Low risk: risk score 15/100
Last scan: 1 day ago
agent-optimize
Agent optimization diagnostic skill - analyzes OpenClaw status, identifies context bloat, skill noise, memory redundancy, and config conflicts
Agent optimization diagnostic tool with legitimate functionality. Reads .env files for config analysis but does not exfiltrate credentials. Minor documentation gaps regarding credential-adjacent file access.
Skill name: agent-optimize
Analysis time: 42.5s
Engine: pi
Verdict: can be installed
This skill is safe for use. Consider clarifying in documentation that .env files are read only for key name analysis, not value extraction. The hardcoded admin path '/home/admin/.npm-global' should be parameterized.

Security findings: 2

Severity | Finding | Location

Finding 1: .env file access not explicitly documented
Severity: Low (category: documentation deception)
Location: src/index.js:237
The diagnoseConfig() function reads .env files (line 237), but the SKILL.md capabilities section only lists 'skill-configs, session-logs, memory-files' for analyze. While filesystem:READ covers this, explicit documentation would improve transparency.
Evidence: path.join(PATHS.workspace, '.env')
Recommendation: Add '.env' to the declared analyze paths or explicitly document env file reading in SKILL.md

Finding 2: Hardcoded admin user path
Severity: Low (category: sensitive access)
Location: src/index.js:24
PATHS.npmGlobal uses a hardcoded '/home/admin/.npm-global' path instead of dynamically resolving the user's home directory. This is unusual and could indicate a developer oversight or a testing artifact.
Evidence: npmGlobal: '/home/admin/.npm-global/lib/node_modules/openclaw'
Recommendation: Replace with path.join(os.homedir(), '.npm-global/lib/node_modules/openclaw') or require OPENCLAW_HOME to be set
Resource type | Declared permission | Inferred permission | Status | Evidence
Filesystem | READ | READ | ✓ consistent | src/index.js:46-49 reads ~/.openclaw/** and workspace/**
Command execution | WRITE | WRITE | ✓ consistent | src/index.js:58-62 uses execSync for find, grep, wc, du, ps, pgrep as declared
Network access | NONE | NONE | | No network calls found in src/index.js
Environment variables | NONE | READ | ✓ consistent | src/index.js:14-19 reads OPTIMIZE_* env vars but does not exfiltrate
External URLs: 3 findings
Medium | External URL | https://docs.openclaw.ai/performance | SKILL.md:503
Medium | External URL | https://docs.openclaw.ai/context-management | SKILL.md:504
Medium | External URL | https://docs.openclaw.ai/skill-optimization | SKILL.md:505

Directory structure

3 files · 27.9 KB · 1122 lines
Markdown: 2 files, 603 lines · JavaScript: 1 file, 519 lines
├─ 📁 src
│ └─ 📜 index.js JavaScript 519L · 15.5 KB
├─ 📝 README.md Markdown 91L · 1.9 KB
└─ 📝 SKILL.md Markdown 512L · 10.5 KB

Security highlights

✓ No network requests or data exfiltration detected
✓ No obfuscation (no base64, eval, or anti-analysis patterns)
✓ No credential harvesting or value extraction from .env files
✓ Shell commands limited to declared safe tools (find, grep, wc, du, ps, pgrep, df)
✓ Code is readable and auditable (519 lines, no obfuscation)
✓ No remote script execution (curl|bash, wget|sh)
✓ No supply chain risks detected (no package.json, no external dependencies beyond Node.js built-ins)