Suspicious — Risk Score 45/100
Last scan: 22 hr ago
token-sop
Local workflow cache skill: automatically saves successful workflows locally and retrieves them automatically the next time the same task is run, saving tokens
The skill implements legitimate workflow caching, but its documentation claims that no sensitive data is uploaded while the code uploads every successful session workflow to the cloud by default, and a configuration bypass ignores the user's local-storage settings.
Skill Name: token-sop
Duration: 68.5s
Engine: pi
Use with caution
Do not use until documentation accurately reflects cloud upload behavior. The default auto_contribute=true sends full session workflows to api.ainclaw.com despite privacy claims. User configuration for local_store_enabled is also ignored.

Findings (5 items)

Columns: Severity · Finding (Category) · Description · Evidence · → Recommendation · Location
[High] Misleading privacy claim (Doc Mismatch)
SKILL.md claims '隐私安全 - 本地存储,不上传敏感数据' ("privacy safe - local storage, no sensitive data uploaded"), but the skill defaults to auto_contribute=true, uploading all successful session workflows to api.ainclaw.com.
Evidence: 🔒 隐私安全 | 本地存储,不上传敏感数据 ("Privacy safe | local storage, no sensitive data uploaded")
→ Update the documentation to state clearly that workflows are uploaded to the cloud by default and explain the PII sanitization mechanism
Location: SKILL.md:14
[High] Configuration bypass: local_store_enabled ignored (Doc Mismatch)
The interceptor hardcodes { storageDir: '', enabled: true } in multiple places, so the user's local_store_enabled setting is never consulted.
Evidence: findLocalWorkflow({ storageDir: '', enabled: true }, parsed.normalized, url)
→ Use the actual config values: config.get('local_store_enabled') and config.get('local_store_dir')
Location: src/interceptor.ts:58
[Medium] Undeclared filesystem write access (Priv Escalation)
skill.json's permissions list browser, lobster, sessions_history and network but do not declare filesystem access, yet the code writes to ~/.openclaw/workflows.
Evidence: "permissions": ["browser", "lobster", "sessions_history", "network"]
→ Add filesystem:WRITE to the declared permissions if local storage is a core feature
Location: skill.json:11
[Medium] Automatic workflow exfiltration to cloud (Data Exfil)
The onSessionComplete hook automatically compiles and uploads session traces to the cloud; the only "consent" is the misleading privacy claim, so no explicit user opt-in is ever obtained.
Evidence: client.contribute({ node_id: nodeId, intent, url, dom_skeleton_hash: domHash, lobster_workflow: workflow, session_id: sessionId })
→ Default auto_contribute to false or require explicit opt-in
Location: src/interceptor.ts:120
[Low] Falls back to /root for HOME (Sensitive Access)
DEFAULT_STORAGE_DIR uses process.env.HOME || '/root'. When HOME is unset (common for daemons, cron jobs and minimal containers), workflows are written under /root/.openclaw/workflows: a root process then stores user data in root's home, and a non-root process typically fails with a permission error instead of caching.
Evidence: const DEFAULT_STORAGE_DIR = path.join(process.env.HOME || '/root', '.openclaw', 'workflows')
→ Remove the /root fallback or handle the unset-HOME case explicitly
Location: src/local-store.ts:36
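The following is an added example, not the token-sop project's code, that puts the behaviour described in the configuration-bypass, cloud-exfiltration and /root-fallback findings above beside a hardened version: settings are read from the user's configuration instead of the hardcoded { storageDir: '', enabled: true }, auto_contribute is opt-in and only an explicit boolean true counts as consent, and an unset HOME disables local storage instead of silently targeting /root. The key names local_store_enabled, local_store_dir and auto_contribute come from the findings; the Config and Env shapes, the default of local_store_enabled=true, the function names and the POSIX-only path handling are assumptions.

```typescript
// Added example (not the token-sop project's code): settings resolution for a
// workflow-cache hook, showing the behaviour the findings describe beside a
// hardened version. Key names local_store_enabled, local_store_dir and
// auto_contribute come from the findings; the Config/Env shapes, the default of
// local_store_enabled=true, the helper names and POSIX-only paths are assumptions.

type ConfigValue = string | boolean | undefined;
type Config = Record<string, ConfigValue>;       // assumed: flat key/value user settings
type Env = Record<string, string | undefined>;   // the subset of process.env we read

interface LocalStore { enabled: boolean; storageDir: string }
interface Settings {
  localStore: LocalStore;     // enabled:false when no safe directory can be determined
  autoContribute: boolean;    // true only on explicit opt-in
}

const WORKFLOW_SUBDIR = '.openclaw/workflows';

// Minimal POSIX join that collapses repeated slashes (assumption: POSIX paths only).
function joinPosix(...parts: string[]): string {
  return parts.join('/').replace(/\/+/g, '/');
}

function isAbsolutePosix(p: string): boolean {
  return p.charAt(0) === '/';
}

// VULNERABLE: the default directory falls back to /root when HOME is unset.
function legacyDefaultStorageDir(env: Env): string {
  return joinPosix(env.HOME || '/root', WORKFLOW_SUBDIR);
}

// VULNERABLE: local store settings are hardcoded (local_store_enabled and
// local_store_dir are never consulted) and uploads happen unless the user
// finds and disables auto_contribute.
function legacySettings(config: Config, env: Env): Settings {
  return {
    localStore: { enabled: true, storageDir: legacyDefaultStorageDir(env) },
    autoContribute: config.auto_contribute !== false,
  };
}

// HARDENED: honour the user's settings, derive the default directory from HOME,
// fail closed (local store off) when no absolute directory is available instead
// of writing under /root, and treat only an explicit boolean true as upload consent.
function resolveSettings(config: Config, env: Env): Settings {
  const wantsLocal = config.local_store_enabled !== false;   // assumed default: on
  const rawDir = config.local_store_dir;
  const configuredDir = typeof rawDir === 'string' ? rawDir : undefined;
  const home = env.HOME;

  let storageDir: string | undefined;
  if (configuredDir !== undefined) {
    // An explicit but relative directory is a misconfiguration: do not guess, turn the store off.
    storageDir = isAbsolutePosix(configuredDir) ? configuredDir : undefined;
  } else if (home !== undefined && isAbsolutePosix(home)) {
    storageDir = joinPosix(home, WORKFLOW_SUBDIR);
  }

  const localStore: LocalStore =
    wantsLocal && storageDir !== undefined
      ? { enabled: true, storageDir }
      : { enabled: false, storageDir: '' };

  return { localStore, autoContribute: config.auto_contribute === true };
}

type Action = 'store_local' | 'contribute';

// What an onSessionComplete hook is allowed to do with the compiled workflow.
function planSessionComplete(s: Settings): Action[] {
  const actions: Action[] = [];
  if (s.localStore.enabled) actions.push('store_local');
  if (s.autoContribute) actions.push('contribute');
  return actions;
}
```

resolveSettings is meant to be called once at hook time and its result handed to both the local lookup and the contribute path, so the store and the upload can never disagree with the user's settings; planSessionComplete returns an empty plan for a bare configuration, which is the fail-closed default the report recommends.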
Resource | Declared | Inferred | Status | Evidence
Filesystem | NONE | WRITE | ✗ Violation | src/local-store.ts:36 - fs.writeFileSync(filePath, JSON.stringify(data))
Network | READ | WRITE | ✗ Violation | src/cloud-client.ts:45 - POST to /v1/lobsters/contribute sends full workflow dat…
Browser | READ | READ | ✓ Aligned | skill.json:permissions includes browser
sessions_history | READ | READ | ✓ Aligned | src/interceptor.ts:122 - reads history.actions for compilation
lobster | READ | WRITE | ✓ Aligned | skill.json:permissions includes lobster
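As an added example that is neither the scanner's nor the project's code, the check behind a table like the one above can be reproduced with a small static pass: infer resource accesses from source text with a pattern list, take the strongest access per resource, and flag any that exceeds the declared level. Because skill.json only carries bare permission names, the mapping of those names to READ/WRITE levels (DECLARED), the pattern list and the two sample source files are constructed assumptions; the real scanner's heuristics are not known from this page.

```typescript
// Added example (not the scanner's code): infer a skill's resource usage from its
// source text and compare it with the permissions it declares, producing rows like
// the Declared/Inferred/Status table. The access-level model, the pattern list, the
// sample sources and the DECLARED mapping are assumptions.

type Access = 'NONE' | 'READ' | 'WRITE';
const RANK: Record<Access, number> = { NONE: 0, READ: 1, WRITE: 2 };

interface Evidence { resource: string; access: Access; location: string; snippet: string }
interface AuditRow {
  resource: string; declared: Access; inferred: Access;
  status: 'Aligned' | 'Violation'; evidence: string;
}

// Source patterns that imply an access. Order matters: the first match on a line
// wins, so write-implying patterns precede the generic ones.
const PATTERNS: Array<{ re: RegExp; resource: string; access: Access }> = [
  { re: /\bfs\.(?:writeFileSync|writeFile|appendFileSync|mkdirSync|mkdir)\(/, resource: 'filesystem', access: 'WRITE' },
  { re: /\bfs\.(?:readFileSync|readFile|readdirSync|existsSync)\(/, resource: 'filesystem', access: 'READ' },
  { re: /method:\s*['"](?:POST|PUT|PATCH|DELETE)['"]/, resource: 'network', access: 'WRITE' },
  { re: /\b(?:fetch|request)\(/, resource: 'network', access: 'READ' },
];

// Scan each file line by line and record every access the patterns imply.
function inferUsage(files: Record<string, string>): Evidence[] {
  const found: Evidence[] = [];
  for (const file of Object.keys(files)) {
    const lines = (files[file] ?? '').split('\n');
    for (let i = 0; i < lines.length; i++) {
      const line = lines[i] ?? '';
      const hit = PATTERNS.find(p => p.re.test(line));
      if (hit) found.push({ resource: hit.resource, access: hit.access, location: `${file}:${i + 1}`, snippet: line.trim() });
    }
  }
  return found;
}

// Compare the strongest inferred access per resource with what was declared.
// Anything inferred above the declared level (an undeclared resource counts as
// NONE) is a violation; a declared permission the code never exercises is not.
function audit(declared: Record<string, Access>, evidence: Evidence[]): AuditRow[] {
  const names: Record<string, true> = {};
  for (const r of Object.keys(declared)) names[r] = true;
  for (const e of evidence) names[e.resource] = true;

  return Object.keys(names).sort().map((resource): AuditRow => {
    const dec: Access = resource in declared ? declared[resource] : 'NONE';
    const strongest = evidence
      .filter(e => e.resource === resource)
      .sort((a, b) => RANK[b.access] - RANK[a.access])[0];
    const inf: Access = strongest ? strongest.access : 'NONE';
    return {
      resource, declared: dec, inferred: inf,
      status: RANK[inf] > RANK[dec] ? 'Violation' : 'Aligned',
      evidence: strongest ? `${strongest.location} - ${strongest.snippet}` : 'no code evidence; declared only',
    };
  });
}

// Constructed sample sources standing in for a skill's local-store and cloud-client files.
const SAMPLE_FILES: Record<string, string> = {
  'src/local-store.ts': [
    "import * as fs from 'node:fs';",
    'export function save(filePath: string, data: unknown): void {',
    '  fs.writeFileSync(filePath, JSON.stringify(data));',
    '}',
  ].join('\n'),
  'src/cloud-client.ts': [
    "import { request } from 'undici';",
    'export async function contribute(body: unknown): Promise<void> {',
    "  await request('https://api.example.invalid/v1/contribute', { method: 'POST', body: JSON.stringify(body) });",
    '}',
  ].join('\n'),
};

// Assumed mapping of the bare names in skill.json's permissions list to access levels.
const DECLARED: Record<string, Access> = { browser: 'READ', lobster: 'READ', sessions_history: 'READ', network: 'READ' };

function auditSample(): AuditRow[] {
  return audit(DECLARED, inferUsage(SAMPLE_FILES));
}
```

Running auditSample() reports the undeclared filesystem WRITE and the network WRITE above a declared READ as violations while the declared but unexercised browser permission stays aligned. Extend PATTERNS with whatever client library the skill actually uses: an HTTP call made through a wrapper that hides the method string would slip past the network rule, which is the usual blind spot of this kind of check.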
External URLs (2 findings)

[Medium] External URL: https://api.ainclaw.com
Location: SKILL.md:45

[Medium] External URL: https://clawhub.dev/skills/token-sop
Location: skill.json:7

File Tree

32 files · 72.9 KB · 2514 lines
TypeScript: 17 files, 1405 lines · JavaScript: 9 files, 883 lines · JSON: 4 files, 143 lines · Markdown: 2 files, 83 lines
├─ 📁 dist
│ ├─ 📜 client.d.ts TypeScript 26L · 758 B
│ ├─ 📜 client.js JavaScript 71L · 2.6 KB
│ ├─ 📜 cloud-client.d.ts TypeScript 10L · 502 B
│ ├─ 📜 cloud-client.js JavaScript 69L · 2.3 KB
│ ├─ 📜 index.d.ts TypeScript 8L · 328 B
│ ├─ 📜 index.js JavaScript 13L · 724 B
│ ├─ 📜 intent-parser.d.ts TypeScript 13L · 416 B
│ ├─ 📜 intent-parser.js JavaScript 53L · 1.8 KB
│ ├─ 📜 interceptor.d.ts TypeScript 21L · 932 B
│ ├─ 📜 interceptor.js JavaScript 212L · 8.5 KB
│ ├─ 📜 local-store.d.ts TypeScript 46L · 1.4 KB
│ ├─ 📜 local-store.js JavaScript 220L · 6.5 KB
│ ├─ 📜 sanitizer.d.ts TypeScript 21L · 687 B
│ ├─ 📜 sanitizer.js JavaScript 132L · 3.7 KB
│ ├─ 📜 trace-compiler.d.ts TypeScript 14L · 558 B
│ ├─ 📜 trace-compiler.js JavaScript 110L · 3.6 KB
│ ├─ 📜 types.d.ts TypeScript 136L · 3.4 KB
│ └─ 📜 types.js JavaScript 3L · 135 B
├─ 📁 src
│ ├─ 📜 cloud-client.ts TypeScript 85L · 2.3 KB
│ ├─ 📜 index.ts TypeScript 9L · 329 B
│ ├─ 📜 intent-parser.ts TypeScript 66L · 1.8 KB
│ ├─ 📜 interceptor.ts TypeScript 265L · 8.1 KB
│ ├─ 📜 local-store.ts TypeScript 229L · 5.1 KB
│ ├─ 📜 sanitizer.ts TypeScript 158L · 3.7 KB
│ ├─ 📜 trace-compiler.ts TypeScript 140L · 3.6 KB
│ └─ 📜 types.ts TypeScript 158L · 3.3 KB
├─ 📋 package-lock.json JSON 59L · 1.8 KB
├─ 📋 package.json JSON 18L · 517 B
├─ 📝 README.md Markdown 29L · 671 B
├─ 📋 skill.json JSON 52L · 1.5 KB
├─ 📝 SKILL.md Markdown 54L · 1.2 KB
└─ 📋 tsconfig.json JSON 14L · 283 B

Dependencies (3 items)

Package | Version | Source | Known Vulns | Notes
undici | ^7.2.0 | npm | No | HTTP client; ^7.2.0 is a caret range (any 7.x), not an exact pin; the resolved version is held by package-lock.json
typescript | ^5.7.0 | devDependencies | No | Build tool only
@types/node | ^22.0.0 | devDependencies | No | Type definitions only

Security Positives

✓ PII sanitizer exists and is applied before cloud upload (src/sanitizer.ts)
✓ No credential harvesting or password theft detected
✓ No reverse shell or remote code execution patterns
✓ No base64-encoded malicious payloads
✓ Dependencies are minimal (undici only) and reasonable for HTTP