Low risk: risk score 15/100
Last scan: 1 day ago
Bobiverse Replicate
Purposeful Bobiverse-style replication for OpenClaw agents. Creates new peer-level agents only on explicit operator command with dry-run preview and nonce-backed confirmation.
A well-hardened replication runner with extensive safety controls; the only concern is that SKILL.md references subprocess/shell:WRITE execution without explicitly declaring it in the metadata header.
Skill name: Bobiverse Replicate
Analysis time: 35.1s
Engine: pi
Verdict: OK to install
Recommendation: Add 'shell:WRITE' to the allowed-tools mapping in SKILL.md frontmatter and document the subprocess call to `openclaw agents add` explicitly in the Safety and Permissions section to close the minor doc-to-code gap.

Security findings: 1

Severity: Low
Finding: Subprocess/shell execution not explicitly declared in SKILL.md (category: documentation deception)
Description: SKILL.md's Safety and Permissions section says 'local OpenClaw CLI calls' and 'no network requests' but does not explicitly state that replicate_safe.py invokes subprocess.run to execute `openclaw agents add`. The SKILL.md frontmatter declares no allowed tools, creating an undocumented shell:WRITE dependency. The capability model maps Bash→shell:WRITE, which this script triggers via subprocess.
Evidence: subprocess.run(['openclaw', 'agents', 'add', plan.agent_id, '--workspace', str(plan.clone_workspace)], check=True, shell=False)
Recommendation: Add 'shell:WRITE' to the skill's allowed-tools declaration in SKILL.md frontmatter and document the subprocess call explicitly in Safety and Permissions.
Location: scripts/replicate_safe.py:366
Resource type | Declared permission | Inferred permission | Status | Evidence
File system | NONE | WRITE | ✓ consistent | replicate_safe.py:366 — shutil.copytree + shutil.move writes clone to ~/.opencla…
Command execution | NONE | WRITE | ✓ consistent | replicate_safe.py:366 — subprocess.run(['openclaw','agents','add',...],shell=Fal…
Network access | NONE | NONE | | No network calls in any script; clawhub.json confirms network: false
Environment variables | NONE | NONE | | No os.environ access in any script
Credentials | NONE | NONE | | No sensitive path or credential access
1 finding
Severity: Medium
Category: External URL
Finding: External URL
URL: https://openclaw.ai
Location: README.md:9

Directory structure

16 files · 94.5 KB · 2317 lines
Markdown: 13 files, 1344 lines · Python: 2 files, 951 lines · JSON: 1 file, 22 lines
├─ 📁 docs
│ └─ 📝 bobiverse-primer.md Markdown 102L · 3.9 KB
├─ 📁 personality
│ ├─ 📝 AGENTS.md Markdown 76L · 2.9 KB
│ ├─ 📝 IDENTITY.md Markdown 15L · 384 B
│ ├─ 📝 MEMORY.md Markdown 52L · 2.6 KB
│ ├─ 📝 SOUL.md Markdown 72L · 5.0 KB
│ └─ 📝 USER.md Markdown 22L · 851 B
├─ 📁 scripts
│ ├─ 🐍 replicate_safe.py Python 429L · 15.0 KB
│ └─ 🐍 test_replicate_safe.py Python 522L · 20.4 KB
├─ 📝 ARCHITECTURE.md Markdown 199L · 8.1 KB
├─ 📋 clawhub.json JSON 22L · 1.5 KB
├─ 📝 CONTRIBUTING.md Markdown 124L · 4.7 KB
├─ 📝 LINEAGE.md Markdown 26L · 924 B
├─ 📝 README.md Markdown 249L · 8.7 KB
├─ 📝 SECURITY.md Markdown 58L · 2.4 KB
├─ 📝 SERIAL-NUMBER-SPEC.md Markdown 48L · 2.5 KB
└─ 📝 SKILL.md Markdown 301L · 14.7 KB

Security highlights

✓ subprocess.run uses shell=False with argument-list execution — no shell interpolation risk
✓ Strict input validation with regex allowlists for clone_id and agent_id (SERIAL_RE, AGENT_RE)
✓ Path boundary enforcement restricts all filesystem operations to ~/.openclaw/ tree via ensure_within_openclaw()
✓ Symlink rejection via ensure_no_symlinks() prevents traversal attacks
✓ Nonce-backed two-phase execution (dry-run → confirm token → execute) prevents accidental or unauthorized replication
✓ 15-minute TTL on pending approvals prevents replay attacks
✓ 24-hour cooldown between execute runs prevents rapid replication abuse
✓ Transaction-like staging (.replication-staging-* → move) with rollback on failure
✓ Comprehensive audit logging for all dry-run and execute events
✓ Workspace count check (≥10) warns operator before proceeding
✓ Full test coverage (522 lines of unit tests covering all security boundaries)
✓ No network requests, no credential access, no environment variable enumeration
✓ No obfuscation, no base64, no eval patterns
✓ SKILL.md clearly states explicit-trigger requirement, purpose requirement, and operator approval gates — matching actual behavior