openclaw-config-master 安全扫描报告 — 低风险 | ClawSafe

15 /100

openclaw-config-master

Edit and validate OpenClaw Gateway config (openclaw.json / JSON5)

This is a legitimate OpenClaw configuration management skill with proper documentation. The flagged curl|sh pattern is for installing the OpenClaw CLI in CI workflows, not malicious code execution.

技能名称openclaw-config-master

分析耗时28.6s

引擎pi

✓

可以安装

No blocking action required. Consider adding explicit capability declarations to SKILL.md for transparency.

安全发现 2 项

严重性	安全发现	位置
低危	Missing capability declaration 文档欺骗 SKILL.md does not explicitly declare filesystem WRITE and shell WRITE permissions used by the config management scripts `No declared allowed-tools mapping` → Add explicit capability declaration for filesystem WRITE and shell WRITE operations	`SKILL.md:1`
提示	Unpinned remote script in documentation 供应链 The GitHub workflow example downloads OpenClaw installer without version pinning (`curl -fsSL https://get.openclaw.dev \| sh`) `curl -fsSL https://get.openclaw.dev \| sh` → Consider pinning to a specific version for reproducibility: `curl -fsSL https://get.openclaw.dev/v{version} \| sh`	`agents/openai.yaml:8`

资源类型	声明权限	推断权限	状态	证据
文件系统	`READ`	`WRITE`	✓ 一致	Legitimate config backup/restore scripts in scripts/ directory
命令执行	`READ`	`WRITE`	✓ 一致	Scripts invoke openclaw CLI commands for config management
网络访问	`NONE`	`READ`	✓ 一致	Workflow downloads OpenClaw installer from get.openclaw.dev

1 严重 29 项发现

💀

严重危险命令危险 Shell 命令

curl -fsSL https://get.openclaw.dev | sh

references/common-errors.md:462

🔗

中危外部 URL 外部 URL

https://docs.openclaw.ai/gateway/configuration

SKILL.md:61

🔗

中危外部 URL 外部 URL

https://docs.openclaw.ai/gateway/configuration-reference

SKILL.md:62

🔗

中危外部 URL 外部 URL

https://docs.openclaw.ai/cli/config

SKILL.md:63

🔗

中危外部 URL 外部 URL

https://docs.openclaw.ai/cli/update

SKILL.md:64

🔗

中危外部 URL 外部 URL

https://docs.openclaw.ai/cli/channels

SKILL.md:65

🔗

中危外部 URL 外部 URL

https://docs.openclaw.ai/cli/skills

SKILL.md:66

🔗

中危外部 URL 外部 URL

https://docs.openclaw.ai/cli/security

SKILL.md:67

🔗

中危外部 URL 外部 URL

https://docs.openclaw.ai/gateway/models

SKILL.md:68

🔗

中危外部 URL 外部 URL

https://docs.openclaw.ai/gateway/agents

SKILL.md:69

🔗

中危外部 URL 外部 URL

https://docs.openclaw.ai/gateway/tools

SKILL.md:70

🔗

中危外部 URL 外部 URL

https://docs.openclaw.ai/gateway/plugins

SKILL.md:71

🔗

中危外部 URL 外部 URL

https://docs.openclaw.ai/gateway/cron

SKILL.md:72

🔗

中危外部 URL 外部 URL

https://docs.openclaw.ai/gateway/session

SKILL.md:73

🔗

中危外部 URL 外部 URL

https://get.openclaw.dev

references/common-errors.md:462

🔗

中危外部 URL 外部 URL

https://api.yourprovider.com/v1

references/complex-operations.md:87

🔗

中危外部 URL 外部 URL

https://t.me/BotFather

references/complex-operations.md:206

🔗

中危外部 URL 外部 URL

https://t.me/userinfobot

references/complex-operations.md:245

🔗

中危外部 URL 外部 URL

https://open.feishu.cn/

references/complex-operations.md:288

🔗

中危外部 URL 外部 URL

https://discord.com/developers/applications

references/complex-operations.md:494

🔗

中危外部 URL 外部 URL

https://api.slack.com/apps

references/complex-operations.md:525

🔗

中危外部 URL 外部 URL

https://api.search.brave.com

references/complex-operations.md:645

🔗

中危外部 URL 外部 URL

https://api.firecrawl.dev

references/complex-operations.md:650

🔗

中危外部 URL 外部 URL

https://api.perplexity.ai

references/complex-operations.md:654

🔗

中危外部 URL 外部 URL

https://push.example.com

references/complex-operations.md:906

🔗

中危外部 URL 外部 URL

https://api.x.ai

references/openclaw-config-fields.md:431

🔗

中危外部 URL 外部 URL

https://api.moonshot.cn

references/openclaw-config-fields.md:437

🔗

中危外部 URL 外部 URL

https://api.minimaxi.com/anthropic

references/openclaw-config-fields.md:1314

📧

提示邮箱邮箱地址

[email protected]

references/openclaw-config-fields.md:768

目录结构

14 文件 · 202.7 KB · 7843 行

Markdown 7f · 6549L Shell 5f · 1286L JSON 1f · 5L YAML 1f · 3L

├─ ▾ 📁 agents

│ └─ 📋 openai.yaml YAML 3L · 107 B

├─ ▾ 📁 references

│ ├─ 📝 channels-config.md Markdown 466L · 13.1 KB

│ ├─ 📝 common-errors.md Markdown 1336L · 31.9 KB

│ ├─ 📝 complex-operations.md Markdown 1437L · 35.7 KB

│ ├─ 📝 openclaw-config-fields.md Markdown 1680L · 44.7 KB

│ ├─ 📝 schema-sources.md Markdown 86L · 3.9 KB

│ └─ 📝 version-migration.md Markdown 901L · 21.7 KB

├─ ▾ 📁 scripts

│ ├─ 🔧 backup-config.sh Shell 208L · 5.0 KB

│ ├─ 🔧 openclaw-config-check.sh Shell 63L · 1.4 KB

│ ├─ 🔧 restore-config.sh Shell 350L · 8.1 KB

│ ├─ 🔧 validate-config.sh Shell 393L · 8.6 KB

│ └─ 🔧 validate-migration.sh Shell 272L · 6.3 KB

├─ 📋 _meta.json JSON 5L · 141 B

└─ 📝 SKILL.md Markdown 643L · 22.2 KB

安全亮点

✓ No credential harvesting or token theft patterns detected

✓ No data exfiltration or C2 communication

✓ No reverse shell or arbitrary code execution

✓ All shell scripts are documented configuration management tools

✓ No base64-encoded or obfuscated payloads

✓ Scripts use safe patterns (set -euo pipefail, argument parsing)

✓ No sensitive path access (~/.ssh, ~/.aws, .env)

✓ Config backup scripts properly validate before operations