Suspicious — Risk Score 45/100
Last scan: 1 day ago
agentcop
OWASP LLM Top 10 security monitor for OpenClaw — taint-checks messages, detects violations, alerts on policy breaches
The AgentCop skill performs undeclared network communication to agentcop.live for badge API operations and auto-installs its own package via pip, undeclared and with only a loose version constraint.
Skill Name: agentcop
Duration: 65.9s
Engine: pi
Use with caution
1) Declare the agentcop.live badge API endpoint in SKILL.md.
2) Pin the agentcop package to a specific version (e.g., agentcop==0.4.2).
3) Consider removing the auto-install feature or documenting it prominently in SKILL.md.
4) Add filesystem:WRITE and network:WRITE to the allowed-tools declaration (and shell:WRITE if the pip auto-install is kept, since it spawns a subprocess).
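Recommendations 2 and 3 together describe what a safe auto-install looks like: an exact pin, an explicit operator opt-in instead of a silent install on first use, and a check that the install actually produced the pinned version. The block below is an added illustration of that shape, not code from the agentcop skill or from the scanner; the opt-in variable name AGENTCOP_AUTO_INSTALL is an assumption, and 0.4.2 is the pin the report suggests, assumed to be a real release.

```python
import importlib.metadata
import os
import subprocess
import sys

# What the report flags at skill.py:52: any 0.x release from 0.4 upward satisfies this
# specifier, and the skill installs it silently on first use without operator consent.
LOOSE_SPEC = "agentcop>=0.4,<1"

# The pin the report recommends (0.4.2 taken from the report; assumed to be a real release).
PINNED_SPEC = "agentcop==0.4.2"
OPT_IN_VAR = "AGENTCOP_AUTO_INSTALL"  # assumed name for the operator opt-in switch


def pip_install_argv(spec=PINNED_SPEC):
    """argv for a pinned install; passed as a list (no shell), so the spec is never re-parsed."""
    return [sys.executable, "-m", "pip", "install", "--quiet", spec]


def installed_version(dist="agentcop"):
    """Version of the installed distribution, or None when it is absent."""
    try:
        return importlib.metadata.version(dist)
    except importlib.metadata.PackageNotFoundError:
        return None


def needs_install(current, spec=PINNED_SPEC):
    """True unless the installed version is exactly the pinned one."""
    _, _, wanted = spec.partition("==")
    return current != wanted


def ensure_agentcop(run=subprocess.run, env=os.environ, lookup=installed_version):
    """Install only when the pin is unmet AND the operator opted in; otherwise fail loudly.

    `run`, `env` and `lookup` are injectable so the policy can be exercised without
    touching the real interpreter environment.
    """
    current = lookup()
    if not needs_install(current):
        return current
    if env.get(OPT_IN_VAR) != "1":
        raise RuntimeError(
            f"{PINNED_SPEC} required (found {current!r}); "
            f"set {OPT_IN_VAR}=1 to allow auto-install or run: pip install {PINNED_SPEC}"
        )
    run(pip_install_argv(), check=True)
    after = lookup()
    if needs_install(after):
        # A successful pip exit is not proof that the pinned version is what got imported.
        raise RuntimeError(f"auto-install did not yield {PINNED_SPEC} (found {after!r})")
    return after


if __name__ == "__main__":
    print(ensure_agentcop())
```

The contrast with the flagged line is the whole point: the original resolves LOOSE_SPEC against the index at whatever moment the skill first runs, while this version makes the install a deliberate, reproducible step and refuses to proceed on a version mismatch rather than importing whatever is present.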

Findings (4 items)

Severity | Finding (Category) | Location
Medium
Undeclared network communication to agentcop.live (Doc Mismatch)
Badge subcommands (generate, verify, renew, revoke, status, markdown) contact https://agentcop.live/badge API but this endpoint is not mentioned in SKILL.md. Users are not informed that badge operations involve external network requests.
_BADGE_API = os.environ.get("AGENTCOP_BADGE_API", "https://agentcop.live/badge")
→ Add explicit documentation in SKILL.md stating that badge commands require network access to agentcop.live
skill.py:756
Medium
Unpinned dependency with loose version constraint (Supply Chain)
The auto-install mechanism installs 'agentcop>=0.4,<1', which resolves to whichever 0.x release (0.4 or later) is newest on the index at install time, so a future compromised or malicious 0.x release would be pulled in automatically on first run.
subprocess.run([sys.executable, "-m", "pip", "install", "--quiet", "agentcop>=0.4,<1"])
→ Pin to a specific version: agentcop==0.4.2
skill.py:52
Low
Auto-install mechanism not documented in SKILL.md (Doc Mismatch)
README.md mentions auto-install via pip, but SKILL.md (the primary skill documentation) does not mention this behavior, creating a documentation gap for users reviewing the skill.
Auto-install mechanism not mentioned in SKILL.md
→ Document the pip auto-install behavior in SKILL.md or remove it entirely
SKILL.md:1
Low
Implicit filesystem write access not declared (Priv Escalation)
The skill writes state files to ~/.openclaw/agentcop/ (events.jsonl, sessions, identity.db) but does not declare filesystem:WRITE capability.
_STATE_DIR = Path(os.environ.get("AGENTCOP_STATE_DIR", Path.home() / ".openclaw" / "agentcop"))
→ Declare filesystem:WRITE in skill metadata
skill.py:57
Resource    | Declared | Inferred | Status      | Evidence
Filesystem  | NONE     | WRITE    | ✗ Violation | skill.py:57-66 writes to _STATE_DIR
Network     | NONE     | WRITE    | ✗ Violation | skill.py:756-773 POSTs to agentcop.live/badge API
Shell       | NONE     | WRITE    | ✗ Violation | skill.py:50-54 pip install via subprocess
Environment | NONE     | READ     | ✗ Violation | skill.py:60 reads OPENCLAW_AGENT_ID, AGENTCOP_BADGE_API, AGENTCOP_STATE_DIR
External URLs (2 findings)
Medium | External URL | https://agentcop.live       | README.md:78
Medium | External URL | https://agentcop.live/badge | skill.py:754

File Tree

4 files · 37.8 KB · 1125 lines
Python 1f · 899L Markdown 2f · 203L JSON 1f · 23L
├─ 📋 package.json JSON 23L · 674 B
├─ 📝 README.md Markdown 85L · 2.5 KB
├─ 📝 SKILL.md Markdown 118L · 5.6 KB
└─ 🐍 skill.py Python 899L · 29.1 KB

Dependencies (1 item)

Package  | Version  | Source | Known Vulns | Notes
agentcop | >=0.4,<1 | pip    | No          | Loose constraint resolves to the newest 0.x release (0.4 or later) at install time; supply chain risk

Security Positives

✓ Credential detection patterns are used only for security scanning (LLM06), not exfiltration
✓ Base64 decoding includes safety checks (minimum 8 printable chars)
✓ README.md documents auto-install behavior
✓ SKILL.md provides comprehensive documentation of OWASP LLM Top 10 detection capabilities
✓ No evidence of actual credential theft or data exfiltration beyond declared security scanning
✓ Package.json includes proper metadata, authors, and license information
✓ Exit codes are properly documented