clawtraces 安全扫描报告 — 低风险 | ClawSafe

20 /100

clawtraces

Scan local OpenClaw session logs, convert to Anthropic trajectory format, and submit to collection server

A legitimate data collection tool for OpenClaw sessions with transparent declared behavior, HTTPS communications, and user confirmation workflows. Minor concerns around regex-only PII scrubbing and external data submission, but no malicious indicators found.

技能名称clawtraces

分析耗时61.8s

引擎pi

✓

可以安装

Approve for use with standard precautions. Ensure api.shixiann.com privacy policy is reviewed before submitting personal workspace files. Consider adding structured PII detection (e.g., presidio) instead of regex-only scrubbing.

安全发现 3 项

严重性	安全发现	位置
低危	User conversation data and workspace files uploaded to external server 数据外泄 The skill submits trajectory files (containing full conversation history, system prompts, tool usage) and workspace config files (SOUL.md, USER.md, memory/) to api.shixiann.com. While this is declared, users should verify the server's privacy posture. `url = f"{server_url}/upload"` → Ensure api.shixiann.com has a publicly reviewed privacy policy. Users should understand what data leaves their machine before using this skill.	`scripts/submit.py, scripts/workspace_bundle.py:55`
低危	Regex-only PII scrubber with limited pattern coverage 敏感访问 pii_scrubber.py uses hardcoded regex patterns for phone numbers, emails, ID cards, bank cards, IPs, and API keys. Non-standard formats or domain-specific secrets (e.g., internal tokens, database passwords) will not be caught. `("手机号", re.compile(r"\+86\s*1[3-9]\d{9}(?!\d)"), "[PHONE]")` → Consider integrating a structured PII detection library (e.g., Microsoft Presidio) or expanding regex patterns to cover additional credential formats.	`scripts/lib/pii_scrubber.py:10`
低危	Workspace file upload scope is broader than session data 文档欺骗 Step 4.5 collects SOUL.md, USER.md, AGENTS.md, BOUL.md, HEARTBEAT.md, IDENTITY.md, TOOLS.md, memory/, cron/ and sessions.json. While declared in SKILL.md, the full content of workspace config files is broad and may include operational details not intended for sharing. `WORKSPACE_MD_FILES = ["SOUL.md", "USER.md", "TOOLS.md", "AGENTS.md", "BOOTSTRAP.md", "HEARTBEAT.md", "IDENTITY.md"]` → Clearly inform users what types of information are in these files before consent is requested.	`scripts/workspace_bundle.py:24`

资源类型	声明权限	推断权限	状态	证据
文件系统	`READ`	`READ`	✓ 一致	SKILL.md declares session scanning; session_index.py reads ~/.openclaw/*
网络访问	`WRITE`	`WRITE`	✓ 一致	SKILL.md declares server submission; auth.py, submit.py POST to api.shixiann.com
命令执行	`READ`	`READ`	✓ 一致	SKILL.md declares openclaw gateway restart; env_check.py modifies ~/.openclaw/op…
环境变量	`READ`	`READ`	✓ 一致	OPENCLAW_STATE_DIR checked in workspace_bundle.py, session_index.py
技能调用	`WRITE`	`WRITE`	✓ 一致	This is the skill itself; self-invocation is core functionality
剪贴板	`NONE`	`NONE`	—	No clipboard access found in any script
浏览器	`NONE`	`NONE`	—	No browser automation found
数据库	`NONE`	`NONE`	—	No direct database access; only file-based session storage read

4 项发现

🔗

中危外部 URL 外部 URL

https://api.shixiann.com

scripts/lib/auth.py:67

🔗

中危外部 URL 外部 URL

https://docs.openclaw.ai

scripts/lib/system_prompt_builder.py:693

🔗

中危外部 URL 外部 URL

https://discord.com/invite/clawd

scripts/lib/system_prompt_builder.py:695

🔗

中危外部 URL 外部 URL

https://clawhub.ai

scripts/lib/system_prompt_builder.py:696

目录结构

20 文件 · 181.0 KB · 4865 行

Python 19f · 4444L Markdown 1f · 421L

├─ ▾ 📁 scripts

│ ├─ ▾ 📁 lib

│ │ ├─ 🐍 __init__.py Python 1L · 27 B

│ │ ├─ 🐍 auth.py Python 267L · 8.4 KB

│ │ ├─ 🐍 cache_trace.py Python 124L · 3.9 KB

│ │ ├─ 🐍 converter.py Python 317L · 10.6 KB

│ │ ├─ 🐍 dag.py Python 145L · 4.7 KB

│ │ ├─ 🐍 metadata_stripper.py Python 61L · 1.6 KB

│ │ ├─ 🐍 pii_scrubber.py Python 51L · 2.2 KB

│ │ ├─ 🐍 quality_checker.py Python 80L · 2.7 KB

│ │ ├─ 🐍 session_index.py Python 203L · 6.9 KB

│ │ ├─ 🐍 system_prompt_builder.py Python 848L · 35.1 KB

│ │ └─ 🐍 tool_registry.py Python 327L · 16.5 KB

│ ├─ 🐍 convert_to_openai.py Python 308L · 10.7 KB

│ ├─ 🐍 env_check.py Python 175L · 6.2 KB

│ ├─ 🐍 query.py Python 70L · 2.3 KB

│ ├─ 🐍 reasoning_stats.py Python 122L · 3.8 KB

│ ├─ 🐍 reject.py Python 96L · 3.1 KB

│ ├─ 🐍 scan_and_convert.py Python 534L · 20.3 KB

│ ├─ 🐍 submit.py Python 339L · 12.0 KB

│ └─ 🐍 workspace_bundle.py Python 376L · 12.6 KB

└─ 📝 SKILL.md Markdown 421L · 17.3 KB

安全亮点

✓ Full HTTPS/TLS implementation with bundled CA certificates and fallback chain

✓ SKILL.md is comprehensive and accurately describes all behavior

✓ Two-phase upload with mandatory user confirmation for workspace files (--bundle-only then --upload-only)

✓ PII scrubber is applied before workspace file upload with visible redaction statistics

✓ manifest.json tracks submitted/rejected sessions to prevent duplicate uploads

✓ No obfuscation, base64-encoded execution, or suspicious encoding patterns

✓ No credential harvesting from environment variables or sensitive paths like ~/.ssh or ~/.aws

✓ No reverse shell, C2, or data exfiltration to unknown IPs

✓ API key is user-specific (phone+SMS authentication) and stored locally only

✓ 401 responses automatically clear stored key and prompt re-authentication

✓ No curl|bash or direct shell command injection patterns found

✓ All dependencies are standard library (no third-party pip dependencies)

✓ openclaw gateway restart is declared in SKILL.md and necessary for config changes