Low Risk — Risk Score 20/100
Last scan: 2 days ago
baton
Baton — AI orchestrator for OpenClaw. Routes every request to subagents. Never does work itself.
A legitimate OpenClaw AI orchestrator with no malicious behavior; the primary finding is that filesystem WRITE permissions are not declared in SKILL.md metadata despite the install script and task-manager performing file writes to ~/.openclaw.
Skill Name: baton
Duration: 49.2s
Engine: pi
Safe to install
Add filesystem:WRITE to the declared permissions in SKILL.md metadata to align with the install script and task-manager file write operations.

Findings (2 items)

Severity: Low
Finding: Filesystem WRITE not declared in permissions
The SKILL.md metadata declares read:config, read:agents, exec:scripts, read:env but install.sh performs filesystem writes (BOOT.md, AGENTS.md, baton directory creation) and task-manager.js writes task files. This is a doc-to-code mismatch.
permissions: [read:config, read:agents, exec:scripts, read:env]
→ Add filesystem:WRITE to metadata permissions. The writes are legitimate (orchestrator state management in ~/.openclaw) but should be declared.
Location: SKILL.md:1

Severity: Info
Finding: execSync runs openclaw CLI commands
probe-limits.js uses execSync to run 'openclaw models list --json' and 'openclaw models status --json'. This is shell execution but scoped to the OpenClaw ecosystem CLI.
execSync('openclaw models list --json 2>/dev/null', {encoding:'utf8', timeout:30000})
→ Covered by exec:scripts permission. Consider declaring shell:WRITE explicitly if execSync is considered shell access.
Location: scripts/probe-limits.js:87

| Resource | Declared | Inferred | Status | Evidence |
|---|---|---|---|---|
| Filesystem | NONE | READ | ✓ Aligned | probe-limits.js reads openclaw.json, agents/<id>/agent/models.json; task-manager… |
| Filesystem | NONE | WRITE | ✗ Violation | install.sh writes BOOT.md and AGENTS.md; task-manager.js writes task/archive/tem… |
| Shell | NONE | WRITE | ✓ Aligned | probe-limits.js line 87: execSync('openclaw models list --json'); install.sh lin… |
| Network | NONE | READ | ✓ Aligned | probe-limits.js probeProvider() makes HTTP GET to provider rate-limit APIs using… |
| Environment | READ | READ | ✓ Aligned | resolveApiKey() reads env vars for API keys, used only for provider limit querie… |

File Tree

13 files · 79.2 KB · 1963 lines
JavaScript 2f · 1103L Markdown 8f · 701L Shell 1f · 118L JSON 2f · 41L
├─ 📁 references
│ ├─ 📝 model-profiles.md Markdown 37L · 1.3 KB
│ ├─ 📝 onboarding-guide.md Markdown 111L · 3.4 KB
│ ├─ 📝 orchestration.md Markdown 266L · 9.1 KB
│ ├─ 📝 resilience.md Markdown 80L · 2.9 KB
│ ├─ 📝 task-schema.md Markdown 65L · 2.7 KB
│ └─ 📝 task-types.md Markdown 24L · 946 B
├─ 📁 scripts
│ ├─ 🔧 install.sh Shell 118L · 5.1 KB
│ ├─ 📜 probe-limits.js JavaScript 412L · 21.9 KB
│ ├─ 📋 provider-probes.json JSON 32L · 1.7 KB
│ └─ 📜 task-manager.js JavaScript 691L · 23.7 KB
├─ 📝 BOOT.md Markdown 26L · 1.5 KB
├─ 📋 package.json JSON 9L · 185 B
└─ 📝 SKILL.md Markdown 92L · 4.8 KB

Security Positives

✓ API keys are resolved from environment or config and used only for provider rate-limit API queries — never exfiltrated
✓ Comprehensive output sanitisation (sanitiseOutput) redacts apiKey, token, secret, password fields before any stdout output
✓ Consent flow in BOOT.md step 2 requires user approval before any config scanning or script execution
✓ No base64 decoding, no eval(), no reverse shells, no direct IP exfiltration
✓ All filesystem writes are scoped to ~/.openclaw/ which is the intended state directory for this orchestrator
✓ No access to ~/.ssh, ~/.aws, .env, or other sensitive credential paths
✓ No hidden functionality — all scripts are documented, readable, and their purposes are clear
✓ Data-driven probe configuration via provider-probes.json — no hardcoded API endpoints or values