runtime-sentinel 安全扫描报告 — 低风险 | ClawSafe

27 /100

runtime-sentinel

Runtime security guardian for OpenClaw agents — skill integrity hashing, prompt injection detection, credential exposure auditing, network egress monitoring, and process anomaly detection.

runtime-sentinel is a legitimate security auditing tool, but its SKILL.md omits critical capability declarations — shell execution (unzip), process access (walk all /proc), network calls to multiple external services, and local wallet key storage. No malicious behavior found.

技能名称runtime-sentinel

分析耗时97.9s

引擎pi

✓

可以安装

Add complete capability declarations to SKILL.md frontmatter: declare network destinations (VirusTotal, ClawHub, api.runtime-sentinel.dev, mainnet.base.org, x402.org/facilitator), shell:WRITE for unzip during skill extraction, and document wallet storage at ~/.sentinel/. The skill's behavior is defensively legitimate but the documentation mismatch creates risk of false negatives in a ClawSafe audit.

安全发现 6 项

严重性	安全发现	位置
中危	SKILL.md omits network access declaration 文档欺骗 The skill makes HTTP requests to at least 5 external domains (api.runtime-sentinel.dev, clawhub.ai, virustotal.com, x402.org, mainnet.base.org) but SKILL.md declares zero network access and only mentions x402 payment flow as a concept without listing endpoints. `SKILL.md frontmatter: compatibility: { binaries: [sentinel], env: [SENTINEL_WALLET, SENTINEL_RPC, SENTINEL_VT_KEY] } — no network declaration` → Add network declarations to SKILL.md frontmatter: list all API endpoints, VirusTotal domain, ClawHub domains, Base RPC, and x402 facilitator as declared destinations.	`SKILL.md:1`
中危	SKILL.md omits shell execution for unzip 文档欺骗 audit.rs:fetch_clawhub_skill() spawns 'unzip -q' via tokio::process::Command to extract downloaded skill archives. This is a shell-adjacent operation not declared in SKILL.md compatibility.binaries. `tokio::process::Command::new("unzip").arg("-q").arg(&zip_path).arg("-d").arg(tmp.path()).output().await?` → Declare unzip in the binaries: compatibility list, or use a pure-Rust zip extraction library.	`scripts/src/audit.rs:462`
中危	Undeclared process table traversal 敏感访问 process.rs:linux_skill_roots() iterates over /proc//cmdline for all PIDs on the system, and linux_process_table() reads /proc//status for all PIDs. While functionally necessary for skill monitoring, this is sensitive OS-level access not declared in SKILL.md. `let mut dir = fs::read_dir("/proc").await?; // walks ALL pids` → Document the process audit feature and its /proc access in SKILL.md.	`scripts/src/process.rs:84`
中危	Encrypted wallet storage at ~/.sentinel/wallet/ not documented 文档欺骗 payment.rs generates and stores BIP-39 mnemonics and private keys encrypted with AES-256-GCM at ~/.sentinel/wallet/. This is significant local credential storage not mentioned in SKILL.md. `fs::write(&keystore_path, ...); fs::write(&mnemonic_path, ...); // keystore.json and mnemonic.enc` → Add ~/.sentinel/wallet/ to SKILL.md as a declared filesystem path for wallet storage.	`scripts/src/payment.rs:185`
低危	SIGTERM signal sending on Unix 权限提升 daemon.rs:stop() sends SIGTERM to PIDs via unsafe libc::kill() syscall. This is elevated OS-level operation but used only for self-daemon management. `libc::kill(state.pid as i32, libc::SIGTERM);` → Document that daemon management requires process control permissions.	`scripts/src/daemon.rs:126`
低危	Suspicious GitHub repository name 供应链 The source field in SKILL.md points to 'github.com/spaceman420urdog-afk/runtime-sentinel' — a username with no clear identity. This does not indicate maliciousness but reduces verifiability. `source: https://github.com/spaceman420urdog-afk/runtime-sentinel` → Verify the repository independently or use a more identifiable source.	`SKILL.md:18`

资源类型	声明权限	推断权限	状态	证据
文件系统	`NONE`	`WRITE`	✗ 越权	SKILL.md frontmatter declares no filesystem access; code writes to ~/.sentinel/ …
网络访问	`NONE`	`WRITE`	✗ 越权	SKILL.md declares only SENTINEL_WALLET/SENTINEL_RPC env vars; code makes HTTP ca…
命令执行	`NONE`	`WRITE`	✗ 越权	audit.rs:fetch_clawhub_skill() line 462: tokio::process::Command::new("unzip") —…
环境变量	`READ`	`READ`	✓ 一致	payment.rs:18 reads SENTINEL_RPC; audit.rs:57+ read SENTINEL_VT_KEY via env var
技能调用	`NONE`	`NONE`	—	No skill_invoke usage detected
剪贴板	`NONE`	`NONE`	—	No clipboard access
浏览器	`NONE`	`NONE`	—	No browser access
数据库	`NONE`	`NONE`	—	No database access

