中文 EN

扫描报告

扫描新文件

低风险 — 风险评分 15/100
上次扫描:1 天前 重新扫描
15 /100
agent-link
智能体互联技能 - 支持不同电脑上的 OpenClaw 实例和 Agent 通过中转服务器进行安全可靠的通讯
A legitimate cross-device agent relay system with no malicious code present; the relay_server.py implements straightforward WebSocket message forwarding with HMAC-SHA256 signing, but documentation references missing files (local-agent component) creating doc-to-implementation gaps.
技能名称agent-link
分析耗时32.1s
引擎pi
可以安装
Create the missing scripts/local-agent/ directory with agent_link.py and docs/install-agent.md to match the documented architecture, or update docs to accurately reflect the shipped files.

安全发现 3 项

严重性 安全发现 位置
低危
Documented local-agent component is missing 文档欺骗
SKILL.md and README.md both reference scripts/local-agent/agent_link.py and docs/install-agent.md as part of the skill's shipped files, but these files do not exist in the package. Users following the installation guide will encounter missing files.
cd skills/agent-link/scripts/local-agent
→ Either create the missing local-agent implementation files or remove references to them from documentation.
 SKILL.md:72
低危
install-agent.md referenced but not present 文档欺骗
README.md references docs/install-agent.md as a link in the file structure, but this file does not exist in the docs/ directory.
└── install-agent.md                # 本地 Agent 安装说明
→ Create docs/install-agent.md or remove this reference from README.md.
 README.md:60
提示
websockets dependency not pinned in code 供应链
relay_server.py imports websockets but relies on pip install websockets without version pinning. The dependency is not listed in a requirements.txt or pyproject.toml file.
import websockets
→ Add a requirements.txt with websockets pinned to a specific version (e.g., websockets>=10.0).
 scripts/relay-server/relay_server.py:8
资源类型声明权限推断权限状态证据
网络访问 READ READ ✓ 一致 relay_server.py:157 — websockets.serve on 0.0.0.0:port for inbound relay connect…
文件系统 READ READ ✓ 一致 relay_server.py:193 — reads JSON config file via --config argument
命令执行 NONE NONE No subprocess, os.system, or shell execution found in relay_server.py
环境变量 NONE NONE No os.environ iteration or environment variable access in the codebase
技能调用 NONE NONE No skill invocation or inter-agent call mechanisms present

目录结构

6 文件 · 21.5 KB · 910 行
Markdown 3f · 634L Python 1f · 249L JSON 2f · 27L
├─ 📁 docs
│ └─ 📝 install-relay.md Markdown 185L · 3.3 KB
├─ 📁 scripts
│ └─ 📁 relay-server
│ ├─ 🐍 relay_server.py Python 249L · 7.8 KB
│ └─ 📋 relay-config.example.json JSON 18L · 426 B
├─ 📋 _meta.json JSON 9L · 348 B
├─ 📝 README.md Markdown 219L · 4.9 KB
└─ 📝 SKILL.md Markdown 230L · 4.8 KB

依赖分析 1 项

包名版本来源已知漏洞备注
websockets * pip Not pinned in requirements file; imported dynamically at runtime

安全亮点

✓ No base64-encoded execution, eval(), or obfuscation techniques found
✓ No credential harvesting or environment variable enumeration detected
✓ No network exfiltration or C2 communication patterns present
✓ No curl|bash or wget|sh remote script execution patterns
✓ No access to sensitive paths such as ~/.ssh, ~/.aws, or .env files
✓ No persistence mechanisms (cron, startup hooks, systemd units) in code
✓ HMAC-SHA256 signature verification is implemented correctly
✓ Message history deduplication prevents replay attacks
✓ Clean, readable Python implementation with no suspicious code paths
✓ No hardcoded external IPs or suspicious network destinations