawns a subprocess outside declared capabilities

221

222// Unknown duration: exec + yieldMs + large timeout

med

Arbitrary subprocess execution detected

The skill spawns subprocesses. Without a capability manifest declaring this, the skill could execute arbitrary commands.

rule: subprocess-executionline: 223CWE-78

▾

221

222// Unknown duration: exec + yieldMs + large timeout

223exec(command="unknown-task.sh", yieldMs=30000, timeout=600)← spawns a subprocess outside declared capabilities

224

225// Very long command: exec + background + poll

med

Arbitrary subprocess execution detected

The skill spawns subprocesses. Without a capability manifest declaring this, the skill could execute arbitrary commands.

rule: subprocess-executionline: 226CWE-78

▾

224

225// Very long command: exec + background + poll

226exec(command="very-long-build.sh", background=true, yieldMs=60000, timeout=3600)← spawns a subprocess outside declared capabilities

227```

228

med

Arbitrary subprocess execution detected

The skill spawns subprocesses. Without a capability manifest declaring this, the skill could execute arbitrary commands.

rule: subprocess-executionline: 276CWE-78

▾

274// ✅ Need result — use yieldMs

275// Inside subagent:

276exec(command="analysis-script.sh", yieldMs=30000, timeout=120)← spawns a subprocess outside declared capabilities

277

278// ✅ Explicitly need NO result — use background=true

med

Arbitrary subprocess execution detected

The skill spawns subprocesses. Without a capability manifest declaring this, the skill could execute arbitrary commands.

rule: subprocess-executionline: 280CWE-78

▾

278// ✅ Explicitly need NO result — use background=true

279// Inside subagent:

280exec(command="ping -c 100 remote-host", background=true)← spawns a subprocess outside declared capabilities

281// Result: none, process runs independently

282```

med

Arbitrary subprocess execution detected

The skill spawns subprocesses. Without a capability manifest declaring this, the skill could execute arbitrary commands.

rule: subprocess-executionline: 310CWE-78

▾

308**Want result synchronously (wait in subagent until done)?**

309- Set `yieldMs = timeout` (or omit yieldMs, use timeout only)

310- Example: `exec("short-task.sh", timeout=30)` — waits up to 30s, returns result← spawns a subprocess outside declared capabilities

311

312**Async is fine (background immediately)?**

med

Arbitrary subprocess execution detected

The skill spawns subprocesses. Without a capability manifest declaring this, the skill could execute arbitrary commands.

rule: subprocess-executionline: 314CWE-78

▾

312**Async is fine (background immediately)?**

313- Set `yieldMs` small (e.g., 5000–10000ms)

314- Example: `exec("long-task.sh", yieldMs=5000, timeout=300)` — bg after 5s, result via push← spawns a subprocess outside declared capabilities

315

316---

med

Arbitrary subprocess execution detected

The skill spawns subprocesses. Without a capability manifest declaring this, the skill could execute arbitrary commands.

rule: subprocess-executionline: 663CWE-78

▾

661```json

662// Large output scenario

663exec(command="git diff --name-only", yieldMs=10000, timeout=60)← spawns a subprocess outside declared capabilities

664// Result: 50MB of file names → write to file instead

665

med

Arbitrary subprocess execution detected

The skill spawns subprocesses. Without a capability manifest declaring this, the skill could execute arbitrary commands.

rule: subprocess-executionline: 817CWE-78

▾

815// Layer 1: Main process — always spawn for non-trivial work

816// ❌ Wrong — blocks main process, typing disappears

817exec(command="ssh remote-host ...")← spawns a subprocess outside declared capabilities

818

819// ✅ Correct — non-blocking, typing stays active

med

Arbitrary subprocess execution detected

The skill spawns subprocesses. Without a capability manifest declaring this, the skill could execute arbitrary commands.

rule: subprocess-executionline: 824CWE-78

▾

822// Inside the spawned subagent (Layer 2):

823// ✅ exec + yieldMs for long local command

824exec(command="some-long-local-script.sh", yieldMs=10000, timeout=300)← spawns a subprocess outside declared capabilities

825

826// ✅ exec + background for very long commands

med

Arbitrary subprocess execution detected

The skill spawns subprocesses. Without a capability manifest declaring this, the skill could execute arbitrary commands.

rule: subprocess-executionline: 827CWE-78

▾

825

826// ✅ exec + background for very long commands

827exec(command="very-long-build.sh", background=true, yieldMs=60000, timeout=3600)← spawns a subprocess outside declared capabilities

828```

829

med

Arbitrary subprocess execution detected

The skill spawns subprocesses. Without a capability manifest declaring this, the skill could execute arbitrary commands.

rule: subprocess-executionline: 912CWE-78

▾

9101. First attempt: run clawhub command

9112. If 429: extract Retry-After header (e.g., 60 seconds)

9123. exec(command="sleep {Retry-After}", yieldMs={Retry-After * 1000 + 1000}, timeout={Retry-After + 10})← spawns a subprocess outside declared capabilities

9134. Second attempt: retry the clawhub command

9145. If still 429 after 3 attempts: write error.md, reply to parent with failure

med

Arbitrary subprocess execution detected

The skill spawns subprocesses. Without a capability manifest declaring this, the skill could execute arbitrary commands.

rule: subprocess-executionline: 929CWE-78

▾

9271. Check for X-RateLimit-Reset header

9282. Calculate wait time: (reset_timestamp - now) + 5 seconds buffer

9293. exec(command="sleep {wait_seconds}", yieldMs={wait_seconds * 1000 + 1000}, timeout={wait_seconds + 30})← spawns a subprocess outside declared capabilities

9304. Retry with Authorization header using token from TOOLS.md

931

med

No capability manifest declared

The skill ships without a `manifest.yaml` or `capabilities` block in its frontmatter. Without a manifest, the runtime cannot enforce what this skill is permitted to do.

rule: no-manifest

▾

Scan another →Share

skillox.io/r/crawl-j9pso5ajhvz9cracu1dj3et3