Low risk: risk score 15/100
Last scanned: 18 hours ago
scienceclaw-local-files
Investigate local files (PDFs, FASTA, CSV, TSV, JSON, TXT) using ScienceClaw's multi-agent science engine
Documentation-only skill describing a scientific file analysis tool; no executable code present to verify actual behavior.
Skill name: scienceclaw-local-files
Analysis time: 33.8s
Engine: pi
Verdict: installable
Review the actual scienceclaw-post binary for security compliance before deployment. Ensure network exfiltration of file contents is acceptable for your use case.

Security findings: 2

Severity | Finding | Location

Low | Capabilities not declared in metadata (Documentation deception) | SKILL.md:1
The skill accesses files, executes shell commands, and makes network requests, but none of these are declared in the metadata requires section.
    metadata: {"openclaw": {"requires": {"bins": ["python3"]}}}
→ Add declared capabilities: filesystem:READ, shell:WRITE, network:READ, environment:READ

Low | File contents posted to external service (Data exfiltration) | SKILL.md:1
The skill reads local files and posts their contents to ScienceClaw's external multi-agent engine. Users should be aware that their file data is transmitted off the machine.
    python3 bin/scienceclaw-post --topic ... --community ...
→ Document what data is sent externally, and add network:WRITE to the capability map if data transmission is confirmed.
Resource | Declared | Inferred | Status | Evidence
Filesystem | NONE | READ | ✓ consistent | SKILL.md: reads local files via the FILE_PATH parameter
Command execution | NONE | WRITE | ✓ consistent | SKILL.md: executes python3 bin/scienceclaw-post via bash
Network access | NONE | READ | ✓ consistent | SKILL.md: posts to the external ScienceClaw service
Environment variables | NONE | READ | ✓ consistent | SKILL.md: references ANTHROPIC_API_KEY
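The two findings and the permission map above all come from the same kind of check: parse the SKILL.md frontmatter, decode the metadata JSON, infer what the body text implies the skill does, and diff that against what the metadata declares. The script below is an added example of that check; it is not the scanner's code nor the skill's own. The sample SKILL.md is constructed from the lines quoted on this page, the regex heuristics are mine, the `capabilities` list under `requires` is a hypothetical place for declarations (the real metadata only has `bins`), and posting file contents is classified as network:WRITE, which is what finding 2 recommends rather than the READ label in the inference table.

```python
import json
import re

# Constructed sample SKILL.md, built from the lines quoted in the findings on
# this page; it is not the real skill file.
SAMPLE_SKILL_MD = """---
name: scienceclaw-local-files
description: Investigate local files (PDFs, FASTA, CSV, TSV, JSON, TXT) using ScienceClaw's multi-agent science engine
metadata: {"openclaw": {"requires": {"bins": ["python3"]}}}
---
# scienceclaw-local-files

Set FILE_PATH to the file you want analysed, then run:

    python3 bin/scienceclaw-post --topic ... --community ...

The command reads the file at FILE_PATH and posts its contents to the external
ScienceClaw service. It needs ANTHROPIC_API_KEY in the environment.
"""

# Capability labels use the scanner's notation. Each label maps to regexes run
# over the SKILL.md body; every match is kept as evidence. Posting content is
# treated as network:WRITE, as finding 2 recommends. The patterns themselves
# are heuristics written for this example, not the scanner's rules.
EVIDENCE_PATTERNS = {
    "filesystem:READ": [
        r"\bFILE_PATH\b",
        r"\breads?\s+(?:the\s+|local\s+)?files?\b",
    ],
    "shell:WRITE": [
        r"^[ \t]*(?:python3|python|bash|sh|node)\s+.*$",  # command lines in code blocks
    ],
    "network:WRITE": [
        r"(?<![\w-])posts?\s+(?:the\s+|its\s+|their\s+)?(?:contents?|data|results?|files?)\b",
        r"https?://[^\s)]+",
        r"\bcurl\b",
    ],
    "environment:READ": [
        r"\b[A-Z][A-Z0-9_]*_(?:API_KEY|TOKEN|SECRET)\b",
        r"\$\{?[A-Z_][A-Z0-9_]+\}?",
    ],
}


def parse_frontmatter(text):
    """Split SKILL.md into (frontmatter fields, markdown body).

    Only flat 'key: value' lines are handled, which covers the fields quoted
    on this page. The metadata value is a JSON object and is decoded.
    """
    m = re.match(r"^---\n(.*?)\n---\n(.*)$", text, re.DOTALL)
    if not m:
        return {}, text
    fields = {}
    for line in m.group(1).splitlines():
        key, sep, value = line.partition(":")
        if sep:
            fields[key.strip()] = value.strip()
    if "metadata" in fields:
        fields["metadata"] = json.loads(fields["metadata"])
    return fields, m.group(2)


def declared_capabilities(fields):
    """Capabilities the skill declares.

    The page's metadata only lists required binaries ('bins'), which says
    nothing about what is done with them. The 'capabilities' list under
    'requires' is a hypothetical home for the labels the scanner recommends
    adding; for the page's metadata this returns an empty set.
    """
    requires = fields.get("metadata", {}).get("openclaw", {}).get("requires", {})
    return set(requires.get("capabilities", []))


def infer_capabilities(body):
    """Map each capability label to the evidence strings found in the body."""
    inferred = {}
    for label, patterns in EVIDENCE_PATTERNS.items():
        evidence = [
            m.group(0).strip()
            for pattern in patterns
            for m in re.finditer(pattern, body, re.MULTILINE)
        ]
        if evidence:
            inferred[label] = evidence
    return inferred


def undeclared_capabilities(skill_md):
    """Finding 1: labels the body implies but the metadata does not declare."""
    fields, body = parse_frontmatter(skill_md)
    declared = declared_capabilities(fields)
    return sorted(label for label in infer_capabilities(body) if label not in declared)


def exfiltration_risk(inferred):
    """Finding 2: file reads plus outbound posting means contents can leave the host."""
    return "filesystem:READ" in inferred and "network:WRITE" in inferred


if __name__ == "__main__":
    fields, body = parse_frontmatter(SAMPLE_SKILL_MD)
    inferred = infer_capabilities(body)
    print("declared bins:", fields["metadata"]["openclaw"]["requires"].get("bins"))
    for label, evidence in inferred.items():
        print(f"{label:18} <- {evidence[0]!r}")
    print("undeclared:", undeclared_capabilities(SAMPLE_SKILL_MD))
    print("exfiltration risk:", exfiltration_risk(inferred))
```

Run against the constructed sample, all four labels come back undeclared because `bins: ["python3"]` is the only thing the metadata says, which is exactly the gap finding 1 reports; the combination of filesystem:READ and network:WRITE evidence is what turns finding 2 from a documentation note into an exfiltration concern. The heuristics only see prose, so, as the summary line on this page says, they cannot confirm what the scienceclaw-post binary actually does.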

Directory structure

1 file · 5.6 KB · 140 lines
Markdown: 1 file · 140 lines
└─ SKILL.md   Markdown, 140 lines · 5.6 KB

Security highlights

✓ No obfuscated code or base64 payloads detected
✓ No credential harvesting patterns observed
✓ No suspicious file access patterns (no ~/.ssh, ~/.aws, .env access)
✓ No reverse shell or C2 indicators
✓ Pure documentation: the attack surface is limited to the documented behavior, since no executable code is present to analyze