claw-body 安全扫描报告 — 可疑 | ClawSafe

45 /100

claw-body

Give your Claw a body! Turn your AI Claw into a real-time digital avatar with face, voice, and expressions powered by NuwaAI

Skill provides legitimate digital avatar functionality but uses undeclared shell execution via execSync for presentation parsing, creating a capability gap between documented and actual behavior.

技能名称claw-body

分析耗时40.0s

引擎pi

⚠

谨慎使用

Declare shell:WRITE permission in SKILL.md metadata if execSync is required for presentation parsing, or refactor to avoid subprocess execution.

安全发现 4 项

严重性	安全发现	位置
高危	Undeclared shell execution via execSync server.mjs uses child_process.execSync to execute python3 scripts for presentation parsing. This is not declared in SKILL.md metadata (which only lists 'node' as required binary). const { execSync } = await import('child_process'); const result = execSync(`python3 "${scriptPath}" "${tmpPath}"` → Declare shell:WRITE permission or document this behavior explicitly in SKILL.md	`server.mjs:305`
中危	Demo API key present in source code DEMO_CONFIG contains what appears to be a valid NuwaAI API key for free trial mode. Code comments state these are 'NuwaAI-issued public demo keys with limited quota, NOT user credentials.' `apiKey: "sk-ody1Xk9lw_vXkRWEPnaO8OwTFB9gbCnng2EWUl5jNbzolDSlFItc9DvWqrr6RLcL"` → Confirm with NuwaAI that these are truly public demo keys with no associated cost or data exposure risk	`server.mjs:34`
低危	Permissive CORS configuration Server sets Access-Control-Allow-Origin to '' for local development. Acceptable for localhost-only service but worth noting. `res.setHeader("Access-Control-Allow-Origin", "");` → Restrict to specific origins in production if deployed outside localhost	`server.mjs:135`
低危	Undeclared filesystem read access Reads ~/.openclaw/openclaw.json for gateway token and config. While this is documented in SKILL.md setup instructions, it's not declared in metadata capability requirements. `const OPENCLAW_CFG_PATH = path.join(process.env.HOME, ".openclaw", "openclaw.json");` → Document filesystem:READ access for OpenClaw config in SKILL.md	`server.mjs:18`

资源类型	声明权限	推断权限	状态	证据
文件系统	`NONE`	`READ`	✓ 一致	server.mjs:18 reads ~/.openclaw/openclaw.json
文件系统	`NONE`	`WRITE`	✓ 一致	server.mjs:56 writes .nuwa-config.json
命令执行	`NONE`	`WRITE`	✗ 越权	server.mjs:305-308 execSync python3 for presentation parsing
网络访问	`READ`	`READ`	✓ 一致	server.mjs:206-215 fetches nuwaai.com API

1 高危 3 项发现

🔑

高危 API 密钥疑似硬编码凭证

apiKey: "sk-ody1Xk9lw_vXkRWEPnaO8OwTFB9gbCnng2EWUl5jNbzolDSlFItc9DvWqrr6RLcL"

server.mjs:34

🔗

中危外部 URL 外部 URL

https://nuwaai.com

SKILL.md:25

🔗

中危外部 URL 外部 URL

https://api.nuwaai.com/web/apiKey/auth

server.mjs:215

目录结构

6 文件 · 106.0 KB · 2739 行

HTML 1f · 1680L JavaScript 3f · 862L Markdown 1f · 192L JSON 1f · 5L

├─ ▾ 📁 public

│ ├─ 📜 i18n.js JavaScript 230L · 10.3 KB

│ ├─ 📄 index.html HTML 1680L · 66.3 KB

│ └─ 📜 pcm-processor.js JavaScript 53L · 1.4 KB

├─ 📋 _meta.json JSON 5L · 128 B

├─ 📜 server.mjs JavaScript 579L · 21.5 KB

└─ 📝 SKILL.md Markdown 192L · 6.4 KB

安全亮点

✓ No evidence of credential harvesting or exfiltration

✓ No base64-encoded or obfuscated malicious code patterns

✓ No reverse shell, C2, or data theft indicators

✓ Network requests are to legitimate NuwaAI service (documented and necessary)

✓ Presentation parsing execSync is within documented feature scope

✓ No hidden HTML comments or steganography detected

✓ User API keys are stored in local config file, not hardcoded