Suspicious. Risk score: 45/100
Last scan: 1 day ago
agentcop
OWASP LLM Top 10 security monitor for OpenClaw — taint-checks messages, detects violations, alerts on policy breaches
AgentCop skill performs undeclared network communication to agentcop.live for badge API operations and uses an undeclared auto-install mechanism with loose version pinning.
Skill name: agentcop
Analysis time: 65.9s
Engine: pi
Use with caution
Recommendations:
1) Declare the agentcop.live badge API endpoint in SKILL.md.
2) Pin the agentcop package to a specific version (e.g., agentcop==0.4.2).
3) Consider removing the auto-install feature or documenting it prominently in SKILL.md.
4) Add filesystem:WRITE and network:WRITE to the allowed-tools declaration.

Security findings (4)

Severity | Finding | Category | Location

Medium | Undeclared network communication to agentcop.live | Documentation deception | skill.py:756
Badge subcommands (generate, verify, renew, revoke, status, markdown) contact the https://agentcop.live/badge API, but this endpoint is not mentioned in SKILL.md. Users are not informed that badge operations involve external network requests.
Evidence: _BADGE_API = os.environ.get("AGENTCOP_BADGE_API", "https://agentcop.live/badge")
→ Add explicit documentation in SKILL.md stating that badge commands require network access to agentcop.live

Medium | Unpinned dependency with loose version constraint | Supply chain | skill.py:52
The auto-install mechanism installs 'agentcop>=0.4,<1', which allows any 0.x version, including potentially compromised future releases.
Evidence: subprocess.run([sys.executable, "-m", "pip", "install", "--quiet", "agentcop>=0.4,<1"])
→ Pin to a specific version: agentcop==0.4.2

Low | Auto-install mechanism not documented in SKILL.md | Documentation deception | SKILL.md:1
README.md mentions auto-install via pip, but SKILL.md (the primary skill documentation) does not mention this behavior, creating a documentation gap for users reviewing the skill.
Evidence: auto-install mechanism not mentioned in SKILL.md
→ Document the pip auto-install behavior in SKILL.md or remove it entirely

Low | Implicit filesystem write access not declared | Privilege escalation | skill.py:57
The skill writes state files to ~/.openclaw/agentcop/ (events.jsonl, sessions, identity.db) but does not declare the filesystem:WRITE capability.
Evidence: _STATE_DIR = Path(os.environ.get("AGENTCOP_STATE_DIR", Path.home() / ".openclaw" / "agentcop"))
→ Declare filesystem:WRITE in skill metadata
Resource type | Declared permission | Inferred permission | Status | Evidence
Filesystem | NONE | WRITE | ✗ Exceeds declaration | skill.py:57-66 writes to _STATE_DIR
Network access | NONE | WRITE | ✗ Exceeds declaration | skill.py:756-773 POSTs to the agentcop.live/badge API
Command execution | NONE | WRITE | ✗ Exceeds declaration | skill.py:50-54 runs pip install via subprocess
Environment variables | NONE | READ | ✗ Exceeds declaration | skill.py:60 reads OPENCLAW_AGENT_ID, AGENTCOP_BADGE_API, AGENTCOP_STATE_DIR
External URLs: 2 findings

Severity | Type | URL | Location
Medium | External URL | https://agentcop.live | README.md:78
Medium | External URL | https://agentcop.live/badge | skill.py:754

Directory structure

4 files · 37.8 KB · 1125 lines
Python: 1 file, 899 lines · Markdown: 2 files, 203 lines · JSON: 1 file, 23 lines
├─ 📋 package.json JSON 23L · 674 B
├─ 📝 README.md Markdown 85L · 2.5 KB
├─ 📝 SKILL.md Markdown 118L · 5.6 KB
└─ 🐍 skill.py Python 899L · 29.1 KB

Dependency analysis (1)

Package | Version | Source | Known vulnerabilities | Notes
agentcop | >=0.4,<1 | pip | - | Loose version constraint allows any 0.x version; supply chain risk

Security highlights

✓ Credential detection patterns are used only for security scanning (LLM06), not exfiltration
✓ Base64 decoding includes safety checks (minimum 8 printable chars)
✓ README.md documents auto-install behavior
✓ SKILL.md provides comprehensive documentation of OWASP LLM Top 10 detection capabilities
✓ No evidence of actual credential theft or data exfiltration beyond declared security scanning
✓ Package.json includes proper metadata, authors, and license information
✓ Exit codes are properly documented