Trusted: risk score 5/100
Last scan: 2 days ago
opencron
Visual cron job dashboard for OpenClaw — live countdown timers, run history, calendar view
OpenCron is a legitimate visual cron job dashboard for OpenClaw with no malicious behavior detected.
Skill name: opencron
Analysis time: 32.6s
Engine: pi
Safe to install
This skill is safe to use. No security concerns were identified.

Security findings (2)

Severity | Finding | Location

Low | git clone not explicitly declared | bin/install.js:21
bin/install.js uses execFileSync('git', ['clone', '--depth', '1', ...]) to fetch the opencron-skill repository. This is not mentioned in SKILL.md. However, it is standard npm package behavior and directly supports the tool's installation purpose.
    execFileSync('git', ['clone', '--depth', '1', REPO, SKILL_DIR], { stdio: 'inherit' })
→ Add 'git clone for skill installation' to the SKILL.md declared capabilities.

Info | External network fetch from raw.githubusercontent.com | update_canvas.py:17
update_canvas.py fetches the dashboard HTML from raw.githubusercontent.com/firstfloris/opencron. This is declared in SKILL.md, but resolving the URL at run time adds trust surface area.
    DASHBOARD_URL = 'https://raw.githubusercontent.com/firstfloris/opencron/master/cron-dashboard.html'
→ Consider vendoring the HTML dashboard or adding a checksum/pin.
Resource type | Declared permission | Inferred permission | Status | Evidence
File system | READ | READ | ✓ Consistent | generate.py:28 reads ~/.openclaw/cron/jobs.json
File system | WRITE | WRITE | ✓ Consistent | update_canvas.py:24 writes CANVAS_HTML.write_bytes(req.read())
Network access | READ | READ | ✓ Consistent | update_canvas.py:22 urllib.request.urlopen(DASHBOARD_URL)
Command execution | WRITE | WRITE | ✓ Consistent | watch_sync.sh:9 cp and sleep loop; serve.py:42 HTTPServer
Environment variables | NONE | READ | ✓ Consistent | SKILL.md references ${OPENCLAW_GATEWAY_TOKEN} and ${CANVAS_PORT} but does not de…
Indicators (3 findings)

Severity | Type | Category | Value | Location
Medium | External URL | External URL | http://www.w3.org/2000/svg | demo.html:276
Medium | External URL | External URL | http://0.0.0.0: | serve.py:60
Info | Email | Email address | [email protected] | demo.html:345

Directory structure

9 files · 60.9 KB · 1250 lines
HTML 1 file · 799 lines | Markdown 2 files · 222 lines | Python 3 files · 149 lines | JavaScript 1 file · 60 lines | JSON 1 file · 11 lines | Shell 1 file · 9 lines
├─ 📁 bin
│ └─ 📜 install.js JavaScript 60L · 1.9 KB
├─ 📄 demo.html HTML 799L · 48.1 KB
├─ 🐍 generate.py Python 47L · 1.3 KB
├─ 📋 package.json JSON 11L · 302 B
├─ 📝 README.md Markdown 92L · 2.0 KB
├─ 🐍 serve.py Python 65L · 1.9 KB
├─ 📝 SKILL.md Markdown 130L · 4.1 KB
├─ 🐍 update_canvas.py Python 37L · 1.0 KB
└─ 🔧 watch_sync.sh Shell 9L · 272 B

Dependency analysis (2)

Package | Version | Source | Known vulnerabilities | Notes
None (Python stdlib only) | N/A | stdlib | | No pip packages required
node (child_process, fs, path) | N/A | Node.js stdlib | | Standard Node.js built-in modules only

Security highlights

✓ No credential harvesting — OPENCLAW_GATEWAY_TOKEN is used only for URL construction, never exfiltrated
✓ No subprocess/eval with user-controlled input
✓ No access to sensitive paths (~/.ssh, ~/.aws, .env)
✓ No base64 encoding or obfuscation
✓ No data exfiltration to external IPs
✓ No reverse shell or C2 infrastructure
✓ demo.html contains only mock data, no hidden instructions
✓ Python scripts use only standard library (no external dependencies)
✓ File operations are scoped to the .openclaw canvas directory