10 项发现

🔗

中危外部 URL 外部 URL

https://rustup.rs

references/binary-build.md:10

🔗

中危外部 URL 外部 URL

https://api.runtime-sentinel.dev/v1/daemon/start

references/x402-payment.md:15

💰

中危钱包地址加密货币钱包地址

0x0E0EE00281A8729d4B68CDed99d430324350a305

references/x402-payment.md:18

🔗

中危外部 URL 外部 URL

https://x402.org/facilitator

references/x402-payment.md:100

🔗

中危外部 URL 外部 URL

https://clawhub.ai/api/v1/report

scripts/src/audit.rs:171

🔗

中危外部 URL 外部 URL

https://www.virustotal.com/api/v3/files/

scripts/src/audit.rs:414

🔗

中危外部 URL 外部 URL

https://clawhub.ai/api/v1/skills/

scripts/src/audit.rs:457

🔗

中危外部 URL 外部 URL

https://api.runtime-sentinel.dev/v1

scripts/src/payment.rs:16

🔗

中危外部 URL 外部 URL

https://mainnet.base.org

scripts/src/payment.rs:18

💰

中危钱包地址加密货币钱包地址

0x833589fCD6eDb6E08f4c7C32D4f71b54bdA02913

scripts/src/payment.rs:24

目录结构

17 文件 · 118.2 KB · 3741 行

Rust 9f · 2906L Markdown 6f · 728L TOML 2f · 107L

├─ ▾ 📁 references

│ ├─ 📝 binary-build.md Markdown 141L · 4.5 KB

│ ├─ 📝 threat-model.md Markdown 119L · 4.9 KB

│ └─ 📝 x402-payment.md Markdown 111L · 3.3 KB

├─ ▾ 📁 scripts

│ ├─ ▾ 📁 src

│ │ ├─ ▾ 📁 patterns

│ │ │ └─ 📄 mod.rs Rust 115L · 3.9 KB

│ │ ├─ 📄 audit.rs Rust 528L · 17.3 KB

│ │ ├─ 📄 daemon.rs Rust 392L · 12.2 KB

│ │ ├─ 📄 egress.rs Rust 341L · 10.0 KB

│ │ ├─ 📄 injection.rs Rust 134L · 4.6 KB

│ │ ├─ 📄 main.rs Rust 174L · 4.6 KB

│ │ ├─ 📄 payment.rs Rust 699L · 25.5 KB

│ │ ├─ 📄 process.rs Rust 412L · 10.4 KB

│ │ └─ 📄 report.rs Rust 111L · 3.0 KB

│ ├─ 📄 Cargo.toml TOML 98L · 1.9 KB

│ └─ 📄 rust-toolchain.toml TOML 9L · 200 B

├─ 📝 LICENSE.md Markdown 21L · 1.1 KB

├─ 📝 README.md Markdown 133L · 4.1 KB

└─ 📝 SKILL.md Markdown 203L · 6.6 KB

依赖分析 10 项

包名	版本	来源	已知漏洞	备注
`alloy`	`0.3`	crates.io	否	Ethereum/Base signing and RPC client. Version not pinned to patch.
`reqwest`	`0.12`	crates.io	否	HTTP client. Using rustls-tls (no OpenSSL). Version not pinned to patch.
`tokio`	`1`	crates.io	否	Async runtime with 'full' feature set. Version not pinned to patch.
`notify`	`6`	crates.io	否	Filesystem watcher. Version not pinned.
`eth-keystore`	`0.5`	crates.io	否	Wallet keystore encryption (scrypt + AES-128-CTR).
`bip39`	`2`	crates.io	否	BIP-39 mnemonic generation and validation.
`argon2`	`0.5`	crates.io	否	Argon2id key derivation for machine-secret passphrase.
`aes-gcm`	`0.10`	crates.io	否	AES-256-GCM encryption for mnemonic phrase at rest.
`rand`	`0.8`	crates.io	否	CSPRNG for nonce and key generation.
`clap`	`4`	crates.io	否	CLI argument parsing.

安全亮点

✓ All cryptographic operations use well-vetted primitives: Argon2id for key derivation, AES-256-GCM for encryption, CSPRNG for nonce generation, BIP-39 for wallet generation

✓ Private key material is zeroized in memory after use (zeroize crate) before variables are dropped

✓ x402 payment flow follows the Coinbase x402 specification correctly — payments are non-custodial, price is shown before signing, EIP-712 typed data is used correctly

✓ No credential exfiltration: credential scanning (patterns/mod.rs) is a read-only detection operation that reports findings locally, does not POST them to any server

✓ No base64/eval obfuscation patterns, no hidden instructions, no suspicious HTML comments

✓ File permissions set to 0600 (owner-only) on Unix for keystore and mnemonic files

✓ Entropy-based credential detection (metric_entropy > 4.5) provides defense against credential theft detection evasion

✓ VirusTotal lookups use hash-only (no file upload), preserving privacy of skill content

✓ Process monitoring only targets processes with /proc entries containing '/.openclaw/skills/' in cmdline — not arbitrary system processes

✓ Source code is open Rust (2906 lines), auditable, with no binary blobs