openclaw-mobile-gateway-installer 安全扫描报告 — 低风险 | ClawSafe

25 /100

openclaw-mobile-gateway-installer

Installs and manages OpenClaw mobile gateway as a systemd service. Provides a mobile-friendly HTTP API for managing models, channels, agents, skills, routing, healing policies, and chat sessions.

A legitimate gateway installer that performs standard deployment operations (systemd service management, npm install, Express HTTP server) but fails to declare its shell and filesystem WRITE capabilities in SKILL.md, creating a doc-to-code mismatch. The pre-scan's critical IOC flag on uninstall.sh line 11 is a false positive — the actual command is `sudo rm -rf "${INSTALL_DIR}"` with INSTALL_DIR defaulted to a scoped path, not a root-destroying `rm -rf /`.

技能名称openclaw-mobile-gateway-installer

分析耗时92.6s

引擎pi

✓

可以安装

Add explicit capability declarations to SKILL.md: declare shell:WRITE for systemctl/journalctl/openclaw CLI invocations, filesystem:WRITE for service/unit file creation, and network:READ for health probing. Consider narrowing the uninstall script's rm -rf scope to individual subdirectories instead of the top-level install directory to prevent accidental data loss.

安全发现 7 项

严重性	安全发现	位置
中危	Shell execution capability not declared in SKILL.md 文档欺骗 SKILL.md provides zero capability declarations. The skill executes shell commands via execFileSync (systemctl start/stop/restart, journalctl, openclaw CLI) and install.sh calls systemctl/npm directly, but filesystem:WRITE and shell:WRITE are not listed in SKILL.md. A user reviewing the documentation would have no indication of the elevated permissions required. `execFileSync('systemctl', [...]) in execSystemctl/getGatewayServiceStatus/controlGatewayService; execFileSync('journalctl', [...]) in getGatewayLogs; execFileSync('openclaw', [...]) in applyQuickAction/getTokenStats` → Add to SKILL.md: '## Required Capabilities: shell:WRITE (for systemd service management via systemctl/journalctl), filesystem:WRITE (for service file installation), environment:READ (for OPENCLAW_* env vars)'	`services.ts:1`
中危	Network access not declared in SKILL.md 文档欺骗 The skill probes external OpenClaw targets via HTTP fetch() and has pre-configured target domains (alpha.openclaw.local, beta.openclaw.local, prod.openclaw.local, openclaws.gdcp.edu.cn) in store.ts. While network:READ is a reasonable inference, it is not explicitly declared. `apiBaseUrl: 'https://alpha.openclaw.local/api' at store.ts:12 and 'https://openclaws.gdcp.edu.cn' at store.ts:36` → Add network:READ declaration in SKILL.md listing the expected external endpoints	`store.ts:12`
中危	Install script writes to system directories without declaration 权限提升 install.sh uses sudo to write systemd unit files to /etc/systemd/system/ and env files to /etc/openclaw-mobile-gateway. These filesystem:WRITE operations to privileged system directories are not declared in SKILL.md. The install script also runs npm install which executes arbitrary third-party install scripts. `sudo tee /etc/systemd/system/${SERVICE_NAME}.service >/dev/null <<EOF [...]` → Document that the install script requires sudo privileges and writes to /etc/systemd and /etc/openclaw-mobile-gateway	`install.sh:40`
中危	Sensitive configuration file access without declaration 敏感访问 services.ts reads the user's OpenClaw config file (default: ~/.openclaw/openclaw.json) which may contain provider API keys, channel credentials (e.g., Feishu appId/appSecret), and agent configurations. This sensitive data is merged into the gateway's runtime state. SKILL.md does not mention reading from the user's .openclaw configuration directory. `const homeDir = process.env.HOME ?? process.env.USERPROFILE ?? os.homedir(); return path.join(homeDir, '.openclaw', 'openclaw.json')` → Document that the skill reads and merges configuration from ~/.openclaw/openclaw.json. Clarify that API keys from provider configs are loaded for model routing but are not exfiltrated.	`services.ts:19`
低危	Installs a systemd service for persistence 持久化 install.sh registers openclaw-mobile-gateway as a systemd service with Restart=always, creating a persistent background service. This is appropriate for a gateway but represents persistence behavior that is not declared. `Restart=always RestartSec=3` → Declare in SKILL.md that the skill installs a systemd service for persistence as part of its installation lifecycle	`install.sh:62`
低危	npm install without lockfile enforcement 供应链 install.sh runs 'npm install --omit=optional' in the target directory, installing dependencies from package.json without checking for a package-lock.json. While dependencies are pinned with caret ranges (^2.8.5, ^4.19.2, ^3.23.8), the lack of lockfile enforcement means different versions could be installed across runs. `npm install --omit=optional` → Add package-lock.json to the backend/ directory or pin exact versions in package.json to ensure reproducible builds	`install.sh:35`
低危	Uninstall script rm -rf scoped but lacks per-file safety 文档欺骗 uninstall.sh uses 'sudo rm -rf "${INSTALL_DIR}"' to remove the entire install tree. While this is correctly scoped to /opt/openclaw-mobile-gateway (not /), a more defensive approach would iterate through and delete individual files/directories rather than the top-level tree, preventing accidental complete removal of data stored under the install path. `sudo rm -rf "${INSTALL_DIR}"` → Replace the blanket rm -rf with targeted removals: rm -rf "${INSTALL_DIR}/apps", "${INSTALL_DIR}/data", etc., to prevent unintended data loss if INSTALL_DIR is ever misconfigured	`uninstall.sh:11`

