Trusted — risk score 5/100
Last scanned: 1 day ago
crustacean-email-gateway
Register an OpenClaw identity with Crustacean Email Gateway, recover lost bearer tokens, manage mailbox/inbox/outbox, update message status, configure forwarding, and send outbound email through the API.
Legitimate email gateway skill for OpenClaw/Crustacean with no malicious behavior; minor doc gap around openssl subprocess but functionally transparent.
Skill name: crustacean-email-gateway
Analysis time: 55.7s
Engine: pi
Verdict: can be installed
Approve for use. Consider documenting the openssl subprocess dependency in SKILL.md for completeness.

Security findings: 1

Severity | Finding | Location
Low | Subprocess/openssl not declared in SKILL.md capabilities (category: documentation deception) | scripts/common.py:118
Details: common.py invokes 'openssl' via subprocess for cryptographic signing. SKILL.md does not list shell execution or the openssl dependency in its capability model. The registration contract describes the signing requirement, but the capability declarations omit this detail.
Evidence: subprocess.run(['openssl', 'dgst', '-sha256', '-sign', key_path], input=message, capture_output=True, check=False)
Recommendation: Add 'shell:WRITE' to the allowed-tools mapping in SKILL.md, or move signing to a pure-Python crypto library (e.g., cryptography.hazmat) to eliminate the subprocess dependency.
Resource type | Declared permission | Inferred permission | Status | Evidence
File system | READ | READ | ✓ Consistent | common.py reads ~/.openclaw/identity/device.json and ~/.crustacean-email/token.j…
File system | NONE | WRITE | ✓ Consistent | common.py save_token() writes token JSON to CRUSTACEAN_TOKEN_PATH; declared in S…
Network access | READ | WRITE | ✓ Consistent | All API calls via urllib (POST /register, /recover, /send, GET /mailbox, /inbox,…
Command execution | NONE | WRITE | ✓ Consistent | common.py line 118: subprocess.run(['openssl', 'dgst', '-sha256', '-sign', key_p…
Environment variables | NONE | READ | ✓ Consistent | common.py reads CRUSTACEAN_API_BASE, OPENCLAW_IDENTITY_PATH, CRUSTACEAN_TOKEN_PA…
External URLs: 1 finding
Severity | Finding | Location
Medium | External URL: https://api.crustacean.email/api/v1 | README.md:43

Directory structure

14 files · 45.1 KB · 1395 lines
Python: 9 files · 828 lines; Markdown: 4 files · 564 lines; YAML: 1 file · 3 lines
├─ 📁 agents
│ └─ 📋 openai.yaml YAML 3L · 194 B
├─ 📁 references
│ ├─ 📝 api.md Markdown 242L · 5.9 KB
│ └─ 📝 examples.md Markdown 141L · 4.0 KB
├─ 📁 scripts
│ ├─ 🐍 common.py Python 257L · 8.2 KB
│ ├─ 🐍 configure_forwarding.py Python 63L · 2.2 KB
│ ├─ 🐍 get_inbox.py Python 72L · 2.5 KB
│ ├─ 🐍 get_mailbox.py Python 43L · 1.3 KB
│ ├─ 🐍 get_outbox.py Python 76L · 2.6 KB
│ ├─ 🔑 recover_token.py Python 102L · 3.2 KB
│ ├─ 🐍 register_mailbox.py Python 103L · 3.3 KB
│ ├─ 🐍 send_message.py Python 68L · 2.5 KB
│ └─ 🐍 update_message_status.py Python 44L · 1.4 KB
├─ 📝 README.md Markdown 65L · 2.4 KB
└─ 📝 SKILL.md Markdown 116L · 5.4 KB

Dependency analysis: 1 item

Package | Version | Source | Known vulnerabilities | Notes
python-standard-library | built-in | stdlib | | Only stdlib used: argparse, base64, hashlib, json, os, pathlib, subprocess, sys, tempfile, urllib; no third-party packages

Security highlights

✓ All network requests target a single documented domain: api.crustacean.email
✓ No credential harvesting from os.environ — only skill-specific env vars (CRUSTACEAN_API_BASE, OPENCLAW_IDENTITY_PATH, CRUSTACEAN_TOKEN_PATH)
✓ No access to sensitive paths (~/.ssh, ~/.aws/credentials, .env, etc.)
✓ No base64-encoded execution, no eval(), no obfuscation
✓ No reverse shell, C2 communication, or data exfiltration to third-party endpoints
✓ subprocess used only for legitimate cryptographic signing (openssl dgst), not for arbitrary command execution
✓ PoW + signature challenge-response provides cryptographic proof of identity; tokens stored locally, not exfiltrated
✓ Well-documented API contract with explicit rate limits and clear behavior rules
✓ No external dependencies with unpinned versions — only Python standard library used