Security Decision Report

file-transfer-thru-local-workspace

Skill provides legitimate file transfer functionality but exhibits undisclosed credential harvesting behavior and hardcoded path vulnerability that exposes sensitive configuration data.

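Install decision first · Source: manual upload · Scan time: 2026/4/4
Files 7
IOC 1
Out-of-scope items 4
Findings 4
Most direct threat evidence
High risk · Credential theft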
Undeclared credential file access

Both install.sh and upload-server.js read ~/.openclaw/openclaw.json to extract authentication tokens. This credential harvesting is not declared in SKILL.md or documented as a capability.

install.sh:44

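Why this conclusion was reached

2 of 4 dimensions triggered
Block
Declared vs. actual capabilities

Found 4 capabilities or out-of-scope behaviors beyond what is declared.

Review
Hidden execution and outbound connections

Extracted 1 general-risk artifact; it needs to be judged in context.

Block
Attack chain and high-risk findings

The report contains 0 attack-chain steps, plus 2 high-risk or critical findings.

Review
Dependency and supply-chain hygiene

No complete dependency information is available, so the supply-chain judgment needs to remain flexible.

How the risk score was raised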

Undeclared credential file access +20

install.sh and upload-server.js read ~/.openclaw/openclaw.json to extract tokens - this is not declared in SKILL.md or package.json permissions

Hardcoded path vulnerability +15

upload-server.js line 31: hardcodes '/home/admin/.openclaw/' path, bypassing HOME env and potentially reading wrong user's config

Process environment credential exposure +10

install.sh passes GATEWAY_AUTH_VALUE as env var to node process, visible in process listing (ps eww)

Skill enumeration/download without security warning +7

Can enumerate and download all installed skills, potentially exposing API keys stored in other skills' configs

Key evidence

High risk · Credential theft

Undeclared credential file access

Both install.sh and upload-server.js read ~/.openclaw/openclaw.json to extract authentication tokens. This credential harvesting is not declared in SKILL.md or documented as a capability.

install.sh:44
Document why openclaw.json is accessed. Consider using a service account instead of gateway credentials.
High risk · Sensitive access

Hardcoded user path creates information disclosure

upload-server.js has a hardcoded path '/home/admin/.openclaw/' that bypasses the HOME environment variable. This can cause the skill to read the wrong user's configuration file if HOME is unset or different.

src/upload-server.js:31
Remove hardcoded path. Only use process.env.HOME and fail gracefully if not set.
Medium risk · Privilege escalation

Skill download exposes other skills' secrets

The skill can enumerate and package all installed skill packages. Many skills contain API keys or credentials in their configs. Downloading all skills provides a credential aggregation attack vector.

src/upload-server.js:200
Implement permission checks for skill download. Warn users about credential exposure in skill packages.
Medium risk · Documentation deception

Permissions mismatch between declared and actual

package.json declares 'filesystem: [write:workspace, read:skills]' but the skill actually reads openclaw.json (credential file) which is outside declared scope.

package.json:26
Update permissions to include 'read:config' or 'read:credentials' if accessing openclaw.json is intentional.

Declared vs. actual capabilities

Filesystem · Block
Declared: WRITE (workspace only)
Inferred: READ + WRITE
install.sh:44-45 reads openclaw.json, upload-server.js:31 has hardcoded /home/admin path
Command execution · Block
Declared: NONE
Inferred: WRITE
upload-server.js:200 uses spawn('zip') for skill packaging
Network access · Block
Declared: listen only
Inferred: WRITE
Server binds to 0.0.0.0:15170 serving files to any client
Environment variables · Block
Declared: NONE
Inferred: READ
install.sh extracts HOME, reads openclaw.json, passes GATEWAY_AUTH_VALUE

Suspicious artifacts and outbound connections

Medium risk · External URL
http://127.0.0.1:15170/

SKILL.md:228

Dependencies and supply chain

No structured dependency alerts.

File composition

7 files · 1904 lines
HTML 1 file · 688 lines
JavaScript 1 file · 511 lines
Markdown 1 file · 389 lines
Shell 2 files · 183 lines
JSON 2 files · 133 lines
Files needing attention · 4
src/upload-server.js JavaScript · 511 lines
Hardcoded user path creates information disclosure · Skill download exposes other skills' secrets
SKILL.md Markdown · 389 lines
http://127.0.0.1:15170/
install.sh Shell · 138 lines
Undeclared credential file access
package.json JSON · 38 lines
Permissions mismatch between declared and actual
Other files · upload.html · clawhub.json · uninstall.sh

Security highlights

Token authentication protects the upload/download endpoints
Path traversal protection using path.basename()
Independent uploads/ directory isolates user files
Systemd service creation provides proper Linux integration
CORS headers configured for browser security