Suspicious — Risk score 52/100
Last scanned: 1 day ago
file-transfer-thru-local-workspace
Local file upload/download service with skill browser for OpenClaw
Skill provides legitimate file transfer functionality but exhibits undisclosed credential harvesting behavior and hardcoded path vulnerability that exposes sensitive configuration data.
Skill name: file-transfer-thru-local-workspace
Analysis time: 47.1s
Engine: pi
Use with caution
Review and sanitize the credential extraction logic. Remove hardcoded paths. Document why openclaw.json is accessed and clarify skill download security implications.

Security findings: 4

Severity | Finding | Location
High
Undeclared credential file access (Credential theft)
Both install.sh and upload-server.js read ~/.openclaw/openclaw.json to extract authentication tokens. This credential harvesting is not declared in SKILL.md or documented as a capability.
GATEWAY_TOKEN=$(grep -o '"token": *"[^"]*"' "${CONFIG_FILE}" ...)
→ Document why openclaw.json is accessed. Consider using a service account instead of gateway credentials.
install.sh:44
High
Hardcoded user path creates information disclosure (Sensitive access)
upload-server.js has a hardcoded fallback path '/home/admin/.openclaw/' that is used when the HOME environment variable is not set. This can cause the skill to read the wrong user's configuration file if HOME is unset or different.
const configPath = path.join(process.env.HOME || '/home/admin', '.openclaw/openclaw.json');
→ Remove hardcoded path. Only use process.env.HOME and fail gracefully if not set.
src/upload-server.js:31
Medium
Skill download exposes other skills' secrets (Privilege escalation)
The skill can enumerate and package all installed skill packages. Many skills contain API keys or credentials in their configs. Downloading all skills provides a credential aggregation attack vector.
const zip = spawn('zip', ['-r', zipPath, skillName, '-x', '*/node_modules/*'], ...)
→ Implement permission checks for skill download. Warn users about credential exposure in skill packages.
src/upload-server.js:200
Medium
Permissions mismatch between declared and actual (Documentation deception)
package.json declares 'filesystem: [write:workspace, read:skills]' but the skill actually reads openclaw.json (credential file) which is outside declared scope.
"filesystem": ["write:workspace", "read:skills"]
→ Update permissions to include 'read:config' or 'read:credentials' if accessing openclaw.json is intentional.
package.json:26
Resource type | Declared permission | Inferred permission | Status | Evidence
Filesystem | WRITE (workspace only) | READ + WRITE | ✗ Exceeds declared | install.sh:44-45 reads openclaw.json, upload-server.js:31 has hardcoded /home/ad…
Command execution | NONE | WRITE | ✗ Exceeds declared | upload-server.js:200 uses spawn('zip') for skill packaging
Network access | listen only | WRITE | ✗ Exceeds declared | Server binds to 0.0.0.0:15170 serving files to any client
Environment variables | NONE | READ | ✗ Exceeds declared | install.sh extracts HOME, reads openclaw.json, passes GATEWAY_AUTH_VALUE
1 finding
Medium External URL
http://127.0.0.1:15170/
SKILL.md:228

Directory structure

7 files · 62.1 KB · 1904 lines
HTML 1f · 688L JavaScript 1f · 511L Markdown 1f · 389L Shell 2f · 183L JSON 2f · 133L
├─ 📁 src
│ ├─ 📜 upload-server.js JavaScript 511L · 19.7 KB
│ └─ 📄 upload.html HTML 688L · 22.4 KB
├─ 📋 clawhub.json JSON 95L · 2.4 KB
├─ 🔧 install.sh Shell 138L · 5.1 KB
├─ 📋 package.json JSON 38L · 885 B
├─ 📝 SKILL.md Markdown 389L · 9.4 KB
└─ 🔧 uninstall.sh Shell 45L · 2.2 KB

Security highlights

✓ Token authentication protects the upload/download endpoints
✓ Path traversal protection using path.basename()
✓ Independent uploads/ directory isolates user files
✓ Systemd service creation provides proper Linux integration
✓ CORS headers configured for browser security