中文 EN

Scan Report

Scan New Files

Suspicious — Risk Score 45/100
Last scan:1 day ago Rescan
45 /100
hostlink
Execute commands on the host machine from inside the OpenClaw container via HostLink daemon
Skill provides documented but undeclared shell:WRITE access to the host system with no allowed-tools declaration, and HOSTLINK_TOKEN authentication credential is central to its operation without explicit handling warnings.
Skill Namehostlink
Duration33.9s
Enginepi
Use with caution
Add explicit allowed-tools declaration (shell:WRITE) and document security implications, including that HOSTLINK_TOKEN is a critical credential enabling root command execution on the host.

Findings 4 items

Severity Finding Location
Medium
No allowed-tools declaration despite full shell access Doc Mismatch
The skill's primary function is executing arbitrary shell commands on the host system, yet SKILL.md contains no 'allowed-tools' section. Users cannot determine the actual permissions being granted.
Execute commands on the host machine from inside the OpenClaw container via the HostLink daemon
→ Add an allowed-tools section declaring shell:WRITE permission
 SKILL.md:1
Medium
Root-level host command execution undeclared in security terms Priv Escalation
The skill can execute arbitrary commands as root on the host system. References/setup.md notes 'All commands run as the user hostlinkd is started as (typically root if using systemd).' This is a critical privilege escalation vector with no warnings in SKILL.md.
All commands run as the user hostlinkd is started as (typically root if using systemd)
→ Add prominent security warnings about root privilege escalation risk
 references/setup.md:92
Medium
HOSTLINK_TOKEN critical credential without handling guidance Credential Theft
The HOSTLINK_TOKEN is the sole authentication mechanism enabling arbitrary command execution on the host. It functions like a password or API key, yet SKILL.md provides no guidance on protecting it or warning that it should not be logged or exposed.
HOSTLINK_TOKEN | Auth token | (required)
→ Add credential handling guidelines; warn against logging or exposing the token
 SKILL.md:17
Low
Documents access to sensitive host paths Sensitive Access
The skill documents access to potentially sensitive paths on the host: ~/.cache/huggingface/hub, Docker socket/management, and arbitrary home directory contents. No guidance on what should not be accessed.
hostlink exec 'ls ~/.cache/huggingface/hub'
→ Document which host paths should be considered off-limits
 SKILL.md:38
ResourceDeclaredInferredStatusEvidence
Shell NONE WRITE ✗ Violation SKILL.md:1 - All examples use 'hostlink exec' for arbitrary shell commands
Filesystem NONE READ ✗ Violation SKILL.md:35-36 - Documents 'hostlink exec ls /home/jebadiah/projects', 'cat /etc…
Environment NONE READ ✗ Violation SKILL.md:24 - Documents 'hostlink -e MY_VAR=value' for setting env vars, which i…
Network NONE READ ✗ Violation SKILL.md:8 - Supports TCP/WireGuard remote access; references external connectio…

File Tree

2 files · 7.2 KB · 270 lines
Markdown 2f · 270L
├─ 📁 references
│ └─ 📝 setup.md Markdown 140L · 3.3 KB
└─ 📝 SKILL.md Markdown 130L · 3.9 KB

Security Positives

✓ Skill has comprehensive documentation of its capabilities and architecture
✓ Authentication mechanism (token-based) is documented
✓ Uses Unix socket by default (local-only without TCP exposure)
✓ Exit codes are well-defined for error handling
✓ Includes troubleshooting guidance for common issues