byted-outbound-call

Pass

Audited by Gen Agent Trust Hub on Apr 21, 2026

Risk Level: SAFE
COMMAND_EXECUTION, DATA_EXFILTRATION
Full Analysis
  • [COMMAND_EXECUTION]: The skill executes local shell commands in scripts/message/notify.py using subprocess.run with shell=True to interact with the openclaw CLI. Although the arguments are sanitized using shlex.quote, shell execution increases the potential attack surface.
  • [COMMAND_EXECUTION]: In scripts/submit_job.py, a background monitoring task is spawned using subprocess.Popen to execute the wait_job_result.py script.
  • [DATA_EXFILTRATION]: The utility module scripts/common/utils.py logs the entire os.environ dictionary to local log files. This behavior exposes sensitive environment variables, specifically the VOLCENGINE_ACCESS_KEY and VOLCENGINE_SECRET_KEY required by the skill, in plain text within the diagnostic logs.
Audit Metadata
  • Risk Level: SAFE
  • Analyzed: Apr 21, 2026, 10:40 AM