openclaw-continuous-work 安全扫描报告 — 低风险 | ClawSafe

20 /100

openclaw-continuous-work

Continuous execution and optimization pipeline skill for OpenClaw. Runs naming audits, content/link audits, module validation, reference mapping, and encoding normalization on a target directory.

Legitimate OpenClaw continuous-work/optimization skill with minor documentation gap around subprocess invocation; no malicious patterns found.

技能名称openclaw-continuous-work

分析耗时47.4s

引擎pi

✓

可以安装

Add explicit declaration of subprocess usage in SKILL.md allowed-tools section. Otherwise this skill is safe to deploy.

安全发现 3 项

严重性	安全发现	位置
低危	Subprocess shell execution not declared in allowed-tools 文档欺骗 RunOptimizationPipeline.py uses subprocess.run() to invoke local scripts, but SKILL.md does not declare shell:WRITE in its allowed-tools section. Execution is constrained to hardcoded skill-internal paths, so the practical risk is low. `import subprocess` → Add shell:WRITE to allowed tools declaration, or move the pipeline orchestration to inline function calls to avoid subprocess entirely.	`Scripts/RunOptimizationPipeline.py:19`
低危	Broad filesystem scope not declared 文档欺骗 NamingAudit.py and ContentLinkAudit.py accept a target path argument and recursively scan the entire directory tree. SKILL.md does not declare filesystem:READ scope for these operations. `for p in root.rglob('*')` → Document that scripts accept a target directory parameter and perform recursive scans. Declare filesystem:READ scope.	`Scripts/NamingAudit.py:36`
低危	File-writing scripts not declared as requiring filesystem:WRITE 文档欺骗 NormalizeEncoding.py writes normalized UTF-8 bytes back to files; ValidateModuleOrder.py and BuildReferenceMap.py write reports. These require filesystem:WRITE but no allowed-tools declaration exists. `path.write_bytes(new_raw)` → Add filesystem:WRITE to allowed-tools or scope writes to a designated output directory.	`Scripts/NormalizeEncoding.py:25`

资源类型	声明权限	推断权限	状态	证据
命令执行	`NONE`	`WRITE`	✓ 一致	Scripts/RunOptimizationPipeline.py:19 (import subprocess) and line 25 (subproces…
文件系统	`NONE`	`READ`	✓ 一致	NamingAudit.py:36 (root.rglob), ContentLinkAudit.py:52 (root.rglob) — reads file…
文件系统	`NONE`	`WRITE`	✓ 一致	NormalizeEncoding.py:25-29 (writes normalized bytes), ValidateModuleOrder.py:59 …

目录结构

27 文件 · 36.0 KB · 1142 行

Python 8f · 704L Markdown 15f · 381L JSON 4f · 57L

├─ ▾ 📁 References

│ ├─ 📝 AcceptanceTemplate.md Markdown 25L · 609 B

│ ├─ 📋 ConflictReport.json JSON 4L · 63 B

│ ├─ 📝 ConflictReport.md Markdown 13L · 396 B

│ ├─ 📝 ContinuousExecutionDirective.md Markdown 18L · 732 B

│ ├─ 📝 GeneralRules.md Markdown 34L · 1.6 KB

│ ├─ 📋 ModuleGraph.json JSON 29L · 758 B

│ ├─ 📝 ModuleGraph.md Markdown 35L · 938 B

│ ├─ 📋 ModuleOrder.json JSON 18L · 370 B

│ ├─ 📋 ModuleOrderReport.json JSON 6L · 95 B

│ ├─ 📝 ModuleOrderReport.md Markdown 14L · 181 B

│ ├─ 📝 ModuleSystem.md Markdown 33L · 1.3 KB

│ ├─ 📝 ModuleTemplate.md Markdown 16L · 202 B

│ ├─ 📝 OptimizationChecklist.md Markdown 8L · 172 B

│ ├─ 📝 OptimizationDirective.md Markdown 18L · 701 B

│ ├─ 📝 OptimizationRules.md Markdown 19L · 825 B

│ ├─ 📝 QualityRubric.md Markdown 38L · 882 B

│ ├─ 📝 ReferenceMap.md Markdown 31L · 1.1 KB

│ └─ 📝 ReportingTemplate.md Markdown 23L · 536 B

├─ ▾ 📁 Scripts

│ ├─ 🐍 BuildModuleGraph.py Python 80L · 2.3 KB

│ ├─ 🐍 BuildReferenceMap.py Python 90L · 3.1 KB

│ ├─ 🐍 ContentLinkAudit.py Python 100L · 2.6 KB

│ ├─ 🐍 DetectRuleConflicts.py Python 106L · 3.3 KB

│ ├─ 🐍 NamingAudit.py Python 88L · 2.5 KB

│ ├─ 🐍 NormalizeEncoding.py Python 54L · 1.2 KB

│ ├─ 🐍 RunOptimizationPipeline.py Python 90L · 3.7 KB

│ └─ 🐍 ValidateModuleOrder.py Python 96L · 2.9 KB

└─ 📝 SKILL.md Markdown 56L · 3.1 KB

依赖分析 1 项

包名	版本	来源	已知漏洞	备注
`Python standard library only`	`N/A`	stdlib	否	No third-party packages in requirements.txt or package.json — uses only json, subprocess, pathlib, re, collections, itertools, argparse, argparse

安全亮点

✓ All scripts use only Python standard library — no third-party dependencies that could introduce supply-chain risk

✓ No network requests (no urllib, requests, httpx, socket to remote IPs)

✓ No credential or environment variable harvesting

✓ No base64/encoded payloads or obfuscation techniques

✓ No access to sensitive paths (~/.ssh, ~/.aws, .env, key stores)

✓ subprocess targets are hardcoded local script paths — no arbitrary command injection

✓ File writes are confined to text/UTF-8 normalization or auto-generated markdown/JSON reports

✓ Grep scan found zero matches for credential keywords, reverse shell patterns, or suspicious network patterns