Low risk: risk score 15/100
Last scan: 1 day ago
agile-workflow
Fully automated agile collaborative workflow engine - Novel writing workflow automation with multi-agent orchestration
This is a legitimate automated workflow engine for novel writing and task orchestration with no malicious behavior detected. All shell operations are standard process management (pkill, pgrep, find), all file accesses are within declared workspace paths, and no credential harvesting or data exfiltration was found.
Skill name: agile-workflow
Analysis time: 61.3s
Engine: pi
Verdict: can be installed
Approve for use. The skill's behavior is consistent with a workflow automation tool. Consider adding explicit shell execution documentation to SKILL.md and pinning ioredis to an exact version for supply chain hygiene; since the repository ships a package-lock.json, installing with npm ci makes the lockfile rather than the caret range decide what actually gets installed.

Security findings (4)

Severity | Finding | Location
Low | Documentation mismatch
Shell execution not declared in SKILL.md
SKILL.md omits that the skill uses child_process exec/execSync for process management (pkill, pgrep, find). All uses the scan observed are process lifecycle operations, but the behavior is undocumented. Note also that agentType is interpolated into the shell string handed to execSync; the scan does not trace where that value originates, so if it can ever come from task or config files rather than a fixed set of agent names, this line becomes a shell injection point and a reason to constrain, not just document, the shell usage.
execSync(`pkill -f "openclaw.*--agent.*${agentType}" || true`, { stdio: 'ignore' })
→ Add a 'Shell Commands Used' section to SKILL.md listing pkill, pgrep, find and their purpose
core/agent-process-pool.js:65
Low | Documentation mismatch
Agent spawning not declared in SKILL.md
SKILL.md does not document that the skill spawns sub-agents via the '/home/ubutu/.npm-global/bin/openclaw agent' command. The skill acts as a multi-agent orchestrator, and each spawned agent inherits the parent's full environment (process.env is spread into the child env at core/agent-process-pool.js:312).
const child = spawn(cmd, args, { cwd, env, ... })
→ Document the skill_invoke capability in SKILL.md if agents are spawned as subprocesses
core/agent-process-pool.js:336
Info | Supply chain
ioredis dependency uses caret range
package.json declares ioredis as ^5.10.0, which allows any 5.x release at or above 5.10.0 (minor and patch updates) to be resolved on a fresh install. ioredis has no known vulnerabilities at this version; exact pinning, combined with the committed package-lock.json and npm ci, is the standard hygiene measure.
"ioredis": "^5.10.0"
→ Pin to exact version: "ioredis": "5.10.0"
package.json:28
Info | Sensitive access
Hardcoded absolute workspace paths
Multiple files use hardcoded paths like /home/ubutu/.openclaw/workspace and /home/ubutu/.npm-global/bin/openclaw. These assume a specific user and installation environment, so the skill will not run as shipped on any other host.
workspace: '/home/ubutu/.openclaw/workspace'
→ Use environment variables or relative paths for portability
core/agile-workflow-engine.js:26
Resource | Declared | Inferred | Status | Evidence
File system | NONE | WRITE | ✓ consistent | core/agent-process-pool.js:351 - writes agent output to project dirs
Command execution | NONE | WRITE | ✗ exceeds declared | core/agent-process-pool.js:65-69 - uses execSync pkill; core/self-healing-monito…
Environment variables | NONE | READ | ✓ consistent | core/agent-process-pool.js:312 - spreads process.env into child env
Network access | NONE | NONE | | dashboard/backend/server.js only binds localhost:8080
Skill invocation | NONE | WRITE | ✗ exceeds declared | core/agent-process-pool.js:336 - spawns openclaw agents via CLI
IOC matches (3), 1 critical
💀 Critical | Dangerous command | Dangerous shell command
rm -rf /
docs/DELIVERY-CHECKLIST.md:256 (appears in documentation text, not in executable code)
🔗 Medium | External URL
https://opencollective.com/ioredis
package-lock.json:77 (funding metadata recorded by npm for ioredis)
🔗 Medium | External URL
https://clawhub.com/skills/agile-workflow
package.json:39 (the skill's own registry listing, in its package metadata)

Directory structure

140 files · 1.3 MB · 51586 lines
JavaScript 66 files · 26974 lines | Markdown 64 files · 23522 lines | HTML 1 file · 669 lines | JSON 7 files · 329 lines | Shell 2 files · 92 lines
├─ 📁 backups
│ └─ 📁 20260315_215924
│ ├─ 📜 agile-workflow-engine-v5.js JavaScript 783L · 22.1 KB
│ ├─ 📜 agile-workflow-engine-v7.js JavaScript 446L · 12.2 KB
│ ├─ 📜 concurrent-executor-v2.js JavaScript 608L · 16.0 KB
│ ├─ 📜 health-check-v2.js JavaScript 1156L · 38.9 KB
│ ├─ 📜 stress-test.js JavaScript 311L · 10.6 KB
│ └─ 📜 test-framework.js JavaScript 778L · 20.2 KB
├─ 📁 core
│ ├─ 📜 agent-manager.js JavaScript 668L · 16.4 KB
│ ├─ 📜 agent-process-pool.js JavaScript 745L · 24.9 KB
│ ├─ 📜 agent-supervisor.js JavaScript 169L · 4.3 KB
│ ├─ 📜 agile-workflow-engine.js JavaScript 527L · 13.5 KB
│ ├─ 📜 auto-chunker.js JavaScript 168L · 4.3 KB
│ ├─ 📜 cache-backend.js JavaScript 489L · 11.6 KB
│ ├─ 📜 cache-manager.js JavaScript 535L · 11.6 KB
│ ├─ 📜 circuit-breaker.js JavaScript 718L · 18.9 KB
│ ├─ 📜 cli-enhanced.js JavaScript 739L · 18.4 KB
│ ├─ 📜 concurrent-executor.js JavaScript 572L · 14.9 KB
│ ├─ 📜 config-manager.js JavaScript 746L · 18.2 KB
│ ├─ 📜 context-router.js JavaScript 329L · 8.6 KB
│ ├─ 📜 creativity-scorer.js JavaScript 619L · 17.6 KB
│ ├─ 📜 data-verifier.js JavaScript 209L · 5.1 KB
│ ├─ 📜 dependency-graph-manager.js JavaScript 552L · 13.3 KB
│ ├─ 📜 dependency-manager.js JavaScript 201L · 4.8 KB
│ ├─ 📜 execution-verifier.js JavaScript 367L · 8.6 KB
│ ├─ 📜 failure-handler.js JavaScript 348L · 10.0 KB
│ ├─ 📜 generate-review-tasks.js JavaScript 119L · 4.1 KB
│ ├─ 📜 global-process-manager.js JavaScript 165L · 4.3 KB
│ ├─ 📜 health-check.js JavaScript 984L · 30.9 KB
│ ├─ 📜 health-monitor.js JavaScript 223L · 5.2 KB
│ ├─ 📜 integration-adapter.js JavaScript 254L · 7.5 KB
│ ├─ 📜 integration-test.js JavaScript 115L · 4.5 KB
│ ├─ 📜 llm-gateway.js JavaScript 409L · 9.7 KB
│ ├─ 📜 load-balancer.js JavaScript 667L · 16.1 KB
│ ├─ 📜 log-monitor.js JavaScript 430L · 12.8 KB
│ ├─ 📜 memory-manager.js JavaScript 448L · 10.8 KB
│ ├─ 📜 merge-strategy-manager.js JavaScript 595L · 16.9 KB
│ ├─ 📜 message-bus.js JavaScript 302L · 7.3 KB
│ ├─ 📜 model-switcher.js JavaScript 256L · 7.4 KB
│ ├─ 📜 monitoring-alert-system.js JavaScript 332L · 9.1 KB
│ ├─ 📋 package.json JSON 22L · 462 B
│ ├─ 📜 performance-tuner.js JavaScript 296L · 7.3 KB
│ ├─ 📜 project-manager.js JavaScript 148L · 3.7 KB
│ ├─ 📜 prompt-cache.js JavaScript 348L · 8.4 KB
│ ├─ 📜 quality-validator-rules.js JavaScript 670L · 16.9 KB
│ ├─ 📜 quality-validator.js JavaScript 718L · 17.7 KB
│ ├─ 📜 report-validator.js JavaScript 200L · 4.8 KB
│ ├─ 📜 self-healing-monitor.js JavaScript 988L · 29.1 KB
│ ├─ 📜 task-report-monitor.js JavaScript 198L · 6.0 KB
│ ├─ 📜 task-scheduler.js JavaScript 417L · 13.7 KB
│ ├─ 📜 task-state-tracker.js JavaScript 181L · 4.4 KB
│ ├─ 🔑 token-counter.js JavaScript 141L · 3.5 KB
│ ├─ 📜 version-manager.js JavaScript 718L · 18.4 KB
│ ├─ 📜 violation-alarm.js JavaScript 228L · 5.3 KB
│ ├─ 📜 workflow-config.js JavaScript 34L · 981 B
│ └─ 📜 write-domain-isolator.js JavaScript 383L · 10.1 KB
├─ 📁 dashboard
│ ├─ 📁 backend
│ │ ├─ 📋 package.json JSON 25L · 507 B
│ │ └─ 📜 server.js JavaScript 467L · 10.4 KB
│ └─ 📁 frontend
│ └─ 📄 index.html HTML 669L · 16.7 KB
├─ 📁 docs
│ ├─ 📝 ADD-v7.0-并发安全架构.md Markdown 743L · 21.7 KB
│ ├─ 📝 ADD-v7.1-Agent 自动释放修复.md Markdown 360L · 8.6 KB
│ ├─ 📝 ADD-v7.10-章节细纲并行性分析.md Markdown 335L · 7.1 KB
│ ├─ 📝 ADD-v7.11-章节细纲串行化修改.md Markdown 324L · 7.4 KB
│ ├─ 📝 ADD-v7.12-系统缺陷审查与修复.md Markdown 461L · 10.7 KB
│ ├─ 📝 ADD-v7.13-通用任务系统缺陷修复.md Markdown 427L · 10.9 KB
│ ├─ 📝 ADD-v7.14-Cron 进程泄漏修复.md Markdown 358L · 7.7 KB
│ ├─ 📝 ADD-v7.15-彻底进程清理.md Markdown 372L · 8.8 KB
│ ├─ 📝 ADD-v7.16-源头修复进程泄漏.md Markdown 456L · 9.3 KB
│ ├─ 📝 ADD-v7.17-任务自动调度修复.md Markdown 452L · 10.0 KB
│ ├─ 🔑 ADD-v7.18-Token 超限修复.md Markdown 414L · 9.3 KB
│ ├─ 📝 ADD-v7.19-模型限制数据修正.md Markdown 321L · 7.0 KB
│ ├─ 📝 ADD-v7.2-效率优先原则修复.md Markdown 359L · 8.9 KB
│ ├─ 📝 ADD-v7.20-数据真实性强制执行机制.md Markdown 513L · 11.1 KB
│ ├─ 📝 ADD-v7.21-任务依赖链修复.md Markdown 356L · 8.4 KB
│ ├─ 🔑 ADD-v7.22-Token 超限紧急修复.md Markdown 299L · 6.4 KB
│ ├─ 📝 ADD-v7.23-异步质量审核机制.md Markdown 356L · 8.4 KB
│ ├─ 📝 ADD-v7.3-小说创作核心模块并发能力分析.md Markdown 391L · 10.6 KB
│ ├─ 📝 ADD-v7.4-全自动小说创作工作流 v4.0-阶段内并发优化.md Markdown 550L · 15.1 KB
│ ├─ 📝 ADD-v7.5-Agent 进程泄漏修复.md Markdown 261L · 6.2 KB
│ ├─ 📝 ADD-v7.6-汇报效率优化.md Markdown 376L · 7.1 KB
│ ├─ 📝 ADD-v7.7-分项任务进度汇报.md Markdown 431L · 9.5 KB
│ ├─ 📝 ADD-v7.8-Agent-Daemon 进程累积修复.md Markdown 325L · 7.4 KB
│ ├─ 📝 ADD-v7.9-10 分钟清理未生效修复.md Markdown 234L · 5.5 KB
│ ├─ 📝 DELIVERY-CHECKLIST.md Markdown 323L · 7.2 KB
│ ├─ 📝 v7.0-使用指南.md Markdown 571L · 15.2 KB
│ ├─ 📝 v7.0-总结报告.md Markdown 514L · 17.1 KB
│ └─ 📝 v7.1-修复报告.md Markdown 265L · 5.9 KB
├─ 📁 scripts
│ ├─ 📜 analyze-and-cleanup.js JavaScript 341L · 8.4 KB
│ ├─ 🔧 cleanup-old-versions.sh Shell 48L · 1.0 KB
│ ├─ 🔧 deploy-verify.sh Shell 44L · 1.1 KB
│ ├─ 📜 generate-outline-task.js JavaScript 180L · 5.7 KB
│ ├─ 📜 health-check.js JavaScript 394L · 13.5 KB
│ ├─ 📜 optimized-report.js JavaScript 135L · 4.2 KB
│ ├─ 📜 outline-pre-check.js JavaScript 185L · 6.3 KB
│ ├─ 📜 repair-task-states.js JavaScript 250L · 7.5 KB
│ ├─ 📜 submit-report.js JavaScript 210L · 6.1 KB
│ ├─ 📜 task-dependency-generator.js JavaScript 290L · 8.7 KB
│ ├─ 📜 task-status-report.js JavaScript 150L · 4.8 KB
│ ├─ 📜 task-status.js JavaScript 54L · 1.8 KB
│ ├─ 📜 timeline-manager.js JavaScript 223L · 6.5 KB
│ └─ 📜 workflow-monitor.js JavaScript 345L · 9.6 KB
├─ 📁 test-reports
│ ├─ 📋 test-report-2026-03-12T16-26-49-527Z.json JSON 57L · 2.5 KB
│ └─ 📋 test-report-2026-03-12T16-27-36-343Z.json JSON 54L · 1.2 KB
├─ 📋 _meta.json JSON 6L · 224 B
├─ 📝 ADD-Template.md Markdown 341L · 5.3 KB
├─ 📝 ADD-v5.0.md Markdown 348L · 10.4 KB
├─ 📝 ADD-v5.1.md Markdown 314L · 9.5 KB
├─ 📝 ADD-v5.2.md Markdown 466L · 12.3 KB
├─ 📝 ADD-v6.0-Phase1-Stage3.md Markdown 437L · 9.9 KB
├─ 📝 ADD-v6.0-Phase1-Stage4.md Markdown 530L · 15.6 KB
├─ 📝 ADD-v6.0-Phase1-Stage5.md Markdown 413L · 7.6 KB
├─ 📝 ADD-v6.0-Phase1.md Markdown 315L · 8.3 KB
├─ 📝 ADD-v6.0-Phase2.md Markdown 304L · 10.0 KB
├─ 📝 ADD-v6.0-Phase3.md Markdown 415L · 8.9 KB
├─ 📝 ADD-v6.0-Phase4.md Markdown 398L · 9.4 KB
├─ 📝 ADD-v6.0-Phase5.md Markdown 394L · 9.1 KB
├─ 📝 ADD-v6.0-完整迭代.md Markdown 377L · 9.0 KB
├─ 📝 ADD-v6.0.md Markdown 403L · 12.5 KB
├─ 📝 ADD-v6.1.md Markdown 383L · 7.2 KB
├─ 📋 package-lock.json JSON 126L · 4.4 KB
├─ 📋 package.json JSON 39L · 1.1 KB
├─ 📝 Phase1-完成总结报告.md Markdown 320L · 7.7 KB
├─ 📝 Phase1-进度报告.md Markdown 224L · 4.9 KB
├─ 📝 Phase1-阶段2-完成报告.md Markdown 346L · 6.7 KB
├─ 📝 Phase1-阶段3-完成报告.md Markdown 255L · 6.3 KB
├─ 📝 Phase1-阶段4-完成报告.md Markdown 257L · 6.5 KB
├─ 📝 Phase2-完成报告.md Markdown 298L · 6.6 KB
├─ 📝 Phase2-实施进度报告.md Markdown 170L · 4.1 KB
├─ 📝 Phase3-完成报告.md Markdown 359L · 7.1 KB
├─ 📝 Phase4-完成报告.md Markdown 302L · 6.7 KB
├─ 📝 Phase5-完成报告.md Markdown 302L · 6.5 KB
├─ 📝 README.md Markdown 316L · 6.3 KB
├─ 📝 SKILL.md Markdown 565L · 13.5 KB
├─ 📝 v6.0-整体总结报告.md Markdown 285L · 6.8 KB
├─ 📝 v6.1-最终完成报告.md Markdown 261L · 6.3 KB
├─ 📝 v6.1-完成报告.md Markdown 202L · 4.0 KB
├─ 📝 v6.1-整体完成报告.md Markdown 225L · 5.4 KB
├─ 📝 全面审查报告-v6.0.md Markdown 419L · 8.8 KB
├─ 📝 发布报告-v5.0.md Markdown 351L · 7.9 KB
├─ 📝 发布报告-v5.1.md Markdown 365L · 8.0 KB
├─ 📝 发布报告-v5.2.md Markdown 380L · 9.4 KB
└─ 📝 迭代报告-v4.0.md Markdown 335L · 8.2 KB

Dependency analysis (1)

Package | Version | Source | Known vulnerabilities | Notes
ioredis | ^5.10.0 | npm | none known | Caret range allows minor updates; ioredis has no CVEs at this version
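As an added example (not part of the skill or of the scanner) of checking this table and the caret-range finding above mechanically: the script classifies every dependency spec in a package.json and cross-checks it against the version recorded in package-lock.json, which is what npm ci actually installs. The two JSON objects are constructed for the example; only the ioredis spec mirrors the report, and the lockfile version 5.10.0 is assumed.

```javascript
// Added example, not code from the agile-workflow skill or its scanner.
// Audits package.json dependency specs and cross-checks them with the lockfile.

// Exact semver: MAJOR.MINOR.PATCH with optional prerelease/build metadata.
const EXACT_RE = /^\d+\.\d+\.\d+(?:-[0-9A-Za-z.-]+)?(?:\+[0-9A-Za-z.-]+)?$/;

// 'exact' installs one known version; 'non-registry' pulls from git/URL/path,
// which bypasses the registry entirely; everything else is a range or dist-tag.
function classifySpec(spec) {
  if (EXACT_RE.test(spec)) return 'exact';
  if (/^(git\+|git:|https?:|github:|file:)/.test(spec) || /^[^@/]+\/[^@/]+(#.*)?$/.test(spec)) {
    return 'non-registry';
  }
  return 'range';
}

// lockfileVersion 2/3 keep resolved packages under "packages" keyed by path;
// lockfileVersion 1 keeps them under "dependencies".
function lockedVersion(lock, name) {
  const fromPackages = lock.packages && lock.packages[`node_modules/${name}`];
  if (fromPackages && fromPackages.version) return fromPackages.version;
  const fromDeps = lock.dependencies && lock.dependencies[name];
  return fromDeps && fromDeps.version ? fromDeps.version : null;
}

// One finding per dependency that is not an exact spec agreeing with the lockfile.
function auditDependencies(pkg, lock) {
  const findings = [];
  for (const field of ['dependencies', 'devDependencies', 'optionalDependencies']) {
    for (const [name, spec] of Object.entries(pkg[field] || {})) {
      const kind = classifySpec(spec);
      const locked = lockedVersion(lock, name);
      if (kind === 'exact' && locked === spec) continue;
      let advice;
      if (kind !== 'exact') {
        advice = locked
          ? `pin "${name}": "${locked}" (the version the lockfile resolved) and install with npm ci`
          : `pin "${name}" to an exact version; no lockfile entry found`;
      } else if (!locked) {
        advice = `exact spec but no lockfile entry for "${name}"; commit a package-lock.json`;
      } else {
        advice = `lockfile resolved ${locked} but package.json says ${spec}; run npm install to resync`;
      }
      findings.push({ field, name, spec, kind, locked, advice });
    }
  }
  return findings;
}

// Constructed sample input. The ioredis spec is the one the report cites;
// the lockfile's resolved version is assumed.
const SAMPLE_PKG = { name: 'agile-workflow', dependencies: { ioredis: '^5.10.0' } };
const SAMPLE_LOCK = {
  lockfileVersion: 3,
  packages: { 'node_modules/ioredis': { version: '5.10.0' } },
};

module.exports = { classifySpec, lockedVersion, auditDependencies, SAMPLE_PKG, SAMPLE_LOCK };
```

Run against the real files with `auditDependencies(require('./package.json'), require('./package-lock.json'))`; an empty result means every direct dependency is exact and agrees with the lockfile. Transitive dependencies are still governed only by the lockfile, which is why npm ci (which refuses to proceed when package.json and the lockfile disagree) is part of the advice rather than pinning alone.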

Security highlights

✓ No credential harvesting: Code does not iterate process.env looking for API keys and does not read ~/.ssh, ~/.aws or .env files (it does pass the whole process.env to spawned agents; see the permission table)
✓ No data exfiltration: No HTTP requests to external IPs, no data POSTs to remote servers
✓ No obfuscation: No base64-encoded payloads, no eval(atob()), no dynamic code generation
✓ No reverse shell: No connect-back logic and no network listener beyond the dashboard, which binds localhost:8080 only
✓ No known supply chain issues: One direct dependency (ioredis) with no known vulnerabilities
✓ No malicious IOC: The 'rm -rf /' IOC in DELIVERY-CHECKLIST.md is in documentation text, not executable code
✓ Legitimate process management: All shell commands (pkill, pgrep, find) are standard ops for cleaning stale processes
✓ File writes are scoped to declared project directories within the workspace