中文 EN

Scan Report

Scan New Files

Low Risk — Risk Score 10/100
Last scan:15 hr ago Rescan
10 /100
ocas-vesper
Daily briefing generator that aggregates signals from across the system into concise morning and evening briefings
Vesper briefing skill has no malicious behavior; the flagged base64 -d usage is legitimate GitHub API response decoding for version checking, fully documented in SKILL.md.
Skill Nameocas-vesper
Duration44.0s
Enginepi
Safe to install
No action required. The skill's self-update mechanism is properly documented and uses standard practices for GitHub API interaction.

Findings 2 items

Severity Finding Location
Info
Self-update mechanism uses base64 decoding Doc Mismatch
SKILL.md line 275 uses 'base64 -d' to decode GitHub API response content. This is legitimate functionality for parsing the base64-encoded skill.json from GitHub's API, not obfuscated code execution.
gh api "repos/{owner}/{repo}/contents/skill.json" --jq '.content' | base64 -d | python3 -c "import sys,json;print(json.load(sys.stdin)['version'])"
→ No action needed. This is standard GitHub API usage documented in skill.json under self_update.
 SKILL.md:275
Low
Cooperative read from other skills' directories Priv Escalation
Vesper reads InsightProposal files and reports from other skills' directories (/workspace/openclaw/data/ocas-*/proposals/ and /workspace/openclaw/data/ocas-*/reports/). This cross-skill data access is declared in SKILL.md but skill_invoke is marked NONE.
Read InsightProposal files from each skill's proposals/ directory: /workspace/openclaw/data/ocas-corvus/proposals/
→ Consider marking skill_invoke as READ in skill.json to reflect actual cross-skill data access pattern.
 SKILL.md:141
ResourceDeclaredInferredStatusEvidence
Filesystem READ READ ✓ Aligned SKILL.md lines 141-147: reads from ~/openclaw/data/*/proposals/ and ~/openclaw/d…
Filesystem WRITE WRITE ✓ Aligned SKILL.md lines 147-153: writes to ~/openclaw/data/ocas-vesper/ and ~/openclaw/jo…
Network READ READ ✓ Aligned SKILL.md lines 266-284: gh api for GitHub version check, documented in skill.jso…
Shell ADMIN ADMIN ✓ Aligned SKILL.md lines 266-284: uses gh CLI, tar, python3 for self-update; cron registra…
Skill Invoke NONE READ ✓ Aligned SKILL.md lines 141-147: reads InsightProposal files from other skills' directori…
Environment NONE NONE No os.environ access detected
Clipboard NONE NONE No clipboard access
Browser NONE NONE No browser automation
Database NONE NONE No database access
1 Critical 5 findings
🔒
Critical Encoded Execution Base64 编码执行(代码混淆)
base64 -d
SKILL.md:275
🔗
Medium External URL 外部 URL
https://calendar.google.com/calendar/event?eid=
SKILL.md:89
🔗
Medium External URL 外部 URL
https://maps.google.com/?q=
SKILL.md:89
🔗
Medium External URL 外部 URL
https://mail.google.com/mail/u/0/#inbox/
SKILL.md:89
📧
Info Email 邮箱地址
[email protected]
skill.json:6

File Tree

8 files · 30.9 KB · 697 lines
Markdown 7f · 649L JSON 1f · 48L
├─ 📁 references
│ ├─ 📝 briefing_templates.md Markdown 110L · 4.0 KB
│ ├─ 📝 journal.md Markdown 73L · 1.8 KB
│ ├─ 📝 schemas.md Markdown 32L · 1.3 KB
│ └─ 📝 signal_filtering.md Markdown 25L · 1005 B
├─ 📝 CHANGELOG.md Markdown 40L · 1.8 KB
├─ 📝 README.md Markdown 67L · 3.9 KB
├─ 📋 skill.json JSON 48L · 1.7 KB
└─ 📝 SKILL.md Markdown 302L · 15.4 KB

Security Positives

✓ All capabilities properly declared in skill.json with clear scope boundaries
✓ Self-update mechanism is fully documented and uses version checking before download
✓ No credential harvesting or environment variable access
✓ No data exfiltration or external communication beyond documented GitHub API
✓ Cooperative inter-skill interface follows read-only pattern (doesn't write to others' directories)
✓ No obfuscated code, reverse shells, or C2 indicators
✓ Scheduled tasks (cron) are clearly documented with proper session isolation
✓ Filesystem access is scoped to expected /workspace/openclaw/data/ocas-vesper/ directory
✓ No sensitive path access (~/.ssh, ~/.aws, .env)
✓ No curl|bash or wget|sh remote script execution patterns