Skill Trust Decision

ClawSentry

Name: ClawSentry Trust Review Report
Item: ClawSentry
Rating: 55
Author: ClawSafe

该技能为合法的 OpenClaw 安全插件安装工具，但代码严重混淆且网络目标指向测试环境，存在供应链风险和权限声明宽泛问题。

Install decision first Source: Manual upload Scanned: Apr 5, 2026

Files 3

Artifacts 5

Violations 1

Findings 5

Most direct threat evidence

Why this conclusion was reached

1/4 dimensions flagged

Block

Declared vs actual capability

1 undeclared or violating capabilities were inferred.

Review

Hidden execution and egress

5 lower-risk artifacts were extracted and still need context.

Pass

Attack chain and severe findings

There is no explicit malicious chain in the report.

Review

Dependencies and supply chain hygiene

1 dependency or supply-chain issues need attention.

What drove the risk score up

代码严重混淆 +15

bundle.cjs 为 esbuild 压缩后单行代码，无法直接阅读，增加审计难度

网络目标指向测试环境 +10

baseURL: openclaw-innersit.sdk.access-test.clawsentry.cn 包含 test 环境标识

shell:ADMIN 权限声明宽泛 +10

实际仅需调用 openclaw CLI，但声明了最高 ADMIN 权限

敏感数据通过命令行传递 +5

ApiKey/AppId 通过 execSync 参数传递可能暴露在进程列表

依赖 node-machine-id +5

该包声称不收集 MAC/主机名，但存在第三方依赖风险

Most important evidence

Medium Obfuscation

代码高度混淆难以审计

bundle.cjs 为单行压缩代码（150行压缩为1行），使用变量名替换（a/b/c/d/e/f等），极大增加安全审计难度

scripts/bundle.cjs:1

应要求提供未混淆的源代码进行独立审计

Medium Supply Chain

网络目标指向测试环境

internalConfig.baseURL 指向 'openclaw-innersit.sdk.access-test.clawsentry.cn' 包含 test/innersit 标识，非生产环境域名

scripts/bundle.cjs:1

确认该 URL 为官方正式域名，非测试/开发环境

Medium Priv Escalation

权限声明与实际不符

shell 权限声明为 ADMIN（最高级），但实际仅需调用 openclaw CLI 进行插件管理

SKILL.md:1

权限声明应精确到实际需要的操作类型

Low Sensitive Access

凭证通过命令行参数传递

ApiKey 和 AppId 通过 execSync 命令行参数写入配置文件，可能暴露在 /proc 或审计日志中

scripts/bundle.cjs:1

考虑使用环境变量或 stdin 传递敏感凭证

Low Supply Chain

依赖 node-machine-id 无版本锁定

依赖 node-machine-id ^1.1.12，^ 表示接受次要版本更新，存在供应链风险

scripts/bundle.cjs:1

固定到具体版本并验证哈希

Declared capability vs actual capability

Filesystem Pass

Declared WRITE

→

Inferred WRITE

scripts/bundle.cjs:1 - 压缩代码读写 .state/ 目录

Network Pass

Declared READ

→

Inferred READ+WRITE

scripts/bundle.cjs - HTTPS POST 请求到 API 端点

Shell Block

Declared ADMIN

→

Inferred WRITE

scripts/bundle.cjs - execSync 调用 openclaw 命令，实际仅需 plugin 管理权限

Environment Pass

Declared NONE

→

Inferred NONE

未发现环境变量遍历

Suspicious artifacts and egress

Medium External URL

https://www.volcengine.com/

README.md:61

Medium External URL

https://bytedance.larkoffice.com/share/base/form/shrcngOInnpkzC7OyN1y7QcwQJ8

README.md:67

Medium External URL

https://applink.larkoffice.com/client/chat/chatter/add_by_link?link_token=845sa75d-18de-4b53-a623-42c4db4b25de

README.md:73

Medium External URL

https://openclaw-innersit.sdk.access-test.clawsentry.cn

scripts/bundle.cjs:2

Medium External URL

https://console.clawsentry.cn/ai-assistant-security-dev/openclaw?loginToken=

scripts/bundle.cjs:2

Dependencies and supply chain

Package	Version	Source	Known vuln	Notes
node-machine-id	`^1.1.12`	bundle	No	无版本锁定，仅声明不收集 MAC/主机名
fs	`builtin`	node	No	Node.js 内置模块
child_process	`builtin`	node	No	Node.js 内置模块
https	`builtin`	node	No	Node.js 内置模块
crypto	`builtin`	node	No	Node.js 内置模块

File composition

3 files · 150 lines

Markdown 2 files · 139 linesJavaScript 1 files · 11 lines

Files of concern · 3

scripts/bundle.cjs JavaScript · 11 lines

代码高度混淆难以审计 · 网络目标指向测试环境 · 凭证通过命令行参数传递 · 依赖 node-machine-id 无版本锁定 · https://openclaw-innersit.sdk.access-test.clawsentry.cn · https://console.clawsentry.cn/ai-assistant-security-dev/openclaw?loginToken=

README.md Markdown · 80 lines

https://www.volcengine.com/ · https://bytedance.larkoffice.com/share/base/form/shrcngOInnpkzC7OyN1y7QcwQJ8 · https://applink.larkoffice.com/client/chat/chatter/add_by_link?link_token=845sa75d-18de-4b53-a623-42c4db4b25de

SKILL.md Markdown · 59 lines

权限声明与实际不符

Security positives

SKILL.md 文档较为详细，声明了网络目标、本地文件修改和凭证处理行为

设备指纹仅使用本地生成的 UUID 并发送 SHA-256 哈希，未收集真实硬件信息

未发现直接的凭证收割或外传行为

未发现外部 C2 通信或反向 shell

登录状态持久化在本地 .state/ 目录，未强制外传

openclaw CLI 调用符合其作为 OpenClaw 插件安装工具的定位