Why this conclusion was reached
2/4 dimensions flagged
Block: Declared vs actual capability. 4 undeclared or violating capabilities were inferred.
Block: Hidden execution and egress. 1 high-risk artifacts or egress signals were extracted.
Pass: Attack chain and severe findings. There is no explicit malicious chain in the report.
Pass: Dependencies and supply chain hygiene. Dependencies are present but no obvious high-risk issue stands out.
What drove the risk score up
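Documentation-behavior mismatch +15
SKILL.md declares NONE, but the code actually modifies ~/.openclaw/openclaw.json and executes shell commands
Incomplete permission declaration +8
network:READ/WRITE (local backend), shell:WRITE (gateway restart) and filesystem:WRITE (config read/write) are all undeclared in SKILL.md
Dangerous shell command in documentation +5
README.md:70 contains a curl|sh remote script execution, but it is a deployment instruction rather than code behavior
Offset by positive factors -10
No credential harvesting, no data exfiltration, clear code logic, local-only communication
Dependency security -5
Uses only Node.js built-in modules; no third-party dependency risk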
Most important evidence
Medium Doc Mismatch
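SKILL.md does not declare config file read/write permission
SKILL.md declares the filesystem capability as NONE, but bin/install.js actually reads and writes ~/.openclaw/openclaw.json and copies plugin files into the ~/.openclaw/plugins/ directory. This is a typical documentation-behavior mismatch (shadow capability), a characteristic found in 73.2% of malicious skills.
bin/install.js:167 Explicitly declare in the Onboarding section of SKILL.md: this skill needs to write to the ~/.openclaw/openclaw.json configuration file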
Medium Doc Mismatch
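SKILL.md does not declare shell execution permission
SKILL.md declares the shell capability as NONE, but bin/install.js executes 'openclaw gateway restart' to restart the OpenClaw gateway.
bin/install.js:222 Explicitly declare in SKILL.md that Step 4 executes the openclaw gateway restart command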
Low Supply Chain
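README documentation contains the dangerous curl|sh command
README.md:70 and README.zh.md contain the remote script execution command 'curl -LsSf https://astral.sh/uv/install.sh | sh'. This is a high-risk shell pattern, but it is a documentation instruction rather than code execution.
README.md:70 Suggest splitting into two steps: first download the script and inspect its contents, then execute it; or advise users to install uv manually and then use pip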
Info Sensitive Access
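Reads the HOME environment variable to locate the config directory
bin/install.js:42 reads the HOME/USERPROFILE environment variables to locate the ~/.openclaw path. This is standard Unix path resolution, with no risk of exceeding its permissions.
bin/install.js:42 No fix needed; this is standard practice for an installer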
Declared capability vs actual capability
Filesystem: Block
Declared NONE → Inferred WRITE
bin/install.js:167,170 reads and writes ~/.openclaw/openclaw.json and copies plugin files
Network: Block
Declared NONE → Inferred READ+WRITE
src/api.js:37-38 sends HTTP requests to localhost:1995
Shell: Block
Declared NONE → Inferred WRITE
bin/install.js:222 exec('openclaw gateway restart')
Environment: Block
Declared NONE → Inferred READ
bin/install.js:42 reads the HOME/USERPROFILE environment variables
Suspicious artifacts and egress
Critical Dangerous Command
curl -LsSf https://astral.sh/uv/install.sh | sh README.md:70
Medium External URL
https://astral.sh/uv/install.sh README.md:70
Dependencies and supply chain
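| Package | Version | Source | Known vuln | Notes |
| --- | --- | --- | --- | --- |
| node:fs | built-in | Node.js | No | Standard file system module |
| node:child_process | built-in | Node.js | No | Used to execute the openclaw restart command |
| node:crypto | built-in | Node.js | No | Used to generate deterministic message IDs |
| fetch (global) | built-in | Node.js 18+ | No | Used for HTTP requests to the local backend |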
File composition
17 files · 2210 lines
JavaScript 12 files · 1435 lines
Markdown 3 files · 680 lines
JSON 2 files · 95 lines
Files of concern · 2
bin/install.js JavaScript · 370 lines
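SKILL.md does not declare config file read/write permission · SKILL.md does not declare shell execution permission · Reads the HOME environment variable to locate the config directory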
README.md Markdown · 175 lines
README documentation contains the dangerous curl|sh command · curl -LsSf https://astral.sh/uv/install.sh | sh · https://astral.sh/uv/install.sh
Other files · engine.js · SKILL.md · prompt.js · README.zh.md · types.js · api.js +4
17 files · 66.3 KB · 2210 lines
├─ bin/
│  └─ install.js · JavaScript · 370L · 11.1 KB
├─ src/
│  ├─ api.js · JavaScript · 81L · 2.9 KB
│  ├─ config.js · JavaScript · 14L · 457 B
│  ├─ convert.js · JavaScript · 64L · 2.1 KB
│  ├─ engine.js · JavaScript · 319L · 10.9 KB
│  ├─ http.js · JavaScript · 50L · 1.7 KB
│  ├─ messages.js · JavaScript · 47L · 2.0 KB
│  ├─ prompt.js · JavaScript · 152L · 5.1 KB
│  ├─ subagent-assembler.js · JavaScript · 96L · 2.9 KB
│  ├─ subagent-tracker.js · JavaScript · 116L · 2.7 KB
│  └─ types.js · JavaScript · 107L · 4.2 KB
├─ README.md · Markdown · 175L · 4.4 KB
├─ README.zh.md · Markdown · 175L · 4.4 KB
├─ SKILL.md · Markdown · 330L · 8.3 KB
├─ index.js · JavaScript · 19L · 684 B
├─ openclaw.plugin.json · JSON · 50L · 1.5 KB
└─ package.json · JSON · 45L · 847 B
Security positives
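No credential harvesting (does not access sensitive paths such as ~/.ssh, ~/.aws, .env)
No data exfiltration (network communication is limited to the local backend at localhost:1995)
No reverse shell or C2 communication
No code obfuscation (plain, readable JavaScript)
Uses only Node.js built-in modules; no third-party dependency risk
Configuration file is backed up automatically before writing (.bak file)
Clear code structure; API call logic is simple and auditable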