Suspicious: risk score 45/100
Last scanned: 1 day ago
hostlink
Execute commands on the host machine from inside the OpenClaw container via HostLink daemon
Skill provides documented but undeclared shell:WRITE access to the host system with no allowed-tools declaration, and HOSTLINK_TOKEN authentication credential is central to its operation without explicit handling warnings.
Skill name: hostlink
Analysis time: 33.9s
Engine: pi
Use with caution
Add explicit allowed-tools declaration (shell:WRITE) and document security implications, including that HOSTLINK_TOKEN is a critical credential enabling root command execution on the host.

Security findings: 4

Severity | Finding | Location
Medium
No allowed-tools declaration despite full shell access (Documentation deception)
The skill's primary function is executing arbitrary shell commands on the host system, yet SKILL.md contains no 'allowed-tools' section. Users cannot determine the actual permissions being granted.
Execute commands on the host machine from inside the OpenClaw container via the HostLink daemon
→ Add an allowed-tools section declaring shell:WRITE permission
SKILL.md:1
Medium
Root-level host command execution undeclared in security terms (Privilege escalation)
The skill can execute arbitrary commands as root on the host system. references/setup.md notes 'All commands run as the user hostlinkd is started as (typically root if using systemd).' This is a critical privilege escalation vector with no warnings in SKILL.md.
All commands run as the user hostlinkd is started as (typically root if using systemd)
→ Add prominent security warnings about root privilege escalation risk
references/setup.md:92
Medium
HOSTLINK_TOKEN critical credential without handling guidance (Credential theft)
The HOSTLINK_TOKEN is the sole authentication mechanism enabling arbitrary command execution on the host. It functions like a password or API key, yet SKILL.md provides no guidance on protecting it or warning that it should not be logged or exposed.
HOSTLINK_TOKEN | Auth token | (required)
→ Add credential handling guidelines; warn against logging or exposing the token
SKILL.md:17
Low
Documents access to sensitive host paths (Sensitive access)
The skill documents access to potentially sensitive paths on the host: ~/.cache/huggingface/hub, Docker socket/management, and arbitrary home directory contents. No guidance on what should not be accessed.
hostlink exec 'ls ~/.cache/huggingface/hub'
→ Document which host paths should be considered off-limits
SKILL.md:38
Resource type | Declared permission | Inferred permission | Status | Evidence
Command execution | NONE | WRITE | ✗ Exceeds declared | SKILL.md:1 - All examples use 'hostlink exec' for arbitrary shell commands
File system | NONE | READ | ✗ Exceeds declared | SKILL.md:35-36 - Documents 'hostlink exec ls /home/jebadiah/projects', 'cat /etc…
Environment variables | NONE | READ | ✗ Exceeds declared | SKILL.md:24 - Documents 'hostlink -e MY_VAR=value' for setting env vars, which i…
Network access | NONE | READ | ✗ Exceeds declared | SKILL.md:8 - Supports TCP/WireGuard remote access; references external connectio…

Directory structure

2 files · 7.2 KB · 270 lines
Markdown 2f · 270L
├─ 📁 references
│ └─ 📝 setup.md Markdown 140L · 3.3 KB
└─ 📝 SKILL.md Markdown 130L · 3.9 KB

Security highlights

✓ Skill has comprehensive documentation of its capabilities and architecture
✓ Authentication mechanism (token-based) is documented
✓ Uses Unix socket by default (local-only without TCP exposure)
✓ Exit codes are well-defined for error handling
✓ Includes troubleshooting guidance for common issues