Low Risk — Risk Score 15/100
Last scan: 17 hr ago
ocas-scout
Structured OSINT research on people, companies, and organizations with provenance-backed briefs, entity resolution, and a tiered source waterfall. Escalates to paid sources only with explicit permission.
ocas-scout is a legitimate OSINT research skill with all capabilities properly declared; the pre-scan base64 flag is a documented GitHub API pattern (not code obfuscation), and the self-update lacks signature verification but this is disclosed in documentation.
Skill Name: ocas-scout
Duration: 72.5s
Engine: pi
Safe to install
Approve for use. The unsigned self-update mechanism introduces a theoretical supply-chain risk if the GitHub repo is compromised — consider adding SHA256 hash verification before overwriting local files.

Findings 3 items

Severity Finding Location
Medium
Unsigned self-update overwrites local skill files (Supply Chain)
scout.update fetches a tarball from the GitHub repository via gh api and copies all extracted files over the local installation using cp -R. No SHA256 hash, GPG signature, or version pinning is performed. If the GitHub repository is compromised, an attacker can serve malicious files that execute on the host during the next update cycle.
gh api "repos/{owner}/{repo}/tarball/main" > "$TMPDIR/archive.tar.gz"
mkdir "$TMPDIR/extracted"
tar xzf "$TMPDIR/archive.tar.gz" -C "$TMPDIR/extracted" --strip-components=1
cp -R "$TMPDIR/extracted/"* ./
→ Add SHA256 hash verification: fetch gh api .../tarball/main --jq '.sha', then verify the downloaded archive matches before extracting and copying. Alternatively, pin to a specific commit SHA.
SKILL.md:205
Medium
Undeclared network access in skill.json (Supply Chain)
scout.update makes gh api network calls to github.com to check versions and download tarballs. skill.json does not declare any network resource access. While documented in SKILL.md, this creates a doc-to-code mismatch for the capability manifest.
"filesystem": { "read": [...], "write": [...] }
→ Add a 'network' declaration to skill.json: { "read": ["api.github.com"] } to match documented behavior.
skill.json
Low
Cron job auto-registered on initialization (Persistence)
The init step registers a daily cron job 'scout:update' that runs scout.update (self-update) silently every midnight. While documented, this creates a daily outbound network connection to GitHub without explicit user opt-in beyond initial installation.
Register cron job `scout:update` if not already present
→ Make the update cron job opt-in via config flag (e.g., auto_update: { enabled: false }) rather than registering it unconditionally during init.
SKILL.md:195
Resource Declared Inferred Status Evidence
Filesystem WRITE WRITE ✓ Aligned skill.json declares read/write to ~/openclaw/data/ocas-scout/ and ~/openclaw/jou…
Network NONE READ ✓ Aligned scout.update calls gh api to fetch remote version and tarball — not declared in …
Shell NONE WRITE ✓ Aligned SKILL.md lines 193-201 describe shell commands (mkdir, cp -R, tar, rm -rf) as pa…
Environment NONE NONE No os.environ iteration or credential access observed
Skill Invoke NONE WRITE ✗ Violation scout.update registers a cron job 'scout:update' via openclaw cron; init registe…
Clipboard NONE NONE No clipboard access
Browser NONE NONE No browser tool usage declared or observed
Database NONE NONE Emits Signal JSON files to ~/openclaw/db/ocas-elephas/intake/ — filesystem WRITE…
1 Critical 2 findings
🔒
Critical Encoded Execution Base64-encoded execution (code obfuscation)
base64 -d
SKILL.md:205
📧
Info Email Email address
[email protected]
skill.json:6

File Tree

7 files · 18.7 KB · 520 lines
Markdown 6f · 503L JSON 1f · 17L
├─ 📁 references
│ ├─ 📝 journal.md Markdown 73L · 1.9 KB
│ ├─ 📝 scout_brief_template.md Markdown 35L · 1.0 KB
│ ├─ 📝 scout_schemas.md Markdown 71L · 1.4 KB
│ └─ 📝 scout_source_waterfall.md Markdown 39L · 1.6 KB
├─ 📝 README.md Markdown 59L · 3.2 KB
├─ 📋 skill.json JSON 17L · 892 B
└─ 📝 SKILL.md Markdown 226L · 8.6 KB

Security Positives

✓ No credential theft or environment variable harvesting observed
✓ No base64-encoded runtime code or eval(atob()) obfuscation — the pre-scan flag is a standard GitHub API pattern documented as a description
✓ All primary filesystem access is declared and scoped to specific directories under ~/openclaw/
✓ Tier-based source waterfall with explicit permission gates for paid sources (Tier 3 requires PermissionGrant)
✓ No data exfiltration endpoints or C2 communications
✓ No hidden instructions, HTML comments, or prompt injection vectors
✓ Minimization principle enforced: collects only what the research goal requires
✓ PII suppression supported via minimize_pii constraint
✓ No direct database access — uses filesystem writes for data persistence
✓ Self-update mechanism is fully documented in SKILL.md (no hidden behavior)