per-agent-compression-universal 安全扫描报告 — 低风险 | ClawSafe

15 /100

per-agent-compression-universal

Zero-config memory consolidation for multi-agent OpenClaw deployments. Auto-discovers agents and registers staggered cron tasks with full state tracking, deduplication, and domain-aware extraction.

Legitimate OpenClaw memory consolidation skill with minor documentation inconsistencies but no malicious behavior or hidden functionality.

技能名称per-agent-compression-universal

分析耗时77.7s

引擎pi

✓

可以安装

Approve for use. No malicious behavior detected. Address minor version mismatch between SKILL.md and README.md headers before production release.

安全发现 4 项

严重性	安全发现	位置
低危	Version header mismatch 文档欺骗 SKILL.md frontmatter declares version '1.4.0' but the README.md Chinese section header at line 1 states '版本: 1.2.2'. This is a documentation inconsistency with no security impact. `版本: 1.2.2` → Synchronize all version headers across SKILL.md, README.md, skill.json, and CHANGELOG.md before release.	`README.md:1`
低危	Incomplete capability declarations in SKILL.md frontmatter 文档欺骗 The capability list in SKILL.md frontmatter only includes generic categories (memory-consolidation, workspace-isolation) and does not mention shell execution, DingTalk delivery, or interactive prompts. While these are documented in body text, the frontmatter declaration is incomplete. `capabilities: [memory-consolidation, workspace-isolation, agent-auto-discovery, state-persistence, deduplication]` → Add explicit capability declarations for 'shell-execution', 'notification-delivery', and 'interactive-prompt' to the frontmatter capabilities list for full transparency.	`SKILL.md:1`
低危	No dependency pinning for binaries 供应链 The skill uses shell scripts with no version pins for external binaries (jq, git, curl). While skill.json declares openclaw and jq as binary dependencies, it does not specify minimum or exact versions. No pip/npm/Cargo dependencies are present. `"binaries": ["openclaw", "jq"]` → Add version constraints to skill.json, e.g., 'jq': '>=1.6', and note OpenClaw minimum version already declared as '>=2026.3.8'.	`skill.json:1`
提示	Interactive prompt security note 文档欺骗 install.sh prompts for DELIVERY_TO interactively if not provided as a CLI arg. The recipient ID (DingTalk user/bot) is read from stdin and embedded in cron task messages. This is expected behavior for a legitimate notification skill, not a credential theft risk. `read -p "Enter recipient ID (--to): " input_to` → Document clearly that DELIVERY_TO is a notification target ID, not a secret. Consider adding a confirmation prompt to reassure users.	`install.sh:33`

资源类型	声明权限	推断权限	状态	证据
命令执行	`WRITE`	`WRITE`	✓ 一致	install.sh:line 45 — 'openclaw cron add' with subprocess shell
文件系统	`NONE`	`WRITE`	✓ 一致	install.sh copies to /root/.openclaw/skills/; skill.json workspace file writes a…
网络访问	`NONE`	`READ`	✓ 一致	scripts/release.sh:176 fetches https://clawhub.com; SKILL.md:line 1 frontmatter …
技能调用	`NONE`	`WRITE`	✓ 一致	install.sh:line 93 — 'openclaw cron add --agent $agent_id' creates autonomous cr…

1 项发现

🔗

中危外部 URL 外部 URL

https://clawhub.com

scripts/release.sh:176

目录结构

11 文件 · 95.3 KB · 2331 行

Markdown 5f · 1590L Shell 5f · 714L JSON 1f · 27L

├─ ▾ 📁 scripts

│ ├─ 🔧 release.sh Shell 334L · 11.1 KB

│ └─ 🔧 validate-bilingual.sh Shell 84L · 2.3 KB

├─ 📝 CHANGELOG.md Markdown 476L · 25.0 KB

├─ 🔧 install.sh Shell 195L · 11.2 KB

├─ 🔧 publish-github-release.sh Shell 77L · 2.7 KB

├─ 📝 README.md Markdown 676L · 26.5 KB

├─ 📝 SKILL_RELEASE_SOP.md Markdown 278L · 9.2 KB

├─ 📋 skill.json JSON 27L · 1.0 KB

├─ 📝 skill.md Markdown 58L · 2.6 KB

├─ 📝 SKILL.md Markdown 102L · 3.0 KB

└─ 🔧 uninstall.sh Shell 24L · 681 B

依赖分析 3 项

包名	版本	来源	已知漏洞	备注
`openclaw`	`>=2026.3.8`	system binary	否	Declared in skill.json; version constraint provided
`jq`	`*`	system binary	否	Declared in skill.json but no version constraint
`git`	`*`	system binary	否	Used in scripts/release.sh; not declared in skill.json

安全亮点

✓ No obfuscation detected — no base64, no eval(), no atob(), no obfuscated strings anywhere

✓ No hardcoded credentials, tokens, or API keys in any file

✓ No remote code execution via curl|bash or wget|sh patterns

✓ No access to sensitive paths like ~/.ssh, ~/.aws, or .env files

✓ No reverse shell, C2 communication, or data exfiltration patterns

✓ Security scan in release.sh checks for hardcoded credentials, long numeric IDs, and config leakage

✓ DingTalk recipient ID is a CLI parameter (--to), not hardcoded — legitimate design

✓ CRITICAL PRIVACY REMEDIATION release (v1.3.2) explicitly addressed prior CHANGELOG sensitive reference leakage

✓ All shell operations are documented OpenClaw CLI tools (openclaw agents list, openclaw cron add/edit/delete, git, jq)

✓ Per-agent execution isolation confirmed — each cron task runs under its respective agent with minimal blast radius

✓ No suspicious external IPs or domains besides known clawhub.com (for publishing)