streaming-obs-bootstrap 安全扫描报告 — 可信 | ClawSafe

0 /100

streaming-obs-bootstrap

Rebuild and validate a reusable OBS streaming scene pack via agentic-obs and mcporter

This is a straightforward OBS streaming scene bootstrapper composed entirely of shell-script wrappers around the mcporter CLI tool. No malicious patterns, obfuscation, credential access, or hidden functionality were found.

技能名称streaming-obs-bootstrap

分析耗时31.3s

引擎pi

✓

可以安装

No action required. The skill is safe to use as documented.

资源类型	声明权限	推断权限	状态	证据
文件系统	`READ`	`READ`	✓ 一致	SKILL.md declares Read; scripts only read workspace overlays
网络访问	`READ`	`READ`	✓ 一致	HTTP server on :8787 is declared in SKILL.md workflow step 2
命令执行	`WRITE`	`WRITE`	✓ 一致	All 7 scripts use shell:WRITE to call mcporter CLI — all documented in SKILL.md …
环境变量	`NONE`	`NONE`	—	No env iteration; only reads OBS_AUDIO_INPUTS, OPENCLAW_WORKSPACE, AGENTIC_OBS_D…
技能调用	`NONE`	`NONE`	—	No inter-skill invocations
剪贴板	`NONE`	`NONE`	—	No clipboard access
浏览器	`NONE`	`NONE`	—	OBS browser-source URLs are created via mcporter, not accessed directly
数据库	`NONE`	`WRITE`	✓ 一致	obs_target_switch.sh:4 uses sqlite3 to write $HOME/.agentic-obs/db.sqlite — file…

4 项发现

🔗

中危外部 URL 外部 URL

http://127.0.0.1:8765/screenshot/stream_monitor

assets/overlays/control-panel.html:127

🔗

中危外部 URL 外部 URL

http://www.w3.org/2000/svg%22

assets/overlays/control-panel.html:129

🔗

中危外部 URL 外部 URL

http://127.0.0.1:8787/streaming/overlays/intro.html

references/networking.md:13

🔗

中危外部 URL 外部 URL

http://$IP:8787

scripts/rebuild_scenes.sh:5

目录结构

24 文件 · 36.7 KB · 1278 行

HTML 11f · 976L Markdown 6f · 168L Shell 7f · 134L

├─ ▾ 📁 assets

│ ├─ ▾ 📁 overlays

│ │ ├─ 📄 analytics.html HTML 90L · 2.1 KB

│ │ ├─ 📄 brb.html HTML 40L · 838 B

│ │ ├─ 📄 chat.html HTML 95L · 2.2 KB

│ │ ├─ 📄 control-panel.html HTML 186L · 5.8 KB

│ │ ├─ 📄 intro.html HTML 59L · 1.7 KB

│ │ ├─ 📄 live_dashboard.html HTML 80L · 1.9 KB

│ │ ├─ 📄 live-dashboard.html HTML 134L · 3.5 KB

│ │ ├─ 📄 outro.html HTML 57L · 1.5 KB

│ │ ├─ 📄 presentation.html HTML 50L · 1.0 KB

│ │ └─ 📄 work_status.html HTML 53L · 1.1 KB

│ └─ 📄 civic-nexus-demo.html HTML 132L · 3.7 KB

├─ ▾ 📁 references

│ ├─ 📝 networking.md Markdown 22L · 648 B

│ ├─ 📝 scene-map.md Markdown 21L · 837 B

│ ├─ 📝 troubleshooting.md Markdown 27L · 786 B

│ └─ 📝 v0.2-features.md Markdown 23L · 762 B

├─ ▾ 📁 scripts

│ ├─ 🔧 apply_audio_baseline.sh Shell 25L · 847 B

│ ├─ 🔧 apply_transition_preset.sh Shell 10L · 332 B

│ ├─ 🔧 obs_target_switch.sh Shell 12L · 417 B

│ ├─ 🔧 rebuild_scenes.sh Shell 32L · 2.5 KB

│ ├─ 🔧 smoke_test_walkthrough.sh Shell 18L · 499 B

│ ├─ 🔧 start_overlay_server.sh Shell 19L · 552 B

│ └─ 🔧 stream_dry_run.sh Shell 18L · 708 B

├─ 📝 PUBLISH.md Markdown 9L · 370 B

└─ 📝 SKILL.md Markdown 66L · 2.2 KB

安全亮点

✓ All 7 shell scripts are thin wrappers around mcporter CLI calls — no raw Python/JS/Ruby execution

✓ No base64, eval(), or atob() patterns anywhere in the codebase

✓ No credential harvesting — scripts only touch OBS-related config in ~/.agentic-obs/db.sqlite

✓ No curl|bash or wget|sh remote script downloads

✓ No access to ~/.ssh, ~/.aws, .env, or other sensitive paths

✓ No obfuscation, dead code, or hidden instructions in HTML comments

✓ No inter-skill invocations or clipboard access

✓ HTML overlays are static display files with no exfiltration logic

✓ Dependencies: No requirements.txt, package.json, or Cargo.toml — skill uses only system tools (mcporter, sqlite3, python3 http.server)