资源类型	声明权限	推断权限	状态	证据
命令执行	`NONE`	`WRITE`	✗ 越权	services.ts:execFileSync systemctl/journalctl; install.sh:systemctl/nm; check.sh…
文件系统	`NONE`	`WRITE`	✗ 越权	install.sh:mkdir/tee to /etc/systemd and /etc/openclaw-mobile-gateway
网络访问	`READ`	`READ`	✓ 一致	services.ts:fetch() probing OpenClaw targets; read-only probing documented
环境变量	`NONE`	`READ`	✗ 越权	services.ts:process.env.OPENCLAW_* reads; install.sh env propagation
技能调用	`NONE`	`NONE`	—	No skill_invoke detected
剪贴板	`NONE`	`NONE`	—	No clipboard access detected
浏览器	`NONE`	`NONE`	—	No browser access detected
数据库	`NONE`	`NONE`	—	No database access detected

1 严重 8 项发现

💀

严重危险命令危险 Shell 命令

rm -rf /

uninstall.sh:11

🔗

中危外部 URL 外部 URL

https://openclaw.example.com

README.md:15

🔗

中危外部 URL 外部 URL

https://openclaws.example.com

SKILL.md:29

🔗

中危外部 URL 外部 URL

http://127.0.0.1:4800/health

SKILL.md:47

🔗

中危外部 URL 外部 URL

https://alpha.openclaw.local/api

backend/src/store.ts:12

🔗

中危外部 URL 外部 URL

https://beta.openclaw.local/api

backend/src/store.ts:20

🔗

中危外部 URL 外部 URL

https://prod.openclaw.local/api

backend/src/store.ts:28

🔗

中危外部 URL 外部 URL

https://openclaws.gdcp.edu.cn

backend/src/store.ts:36

目录结构

14 文件 · 93.4 KB · 3230 行

TypeScript 7f · 2954L Shell 3f · 131L Markdown 2f · 95L JSON 2f · 50L

├─ ▾ 📁 backend

│ ├─ ▾ 📁 src

│ │ ├─ 📜 app.ts TypeScript 576L · 15.6 KB

│ │ ├─ 📜 index.ts TypeScript 8L · 209 B

│ │ ├─ 📜 schemas.ts TypeScript 252L · 6.6 KB

│ │ ├─ 📜 services.ts TypeScript 1643L · 53.1 KB

│ │ ├─ 📜 store.ts TypeScript 231L · 6.2 KB

│ │ ├─ 📜 types.ts TypeScript 240L · 4.4 KB

│ │ └─ 📜 utils.ts TypeScript 4L · 156 B

│ ├─ 📋 package.json JSON 29L · 670 B

│ └─ 📋 tsconfig.json JSON 21L · 368 B

├─ 🔧 check.sh Shell 29L · 735 B

├─ 🔧 install.sh Shell 88L · 2.8 KB

├─ 📝 README.md Markdown 43L · 882 B

├─ 📝 SKILL.md Markdown 52L · 1.3 KB

└─ 🔧 uninstall.sh Shell 14L · 450 B

依赖分析 4 项

包名	版本	来源	已知漏洞	备注
`express`	`^4.19.2`	npm	否	Caret range; last stable minor version
`cors`	`^2.8.5`	npm	否	Well-maintained middleware
`zod`	`^3.23.8`	npm	否	Schema validation library; pinned
`tsx`	`^4.16.2`	npm	否	devDependency only; unpinned major version

安全亮点

✓ No credential harvesting or exfiltration detected — API keys from config are loaded for model routing only and remain local

✓ No obfuscation or base64-encoded payloads found in the codebase

✓ No reverse shell, C2 communication, or data theft patterns observed

✓ All shell executions (systemctl, journalctl, openclaw CLI) are for legitimate deployment and service management

✓ Input validation via Zod schemas prevents injection attacks on all HTTP API endpoints

✓ Token generation uses crypto.randomBytes for secure random token values

✓ Dependency versions are reasonably pinned (express ^4.19.2, zod ^3.23.8, cors ^2.8.5)

✓ No curl|bash or wget|sh remote script execution patterns

✓ uninstall.sh does NOT contain 'rm -rf /' — the pre-scan IOC was a false positive; actual command is scoped to ${INSTALL_DIR}

✓ The skill's actual functionality matches its described purpose as a gateway installer