Low risk: risk score 20/100
Last scan: 21 hours ago
nginx-explorer
Explore nginx-proxied directories to discover tools and utilities
The skill is a legitimate nginx directory explorer with mostly correct documentation. The two pre-flagged rm commands are uninstall examples in documentation context, not malicious code execution.
Skill name: nginx-explorer
Analysis time: 29.7s
Engine: pi
Verdict: can be installed
The skill is safe to use. The NGINX_SKIP_SSL_VERIFY default of true could be documented more prominently for users on untrusted networks.

Security findings: 3

Finding 1 (Low, sensitive access): SSL verification disabled by default
  Location: SKILL.md:12
  NGINX_SKIP_SSL_VERIFY defaults to true, disabling SSL certificate verification. This enables man-in-the-middle attacks on the nginx connection.
  Evidence: NGINX_SKIP_SSL_VERIFY: description: Skip SSL certificate verification (useful for internal networks with self-signed certificates)
  → Consider defaulting to false and requiring explicit opt-in for self-signed certs. Document the security implications.

Finding 2 (Low, documentation deception): Undeclared file write capability
  Location: SKILL.md:89
  SKILL.md declares network:READ only, but the examples show downloading tools to /tmp, which implies filesystem:WRITE. This is minor since it is user-initiated and documented in the examples.
  Evidence: curl -o /tmp/tool.sh "$NGINX_URL/tool-directory/tool.sh"
  → Add filesystem:WRITE to the declared capabilities if tool downloads are considered part of the skill's core functionality.

Finding 3 (Info, sensitive access): False positive: rm commands in documentation
  Location: INSTALLATION.md:180
  The pre-scan flagged rm -rf ~ and rm -rf / at lines 180/183. These are uninstall command examples in the INSTALLATION.md documentation, not executable code.
  Evidence: rm -rf ~/.openclaw/skills/nginx-explorer
  → No action needed. This is documentation context for skill removal, not malicious behavior.
Resource type | Declared permission | Inferred permission | Status | Evidence
Network access | READ | READ | ✓ Consistent | curl commands throughout SKILL.md
Filesystem | NONE | WRITE | ✓ Consistent | Downloads to /tmp (documented in examples)
Command execution | NONE | NONE | | chmod +x mentioned in docs but no actual shell execution in skill
Pattern findings: 8 (2 critical)
💀 Critical · dangerous shell command: rm -rf ~ (INSTALLATION.md:180)
💀 Critical · dangerous shell command: rm -rf / (INSTALLATION.md:183)
🔗 Medium · external URL: http://apt_nginx (INSTALLATION.md:55)
🔗 Medium · external URL: http://apt_nginx/ (INSTALLATION.md:86)
🔗 Medium · external URL: https://docs.openclaw.ai (INSTALLATION.md:192)
🔗 Medium · external URL: https://discord.com/invite/clawd (INSTALLATION.md:193)
🔗 Medium · external URL: http://192.168.1.100:8080 (SKILL.md:12)
🔗 Medium · external URL: http://internal-tools.local (SKILL.md:12)

Directory structure

3 files · 15.0 KB · 590 lines
Markdown: 3 files · 590 lines
├─ 📝 INSTALLATION.md  Markdown  192 lines · 3.7 KB
├─ 📝 README.md        Markdown  125 lines · 3.6 KB
└─ 📝 SKILL.md         Markdown  273 lines · 7.7 KB

Security highlights

✓ SKILL.md documentation is comprehensive and accurately describes capabilities
✓ No hidden functionality or obfuscated code found
✓ Skill requires only curl; no additional dependencies
✓ Security considerations section exists with advice to validate scripts
✓ No credential harvesting or sensitive path access
✓ No network exfiltration or C2 communication patterns
✓ Tool download is intentional and documented with user control