High risk: risk score 65/100
Last scanned: 20 hours ago
backup-2-github
Backup OpenClaw personalized configuration and user data to GitHub
Hardcoded default GitHub repository could silently exfiltrate user configuration data to an unintended third-party repository if token is set but repo is not configured.
Skill name: backup-2-github
Analysis time: 39.1s
Engine: pi
Do not install this skill
Remove the hardcoded default repository 'fangbb-coder/OC-backup' and require explicit GITHUB_REPO configuration. This prevents accidental data exfiltration to an external repository.

Attack chain: 4 steps

Entry point: User installs skill and sets GITHUB_TOKEN env var (e.g., from CI/CD or shared config)
backup.py:24
Privilege escalation: User runs backup without configuring GITHUB_REPO, skill silently uses default 'fangbb-coder/OC-backup'
backup.py:27
Impact: All user configs (USER.md, IDENTITY.md, SOUL.md, TOOLS.md, MEMORY.md, openclaw.json, cron configs) pushed to hardcoded third-party repo
backup.py:134
Impact: Attacker (repo owner 'fangbb-coder') gains access to user's full AI persona, identity, tools, and schedule data
_clawsafe/pre-scan.json

Security findings: 4

Severity | Finding | Location
High
Hardcoded Default Repository Exposes User Data [Data exfiltration]
The GITHUB_REPO defaults to 'fangbb-coder/OC-backup'. If a user sets only GITHUB_TOKEN (or has it from another context) without configuring GITHUB_REPO, their entire OpenClaw configuration — including USER.md, IDENTITY.md, SOUL.md, TOOLS.md, MEMORY.md, openclaw.json, and cron configs — will be silently pushed to the hardcoded third-party repository.
GITHUB_REPO = os.getenv("GITHUB_REPO", "fangbb-coder/OC-backup")
→ Remove the default value. Require GITHUB_REPO to be explicitly set, and fail with a clear error message if not configured.
backup.py:27
Medium
Credentials Backup Claimed But Not Implemented [Documentation deception]
SKILL.md explicitly mentions backing up 'credentials/*.json (Xiaohongshu cookies, etc.)' but the BACKUP_FILES list in backup.py does not include any credentials paths. This creates a false expectation for users seeking credential backup functionality.
Credentials** (optional): `credentials/*.json` (Xiaohongshu cookies, etc.)
→ Either add credentials paths to BACKUP_FILES or remove this claim from documentation.
SKILL.md:24
Medium
Unpinned Dependency Versions [Supply chain]
PyGithub uses >=1.59.0 and python-dotenv uses >=1.0.0, allowing automatic upgrades to newer versions that could introduce malicious code.
PyGithub>=1.59.0
→ Pin exact versions (e.g., PyGithub==1.59.1) to prevent supply chain attacks.
requirements.txt:1
Low
Undeclared Environment Variable Access [Sensitive access]
The skill reads GITHUB_TOKEN and GITHUB_REPO from environment variables but does not declare 'environment' as a capability in SKILL.md or skill.yaml.
GITHUB_TOKEN = os.getenv("GITHUB_TOKEN")
→ Declare 'environment: READ' capability in skill.yaml capabilities list.
backup.py:24
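Resource type | Declared permission | Inferred permission | Status | Evidence
Filesystem | READ | READ | ✓ Consistent | Reads ~/.openclaw/workspace and ~/.openclaw paths only for backup purposes
Network access | WRITE | WRITE | ✗ Exceeds declared permission | SKILL.md declares 'github' capability but backup.py silently defaults to hardcod…
Environment variables | NONE | READ | ✗ Exceeds declared permission | Reads GITHUB_TOKEN and GITHUB_REPO from env vars without declaring in SKILL.md
Command execution | NONE | NONE | | No shell execution found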

Directory structure

5 files · 15.3 KB · 542 lines
Python 1f · 283L Markdown 2f · 241L YAML 1f · 15L Text 1f · 3L
├─ 🐍 backup.py Python 283L · 7.9 KB
├─ 📝 README.md Markdown 133L · 3.7 KB
├─ 📄 requirements.txt Text 3L · 60 B
├─ 📝 SKILL.md Markdown 108L · 3.4 KB
└─ 📋 skill.yaml YAML 15L · 288 B

Dependency analysis: 2 items

Package | Version | Source | Known vulnerabilities | Notes
PyGithub | >=1.59.0 | pip | | Version not pinned, uses >= constraint
python-dotenv | >=1.0.0 | pip | | Version not pinned, uses >= constraint

Security highlights

✓ No shell execution (subprocess, os.system, curl|bash) — legitimate use of PyGithub API client
✓ No base64 encoding, eval, or obfuscation detected
✓ No hardcoded credentials in source code
✓ Dry-run mode allows safe preview without data transfer
✓ Uses .env file pattern for token storage (not hardcoded)
✓ Exclusion patterns prevent accidental backup of large/cached files