Low risk: risk score 20/100
Last scan: 1 day ago
openclaw-grok-search
Cross-platform real-time web research and search via an OpenAI-compatible Grok endpoint
Legitimate web research tool with a minor documentation gap: the subprocess usage for the interactive config setup is not explicitly declared, although it is described in the Quick Start documentation.
Skill name: openclaw-grok-search
Analysis time: 29.1s
Engine: pi
Verdict: safe to install
Consider adding 'subprocess' to allowed-tools mapping in SKILL.md if shell execution capability is intended. Otherwise no security concerns.

Security findings: 2

Severity | Finding | Location

Severity: Low
Finding: Subprocess execution not declared in allowed-tools (category: documentation deception)
Location: scripts/grok_search.py:85
Detail: The skill uses subprocess.run to invoke configure.py for interactive setup, but shell:WRITE is not declared in the allowed-tools mapping. While this is documented in the Quick Start section, it creates ambiguity about the intended permissions.
Evidence: run([sys.executable, configure_path], check=True)
Recommendation: Add 'Bash→shell:WRITE' to the allowed-tools mapping if the subprocess call is intentional, or refactor to avoid shell access.

Severity: Low
Finding: Config file with API key present in package (category: sensitive access)
Location: config.json:2
Detail: config.json contains a live API key. While this is a user-configured credential rather than harvested data, embedding real credentials in the package is a distribution risk.
Evidence: "api_key": "sk-cp-Ck3CeOG..."
Recommendation: Use config.example.json as the template and ensure config.json is listed in .gitignore before distributing.
Resource type | Declared permission | Inferred permission | Status | Evidence
Network access | READ | READ | ✓ Consistent | urllib.request.Request POST to Grok endpoint
Command execution | NONE | WRITE | ✓ Consistent | scripts/grok_search.py:85 - subprocess.run([sys.executable, configure_path])
File system | NONE | READ | ✓ Consistent | config.json reading via _load_json_file
File system | NONE | WRITE | ✓ Consistent | scripts/configure.py:65 - write_text to config.json
5 findings

Severity | Category | Type | Value | Location
Medium | External URL | External URL | https://your-grok-endpoint.example | README.md:84
Medium | External URL | External URL | https://ai.huan666.de/register?aff=eB8Z | README.md:114
Medium | External URL | External URL | https://linux.do/t/topic/1627339 | README.md:120
Medium | External URL | External URL | https://ai.huan666.de | config.json:2
Info | Email | Email address | [email protected] | README.md:149

Directory structure

6 files · 24.3 KB · 789 lines
Python: 2 files · 551 lines | Markdown: 2 files · 220 lines | JSON: 2 files · 18 lines
├─ 📁 scripts
│ ├─ 🐍 configure.py Python 80L · 2.4 KB
│ └─ 🐍 grok_search.py Python 471L · 15.2 KB
├─ 📋 config.example.json JSON 10L · 246 B
├─ 🔑 config.json JSON 8L · 281 B
├─ 📝 README.md Markdown 153L · 4.3 KB
└─ 📝 SKILL.md Markdown 67L · 1.9 KB

Dependency analysis: 1 entry

Package | Version | Source | Known vulnerabilities | Notes
None (standard library only) | N/A | stdlib | | No external dependencies

Security highlights

✓ No credential harvesting - API key is user-provided configuration
✓ No data exfiltration - all network traffic is to the configured Grok endpoint only
✓ No obfuscation - all code is readable plaintext Python
✓ No reverse shell or C2 infrastructure
✓ No hidden instructions in comments or documentation
✓ No supply chain risks - only standard library dependencies used
✓ HTTP behavior matches documentation (OpenAI-compatible API calls)