Low risk: risk score 22/100
Last scan: 1 day ago
local-self-healing-machine-learning
A fully local ML engine that learns from agent runtime history, detects errors via embeddings or regex, and autonomously evolves fix strategies with auditable GEP protocol.
A legitimate self-healing ML engine with minor documentation gaps: filesystem WRITE and shell execution are used for core functionality (git operations, code evolution, skill auto-heal) but are not explicitly declared in SKILL.md's capability section. Remote Ollama install via curl|bash is documented as an optional setup step. No actual malicious behavior observed.
Skill name: local-self-healing-machine-learning
Analysis time: 134.8s
Engine: pi
Verdict: OK to install
Recommendation: Add an explicit 'Declared Capabilities' section to SKILL.md listing filesystem:WRITE (for code evolution and skill auto-heal), shell:WRITE (for git/npm operations), and network:READ (localhost Ollama). Clarify that hardcoded test credentials in test/ are test fixtures for the sanitize module. Consider pinning dotenv version.

Security findings: 7

1. [Medium] Undeclared filesystem WRITE capability (category: documentation deception)
Location: src/gep/skillDistiller.js:89
SKILL.md claims 'zero network calls' and no telemetry but does not declare filesystem WRITE operations. The skill actively writes new source code files (genes, capsules, evolution artifacts, skill stubs) and modifies existing files via the solidify pipeline and skill distiller.
Evidence: fs.writeFileSync(path.join(skillPath, 'SKILL.md'), '# ' + skillName + '\n\n' + name + ' skill.\n');
→ Add 'filesystem:WRITE' to declared capabilities in SKILL.md, specifically noting writes to memory/, assets/, and skills/ directories.

2. [Medium] Undeclared shell:WRITE capability via execSync (category: documentation deception)
Location: src/ops/self_repair.js:9
The skill uses execSync for git operations (rebase abort, merge abort, reset, fetch), npm install in skills directories, and system health checks (pgrep, ps aux, tasklist). These are not declared as capabilities.
Evidence: execSync('git rebase --abort', { cwd: root, stdio: 'ignore' });
→ Add 'shell:WRITE' to declared capabilities in SKILL.md, listing git and npm as documented operations.

3. [Medium] Remote script execution via curl|bash documented in SKILL.md (category: supply chain)
Location: SKILL.md:43
SKILL.md line 43 instructs users to run 'curl -fsSL https://ollama.com/install.sh | sh' to install Ollama. While this is documented, curl|bash is a high-risk installation pattern. The Ollama install script executes remote code with elevated privileges.
Evidence: curl -fsSL https://ollama.com/install.sh | sh
→ Replace with platform-specific installation instructions (e.g., 'brew install ollama' on macOS, or manual download) to avoid remote script execution.

4. [Low] Unpinned dotenv dependency (category: supply chain)
Location: package.json:19
package.json uses dotenv ^16.4.7 without an exact version. A major version bump in dotenv (v17+) could introduce breaking changes or security issues.
Evidence: "dotenv": "^16.4.7"
→ Pin to exact version: "dotenv": "16.4.7". Alternatively use a lockfile approach.

5. [Low] Skill auto-heal runs npm install in skills directory (category: privilege escalation)
Location: src/ops/skills_monitor.js:67
skills_monitor.js auto-runs 'npm install --production' in any skill directory that has dependencies but no node_modules. If a malicious or compromised skill package exists in the skills directory, this could install it.
Evidence: execSync('npm install --production --no-audit --no-fund', { cwd: skillPath, stdio: 'ignore', timeout: 60000 });
→ Add npm install to the validation command stripper (like skillDistiller.js does) to prevent arbitrary package installation. Consider verifying package.json integrity before running npm install.

6. [Info] Reads session logs from ~/.openclaw/agents/ (category: sensitive access)
Location: src/evolve.js:65
The evolver reads session log files from ~/.openclaw/agents/<AGENT_NAME>/sessions/. These logs may contain sensitive information including user queries, tool results, and potentially credentials. The skill reads the last 20KB of up to 6 recent sessions.
Evidence: const AGENT_SESSIONS_DIR = path.join(os.homedir(), `.openclaw/agents/${AGENT_NAME}/sessions`);
→ Document that session log access is required for error signal extraction. Consider adding a sensitive-data redaction step before logging session content.

