agent-kanban 安全扫描报告 — 低风险 | ClawSafe

20 /100

agent-kanban

OpenClaw Agent Dashboard - Bloomberg Terminal-style web interface for real-time monitoring of all Agent status, session history, and session file sizes.

Skill implements a legitimate local agent dashboard but contains a hardcoded Gateway token in config.js and misleading documentation claiming auto-token loading.

技能名称agent-kanban

分析耗时40.1s

引擎pi

✓

可以安装

Remove the hardcoded token from config.js, ensure it defaults to empty string, and fix SKILL.md to accurately reflect that config.local.js must be manually configured.

安全发现 4 项

严重性	安全发现	位置
中危	Hardcoded Gateway token in config.js A Gateway authentication token is hardcoded in assets/agent-kanban/config.js line 24. This credential should not be committed to source control. If this config file is distributed as part of the skill package, the token will be exposed to all recipients. `token: 'c80aa67f773b3045792ba7afbf2e22fc09cb7b37c63019e3'` → Set token to empty string '' as default, and document clearly that users must fill in their own token via config.local.js.	`assets/agent-kanban/config.js:24`
低危	SKILL.md misleading claim about auto-token loading SKILL.md states 'Gateway Token is auto-loaded from ~/.openclaw/openclaw.json — no manual configuration required!' This is misleading. While the code does read openclaw.json for heartbeat config, the Gateway token in config.gateway.token must still be manually configured or overridden via config.local.js. Gateway Token is auto-loaded from `~/.openclaw/openclaw.json` - no manual configuration required! → Update SKILL.md to clarify that config.local.js must be created with a valid token, and that token auto-loading is for heartbeat config only.	`SKILL.md:37`
低危	config.local.js not gitignored config.local.js (the intended user override file) is not listed in a .gitignore, increasing the risk of accidentally committing user credentials. `# Edit config.local.js if needed` → Add .gitignore with 'config.local.js' to prevent credential leaks.	`references/README.md:66`
提示	CORS allows wildcard origin server.js sets Access-Control-Allow-Origin to '', which is overly permissive. However, since the server only binds to localhost and the Gateway API is also localhost-only, the practical risk is minimal. `res.header('Access-Control-Allow-Origin', '');` → Consider restricting CORS to 'http://localhost:3100' for defense in depth.	`assets/agent-kanban/server.js:48`

资源类型	声明权限	推断权限	状态	证据
文件系统	`NONE`	`READ`	✓ 一致	server.js reads openclaw.json and workspace-* directories for agent metadata and…
网络访问	`NONE`	`READ`	✓ 一致	server.js makes outbound POST requests to Gateway HTTP API at 127.0.0.1:18789 on…
命令执行	`NONE`	`NONE`	—	No child_process or shell invocation in server.js or index.html
环境变量	`NONE`	`READ`	✓ 一致	server.js reads HOME env var to resolve openclaw home directory

6 项发现

🔗

中危外部 URL 外部 URL

http://127.0.0.1:18789

SKILL.md:72

🔗

中危外部 URL 外部 URL

https://registry.npmmirror.com/react/18/files/umd/react.production.min.js

assets/agent-kanban/public/index.html:411

🔗

中危外部 URL 外部 URL

https://registry.npmmirror.com/react-dom/18/files/umd/react-dom.production.min.js

assets/agent-kanban/public/index.html:412

🔗

中危外部 URL 外部 URL

https://api.dicebear.com/7.x/pixel-art/svg?seed=$

assets/agent-kanban/public/index.html:434

🔗

中危外部 URL 外部 URL

https://img.shields.io/badge/style-Bloomberg%20Terminal-orange

references/README.md:5

🔗

中危外部 URL 外部 URL

http://127.0.0.1:18789/tools/invoke

references/README.md:139

目录结构

6 文件 · 56.5 KB · 1863 行

HTML 1f · 1098L Markdown 2f · 403L JavaScript 2f · 350L JSON 1f · 12L

├─ ▾ 📁 assets

│ └─ ▾ 📁 agent-kanban

│ ├─ ▾ 📁 public

│ │ └─ 📄 index.html HTML 1098L · 36.2 KB

│ ├─ 📜 config.js JavaScript 51L · 1.2 KB

│ ├─ 📋 package.json JSON 12L · 271 B

│ └─ 📜 server.js JavaScript 299L · 8.8 KB

├─ ▾ 📁 references

│ └─ 📝 README.md Markdown 198L · 4.3 KB

└─ 📝 SKILL.md Markdown 205L · 5.7 KB

依赖分析 1 项

包名	版本	来源	已知漏洞	备注
`express`	`^4.18.2`	npm	否	Express 4.x with no specific version pinning

安全亮点

✓ No shell execution or child_process usage anywhere in the codebase

✓ No base64 encoding, eval(), or dynamic code execution patterns detected

✓ No remote script download patterns (curl|bash, wget|sh) found

✓ No credential enumeration (no iteration over os.environ for sensitive keys)

✓ No access to ~/.ssh, ~/.aws, or other high-value sensitive paths

✓ No data exfiltration or external IP communication (all network traffic is local to 127.0.0.1)

✓ Frontend assets served locally; external CDN URLs are only for React libraries and avatar generation

✓ Express server binds to localhost by default, not exposed externally