中文 EN

Scan Report

Scan New Files

Low Risk — Risk Score 15/100
Last scan:1 day ago Rescan
15 /100
Bobiverse Replicate
Purposeful Bobiverse-style replication for OpenClaw agents. Creates new peer-level agents only on explicit operator command with dry-run preview and nonce-backed confirmation.
A well-hardened replication runner with extensive safety controls; the only concern is that SKILL.md references subprocess/shell:WRITE execution without explicitly declaring it in the metadata header.
Skill NameBobiverse Replicate
Duration35.1s
Enginepi
Safe to install
Add 'shell:WRITE' to the allowed-tools mapping in SKILL.md frontmatter and document the subprocess call to `openclaw agents add` explicitly in the Safety and Permissions section to close the minor doc-to-code gap.

Findings 1 items

Severity Finding Location
Low
Subprocess/shell execution not explicitly declared in SKILL.md Doc Mismatch
SKILL.md's Safety and Permissions section says 'local OpenClaw CLI calls' and 'no network requests' but does not explicitly state that replicate_safe.py invokes subprocess.run to execute `openclaw agents add`. The SKILL.md frontmatter declares no allowed tools, creating an undocumented shell:WRITE dependency. The capability model maps Bash→shell:WRITE, which this script triggers via subprocess.
subprocess.run(['openclaw', 'agents', 'add', plan.agent_id, '--workspace', str(plan.clone_workspace)], check=True, shell=False)
→ Add 'shell:WRITE' to the skill's allowed-tools declaration in SKILL.md frontmatter and document the subprocess call explicitly in Safety and Permissions.
 scripts/replicate_safe.py:366
ResourceDeclaredInferredStatusEvidence
Filesystem NONE WRITE ✓ Aligned replicate_safe.py:366 — shutil.copytree + shutil.move writes clone to ~/.opencla…
Shell NONE WRITE ✓ Aligned replicate_safe.py:366 — subprocess.run(['openclaw','agents','add',...],shell=Fal…
Network NONE NONE No network calls in any script; clawhub.json confirms network: false
Environment NONE NONE No os.environ access in any script
credential NONE NONE No sensitive path or credential access
1 findings
🔗
Medium External URL 外部 URL
https://openclaw.ai
README.md:9

File Tree

16 files · 94.5 KB · 2317 lines
Markdown 13f · 1344L Python 2f · 951L JSON 1f · 22L
├─ 📁 docs
│ └─ 📝 bobiverse-primer.md Markdown 102L · 3.9 KB
├─ 📁 personality
│ ├─ 📝 AGENTS.md Markdown 76L · 2.9 KB
│ ├─ 📝 IDENTITY.md Markdown 15L · 384 B
│ ├─ 📝 MEMORY.md Markdown 52L · 2.6 KB
│ ├─ 📝 SOUL.md Markdown 72L · 5.0 KB
│ └─ 📝 USER.md Markdown 22L · 851 B
├─ 📁 scripts
│ ├─ 🐍 replicate_safe.py Python 429L · 15.0 KB
│ └─ 🐍 test_replicate_safe.py Python 522L · 20.4 KB
├─ 📝 ARCHITECTURE.md Markdown 199L · 8.1 KB
├─ 📋 clawhub.json JSON 22L · 1.5 KB
├─ 📝 CONTRIBUTING.md Markdown 124L · 4.7 KB
├─ 📝 LINEAGE.md Markdown 26L · 924 B
├─ 📝 README.md Markdown 249L · 8.7 KB
├─ 📝 SECURITY.md Markdown 58L · 2.4 KB
├─ 📝 SERIAL-NUMBER-SPEC.md Markdown 48L · 2.5 KB
└─ 📝 SKILL.md Markdown 301L · 14.7 KB

Security Positives

✓ subprocess.run uses shell=False with argument-list execution — no shell interpolation risk
✓ Strict input validation with regex allowlists for clone_id and agent_id (SERIAL_RE, AGENT_RE)
✓ Path boundary enforcement restricts all filesystem operations to ~/.openclaw/ tree via ensure_within_openclaw()
✓ Symlink rejection via ensure_no_symlinks() prevents traversal attacks
✓ Nonce-backed two-phase execution (dry-run → confirm token → execute) prevents accidental or unauthorized replication
✓ 15-minute TTL on pending approvals prevents replay attacks
✓ 24-hour cooldown between execute runs prevents rapid replication abuse
✓ Transaction-like staging (.replication-staging-* → move) with rollback on failure
✓ Comprehensive audit logging for all dry-run and execute events
✓ Workspace count check (≥10) warns operator before proceeding
✓ Full test coverage (522 lines of unit tests covering all security boundaries)
✓ No network requests, no credential access, no environment variable enumeration
✓ No obfuscation, no base64, no eval patterns
✓ SKILL.md clearly states explicit-trigger requirement, purpose requirement, and operator approval gates — matching actual behavior