Low risk: risk score 18/100
Last scan: 2 days ago
communityos-lite
Simple Telegram Bot management with LLM and knowledge base. Local-only, no external dependencies.
CommunityOS-Lite is a legitimate Telegram bot management tool with clear security documentation. No malicious behavior detected - all sensitive operations (subprocess, network, env access) are documented or necessary for core functionality.
Skill name: communityos-lite
Analysis time: 59.4s
Engine: pi
Verdict: OK to install
Accept for use. Consider enabling authentication via reverse proxy if exposing beyond localhost. Pin all dependency versions for reproducibility.

Security findings (3)

[Low] Unpinned Dependencies (requirements.txt:1)
requests==2.31.0, fastapi==0.109.0, uvicorn[standard]==0.27.0 lack upper version bounds. chromadb==0.4.22 has known CVEs (CVE-2024-3755).
Evidence:
fastapi==0.109.0
uvicorn[standard]==0.27.0
→ Pin maximum versions: requests>=2.31.0,<2.32.0; fastapi>=0.109.0,<0.110.0. Consider upgrading chromadb.

[Info] Missing LLM Module (bot_engine/bot_instance.py:77)
bot_engine/llm.py is imported but not present in the codebase. LLM features will fail.
Evidence:
from bot_engine.llm import LLMFactory
→ Include the LLM factory module or document it as a separate package dependency.

[Info] API Key Stored in Config (admin/app.py:680)
The LLM API key is stored in admin/data/llm_config.json when the user saves it via the UI. Documented as local-only.
Evidence:
save_json('llm_config', config)
→ Document this clearly; consider using a secrets manager for production deployments.
Permission analysis (4)

Resource type | Declared permission | Inferred permission | Status | Evidence
File system | WRITE | WRITE | ✓ Consistent | SKILL.md: Creates JSON configs, knowledge base files
Network access | READ | READ | ✓ Consistent | SKILL.md: 'Outbound Network - Makes calls to Telegram API and LLM providers'
Command execution | WRITE | WRITE | ✓ Consistent | admin/app.py:1130 - subprocess.Popen starts telegram_runner.py
Environment variables | READ | READ | ✓ Consistent | SKILL.md: Lists TELEGRAM_BOT_TOKEN, MINIMAX_API_KEY etc.
External URL findings (6)

Severity | Type | URL | Location
Medium | External URL | http://127.0.0.1:8877/lite | SKILL.md:52
Medium | External URL | https://api.example.com/news | admin/app.py:142
Medium | External URL | https://feeds.example.com/web3 | admin/app.py:164
Medium | External URL | https://api.telegram.org/bot | admin/app.py:463
Medium | External URL | https://your-domain/api/telegram/webhook/ | admin/app.py:1208
Medium | External URL | https://api.example.com/v1 | admin/lite.html:167

Directory structure

14 files · 107.4 KB · 2667 lines
Python: 6 files, 1823 lines · HTML: 3 files, 554 lines · JSON: 2 files, 145 lines · Markdown: 2 files, 138 lines · Text: 1 file, 7 lines
├─ 📁 admin
│ ├─ 📁 templates
│ │ ├─ 📄 index.html HTML 6L · 154 B
│ │ └─ 📄 login.html HTML 19L · 568 B
│ ├─ 🐍 app.py Python 1321L · 59.8 KB
│ ├─ 📄 lite.html HTML 529L · 21.0 KB
│ └─ 🐍 telegram_runner.py Python 159L · 5.6 KB
├─ 📁 bot_engine
│ ├─ 🐍 __init__.py Python 1L · 25 B
│ ├─ 🐍 bot_instance.py Python 117L · 3.9 KB
│ ├─ 🐍 config_parser.py Python 63L · 2.3 KB
│ └─ 🐍 manager.py Python 162L · 6.3 KB
├─ 📁 config
│ └─ 📋 openclaw.json JSON 131L · 3.7 KB
├─ 📋 _meta.json JSON 14L · 487 B
├─ 📝 README.md Markdown 69L · 1.6 KB
├─ 📄 requirements.txt Text 7L · 129 B
└─ 📝 SKILL.md Markdown 69L · 1.9 KB

Dependency analysis (4)

Package | Version | Source | Known vulnerabilities | Notes
chromadb | 0.4.22 | pip | CVE-2024-3755 | Upgrade to >=0.5.0 recommended
requests | 2.31.0 | pip | - | Version pinned but no upper bound
fastapi | 0.109.0 | pip | - | Version pinned but no upper bound
uvicorn | 0.27.0 | pip | - | Version pinned but no upper bound

Security highlights

✓ SKILL.md explicitly documents all security-relevant behaviors
✓ Local-only binding (127.0.0.1:8877) is enforced and documented
✓ No authentication bypass hidden from user - clearly warned in SKILL.md
✓ No obfuscation, base64 payloads, or reverse shell patterns
✓ No exfiltration of credentials to third-party endpoints
✓ API keys sourced from environment variables (not hardcoded)
✓ File operations are scoped to skill's working directory