中文 EN

Scan Report

Scan New Files

Suspicious — Risk Score 52/100
Last scan:1 day ago Rescan
52 /100
file-transfer-thru-local-workspace
Local file upload/download service with skill browser for OpenClaw
Skill provides legitimate file transfer functionality but exhibits undisclosed credential harvesting behavior and hardcoded path vulnerability that exposes sensitive configuration data.
Skill Namefile-transfer-thru-local-workspace
Duration47.1s
Enginepi
Use with caution
Review and sanitize the credential extraction logic. Remove hardcoded paths. Document why openclaw.json is accessed and clarify skill download security implications.

Findings 4 items

Severity Finding Location
High
Undeclared credential file access Credential Theft
Both install.sh and upload-server.js read ~/.openclaw/openclaw.json to extract authentication tokens. This credential harvesting is not declared in SKILL.md or documented as a capability.
GATEWAY_TOKEN=$(grep -o '"token": *"[^"]*"' "${CONFIG_FILE}" ...)
→ Document why openclaw.json is accessed. Consider using a service account instead of gateway credentials.
 install.sh:44
High
Hardcoded user path creates information disclosure Sensitive Access
upload-server.js has a hardcoded path '/home/admin/.openclaw/' that bypasses the HOME environment variable. This can cause the skill to read the wrong user's configuration file if HOME is unset or different.
const configPath = path.join(process.env.HOME || '/home/admin', '.openclaw/openclaw.json');
→ Remove hardcoded path. Only use process.env.HOME and fail gracefully if not set.
 src/upload-server.js:31
Medium
Skill download exposes other skills' secrets Priv Escalation
The skill can enumerate and package all installed skill packages. Many skills contain API keys or credentials in their configs. Downloading all skills provides a credential aggregation attack vector.
const zip = spawn('zip', ['-r', zipPath, skillName, '-x', '*/node_modules/*'], ...)
→ Implement permission checks for skill download. Warn users about credential exposure in skill packages.
 src/upload-server.js:200
Medium
Permissions mismatch between declared and actual Doc Mismatch
package.json declares 'filesystem: [write:workspace, read:skills]' but the skill actually reads openclaw.json (credential file) which is outside declared scope.
"filesystem": ["write:workspace", "read:skills"]
→ Update permissions to include 'read:config' or 'read:credentials' if accessing openclaw.json is intentional.
 package.json:26
ResourceDeclaredInferredStatusEvidence
Filesystem WRITE (workspace only) READ + WRITE ✗ Violation install.sh:44-45 reads openclaw.json, upload-server.js:31 has hardcoded /home/ad…
Shell NONE WRITE ✗ Violation upload-server.js:200 uses spawn('zip') for skill packaging
Network listen only WRITE ✗ Violation Server binds to 0.0.0.0:15170 serving files to any client
Environment NONE READ ✗ Violation install.sh extracts HOME, reads openclaw.json, passes GATEWAY_AUTH_VALUE
1 findings
🔗
Medium External URL 外部 URL
http://127.0.0.1:15170/
SKILL.md:228

File Tree

7 files · 62.1 KB · 1904 lines
HTML 1f · 688L JavaScript 1f · 511L Markdown 1f · 389L Shell 2f · 183L JSON 2f · 133L
├─ 📁 src
│ ├─ 📜 upload-server.js JavaScript 511L · 19.7 KB
│ └─ 📄 upload.html HTML 688L · 22.4 KB
├─ 📋 clawhub.json JSON 95L · 2.4 KB
├─ 🔧 install.sh Shell 138L · 5.1 KB
├─ 📋 package.json JSON 38L · 885 B
├─ 📝 SKILL.md Markdown 389L · 9.4 KB
└─ 🔧 uninstall.sh Shell 45L · 2.2 KB

Security Positives

✓ Token authentication protects the upload/download endpoints
✓ Path traversal protection using path.basename()
✓ Independent uploads/ directory isolates user files
✓ Systemd service creation provides proper Linux integration
✓ CORS headers configured for browser security