Low risk: risk score 15/100
Last scanned: 19 hours ago
ocas-scout
Structured OSINT research on people, companies, and organizations with provenance-backed briefs, entity resolution, and a tiered source waterfall. Escalates to paid sources only with explicit permission.
ocas-scout is a legitimate OSINT research skill with all capabilities properly declared; the pre-scan base64 flag is a documented GitHub API pattern (not code obfuscation), and the self-update lacks signature verification but this is disclosed in documentation.
Skill name: ocas-scout
Analysis time: 72.5s
Engine: pi
OK to install
Approve for use. The unsigned self-update mechanism introduces a theoretical supply-chain risk if the GitHub repo is compromised — consider adding SHA256 hash verification before overwriting local files.

Security findings: 3

Severity Finding Location
Medium
Unsigned self-update overwrites local skill files (Supply chain)
scout.update fetches a tarball from the GitHub repository via gh api and copies all extracted files over the local installation using cp -R. No SHA256 hash, GPG signature, or version pinning is performed. If the GitHub repository is compromised, an attacker can serve malicious files that execute on the host during the next update cycle.
gh api "repos/{owner}/{repo}/tarball/main" > "$TMPDIR/archive.tar.gz"
mkdir "$TMPDIR/extracted"
tar xzf "$TMPDIR/archive.tar.gz" -C "$TMPDIR/extracted" --strip-components=1
cp -R "$TMPDIR/extracted/"* ./
→ Add SHA256 hash verification: fetch gh api .../tarball/main --jq '.sha', then verify the downloaded archive matches before extracting and copying. Alternatively, pin to a specific commit SHA.
SKILL.md:205
Medium
Undeclared network access in skill.json (Supply chain)
scout.update makes gh api network calls to github.com to check versions and download tarballs. skill.json does not declare any network resource access. While documented in SKILL.md, this creates a doc-to-code mismatch for the capability manifest.
"filesystem": { "read": [...], "write": [...] }
→ Add a 'network' declaration to skill.json: { "read": ["api.github.com"] } to match documented behavior.
skill.json
Low
Cron job auto-registered on initialization (Persistence)
The init step registers a daily cron job 'scout:update' that runs scout.update (self-update) silently every midnight. While documented, this creates a daily outbound network connection to GitHub without explicit user opt-in beyond initial installation.
Register cron job `scout:update` if not already present
→ Make the update cron job opt-in via config flag (e.g., auto_update: { enabled: false }) rather than registering it unconditionally during init.
SKILL.md:195
Resource type Declared permission Inferred permission Status Evidence
Filesystem WRITE WRITE ✓ Consistent skill.json declares read/write to ~/openclaw/data/ocas-scout/ and ~/openclaw/jou…
Network access NONE READ ✓ Consistent scout.update calls gh api to fetch remote version and tarball — not declared in …
Command execution NONE WRITE ✓ Consistent SKILL.md lines 193-201 describe shell commands (mkdir, cp -R, tar, rm -rf) as pa…
Environment variables NONE NONE No os.environ iteration or credential access observed
Skill invocation NONE WRITE ✗ Exceeds declared permissions scout.update registers a cron job 'scout:update' via openclaw cron; init registe…
Clipboard NONE NONE No clipboard access
Browser NONE NONE No browser tool usage declared or observed
Database NONE NONE Emits Signal JSON files to ~/openclaw/db/ocas-elephas/intake/ — filesystem WRITE…
1 critical, 2 findings
🔒
Critical Encoded execution Base64-encoded execution (code obfuscation)
base64 -d
SKILL.md:205
📧
Info Email Email address
[email protected]
skill.json:6

Directory structure

7 files · 18.7 KB · 520 lines
Markdown 6f · 503L JSON 1f · 17L
├─ 📁 references
│ ├─ 📝 journal.md Markdown 73L · 1.9 KB
│ ├─ 📝 scout_brief_template.md Markdown 35L · 1.0 KB
│ ├─ 📝 scout_schemas.md Markdown 71L · 1.4 KB
│ └─ 📝 scout_source_waterfall.md Markdown 39L · 1.6 KB
├─ 📝 README.md Markdown 59L · 3.2 KB
├─ 📋 skill.json JSON 17L · 892 B
└─ 📝 SKILL.md Markdown 226L · 8.6 KB

Security highlights

✓ No credential theft or environment variable harvesting observed
✓ No base64-encoded runtime code or eval(atob()) obfuscation — the pre-scan flag is a standard GitHub API pattern documented as a description
✓ All primary filesystem access is declared and scoped to specific directories under ~/openclaw/
✓ Tier-based source waterfall with explicit permission gates for paid sources (Tier 3 requires PermissionGrant)
✓ No data exfiltration endpoints or C2 communications
✓ No hidden instructions, HTML comments, or prompt injection vectors
✓ Minimization principle enforced: collects only what the research goal requires
✓ PII suppression supported via minimize_pii constraint
✓ No direct database access — uses filesystem writes for data persistence
✓ Self-update mechanism is fully documented in SKILL.md (no hidden behavior)