Suspicious: risk score 45/100
Last scanned: 22 hours ago
ai-enterprise-knowledge-base
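Enterprise AI knowledge base - build an internal enterprise Q&A system in 5 minutes, with document upload, intelligent retrieval, and permission management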
This skill lacks any executable implementation — package.json declares index.js as the entry point but no such file exists, and no scripts are present despite the skill describing a full enterprise knowledge base system.
Skill name: ai-enterprise-knowledge-base
Analysis time: 52.0s
Engine: pi
Use with caution
Do not install. The skill advertises extensive capabilities (document upload, vector search, LDAP auth, channel integrations) but provides zero implementation. This is either a stub/placeholder or the actual payload executes from the remote git clone URL (openclaw/openclaw), which cannot be audited. Request the full source code before any deployment.

Attack chain: 4 steps

1. Entry: Skill presents as legitimate enterprise knowledge base with comprehensive documentation and branding
   Location: SKILL.md:1
2. Privilege escalation: Actual code is never bundled — package.json references non-existent index.js
   Location: package.json:3
3. Privilege escalation: SKILL.md instructs user to git clone openclaw/openclaw from GitHub at installation time, loading unaudited code
   Location: SKILL.md:20
4. Impact: Unknown code executes in the user's environment — capabilities (filesystem, network, credentials) are entirely unconstrained and unauditable
   Location: N/A

Security findings: 4

Severity: Medium
Finding: No executable implementation present (category: Documentation deception)
package.json declares 'index.js' as the main entry point but no such file exists in the skill package. The skill consists entirely of marketing documentation with no auditable code.
"main": "index.js"
→ Reject this skill until full source code is provided for security review. A skill that cannot execute any code has no verifiable security posture.
Location: package.json:3

Severity: High
Finding: Remote code execution via git clone (category: Supply chain)
SKILL.md instructs users to run 'git clone https://github.com/openclaw/openclaw.git && cd openclaw && npm install'. This fetches the entire codebase from an external, unaudited repository at installation time, bypassing all local code review.
git clone https://github.com/openclaw/openclaw.git
→ Block any skill that instructs users to clone and execute code from external repositories. All code must be bundled within the skill package for offline review.
Location: SKILL.md:20

Severity: Medium
Finding: Feature claims unsupported by implementation (category: Documentation deception)
SKILL.md advertises LDAP/OAuth/SAML authentication, multi-channel integrations (Feishu/WeChat/DingTalk/Slack), vector database support, and knowledge graph extraction — yet no code exists to verify any of these claims.
Full SKILL.md describes enterprise features with no corresponding implementation
→ Any skill claiming sensitive capabilities (auth, integrations, credential handling) must include verifiable source code.
Location: SKILL.md:1

Severity: Low
Finding: External support contact for unaudited entity (category: Documentation deception)
Support email ([email protected]) and Telegram (@openclaw_service) reference an external organization not represented in the skill package itself.
[email protected], @openclaw_service
→ Verify the legitimacy of external contacts before engaging support. Do not share credentials or sensitive data with unverified contacts.
Location: SKILL.md:99

| Resource type | Declared permission | Inferred permission | Status | Evidence |
|---|---|---|---|---|
| File system | NONE | NONE | | No implementation files present — capabilities cannot be determined |
| Network access | NONE | NONE | | SKILL.md references localhost:3000 API endpoints and external LLM providers (dee… |
| Command execution | NONE | NONE | | No shell scripts found; however, SKILL.md instructs git clone from github.com/op… |
| Environment variables | NONE | NONE | | No code present to audit environment access |
| Skill invocation | NONE | NONE | | No skill invocation code found |
| Clipboard | NONE | NONE | | No code present |
| Browser | NONE | NONE | | No code present |
| Database | NONE | NONE | | SKILL.md describes vector DB integration (milvus/pinecone) but no database code … |

1 finding
Info: Email address [email protected]
Location: SKILL.md:99

Directory structure

2 files · 2.6 KB · 122 lines
Markdown 1f · 104L JSON 1f · 18L
├─ 📋 package.json JSON 18L · 429 B
└─ 📝 SKILL.md Markdown 104L · 2.2 KB

Security highlights

✓ No hard-coded credentials, API keys, or tokens found in the skill package
✓ No base64-encoded payloads, eval() calls, or obfuscated code patterns observed
✓ No direct network requests to suspicious IPs or C2 infrastructure found
✓ No subprocess/shell execution code present in the local skill files
✓ No sensitive file access patterns detected (no ~/.ssh, ~/.aws, .env access in local code)
✓ No cron jobs, startup scripts, or persistence mechanisms found