7. [Info] SKILL.md tagline overstates 'zero network calls' (category: documentation deception)
Location: SKILL.md:17
SKILL.md claims 'without ever calling home, revealing your machine ID, or exposing any security holes' and '100% on your machine with zero network calls'. While the hub is disabled, the skill does make HTTP calls to localhost:11434 (Ollama) and optionally to the clawhub CLI for auto-update.
Evidence: A fully local machine learning engine... 100% on your machine with zero network calls.
→ Update tagline to 'No external network calls (uses local Ollama at localhost:11434 for optional embeddings)' to be technically accurate.
Resource | Declared | Inferred | Status | Evidence
Filesystem | NONE | WRITE | ✗ Exceeds declaration | src/ops/skills_monitor.js:89 writes SKILL.md stubs; src/gep/skillDistiller.js wr…
Command execution | NONE | WRITE | ✗ Exceeds declaration | src/ops/self_repair.js:9 execSync('git rebase --abort'); src/ops/skills_monitor.…
Network access | READ | READ | ✓ Consistent | src/ml/embeddings.js:88 POSTs to http://localhost:11434 (Ollama). Declared in SK…
Environment variables | NONE | READ | ✓ Consistent | index.js:7 dotenv config; src/evolve.js:36 process.env reads for EVOLVE_STRATEGY…
Skill invocation | NONE | READ | ✓ Consistent | src/ops/skills_monitor.js:31 reads SKILL.md and package.json from skills directo…
Clipboard | NONE | NONE | | No clipboard access found
Browser | NONE | NONE | | No browser access; dashboard serves local HTML only
Database | NONE | NONE | | No database access found; uses local JSON/JSONL files
Pattern matches: 10 findings (6 critical)

[Critical] Dangerous shell command: curl -fsSL https://ollama.com/install.sh | sh (SKILL.md:43)
[Critical] Hardcoded API key: sk-abcdefghijklmnopqrstuvwxyz (test/sanitize.test.js:10)
[Critical] Hardcoded API key: ghp_xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx (test/sanitize.test.js:19)
[Critical] Hardcoded API key: gho_abcdefghijklmnopqrstuvwxyz1234567890 (test/sanitize.test.js:21)
[Critical] Hardcoded API key: AKIAIOSFODNN7EXAMPLE (test/sanitize.test.js:29)
[Critical] Dangerous shell command: rm -rf / (test/skillDistiller.test.js:210)
[Medium] External URL: https://mastermindshq.business (SKILL.md:5)
[Medium] External URL: https://ollama.com/install.sh (SKILL.md:43)
[Info] Email address: [email protected] (test/sanitize.test.js:57)
[Info] Email address: [email protected] (test/sanitize.test.js:74)

Directory structure

71 files · 489.3 KB · 13151 lines
JavaScript: 66 files · 12525 lines; HTML: 1 file · 365 lines; Markdown: 2 files · 206 lines; JSON: 2 files · 55 lines
├─ 📁 dashboard
│ ├─ 📄 index.html HTML 365L · 18.0 KB
│ └─ 📜 server.js JavaScript 112L · 3.8 KB
├─ 📁 memory
│ └─ 📋 knowledge.json JSON 28L · 708 B
├─ 📁 scripts
│ ├─ 📜 analyze_by_skill.js JavaScript 121L · 4.7 KB
│ ├─ 📜 extract_log.js JavaScript 85L · 2.5 KB
│ ├─ 📜 generate_history.js JavaScript 75L · 2.5 KB
│ ├─ 📜 gep_append_event.js JavaScript 96L · 3.0 KB
│ ├─ 📜 gep_personality_report.js JavaScript 234L · 7.7 KB
│ ├─ 📜 human_report.js JavaScript 147L · 5.7 KB
│ ├─ 📜 suggest_version.js JavaScript 89L · 3.0 KB
│ └─ 📜 validate-modules.js JavaScript 8L · 437 B
├─ 📁 src
│ ├─ 📁 gep
│ │ ├─ 📜 a2a.js JavaScript 173L · 6.3 KB
│ │ ├─ 📜 a2aProtocol.js JavaScript 161L · 7.1 KB
│ │ ├─ 📜 analyzer.js JavaScript 35L · 988 B
│ │ ├─ 📜 assetCallLog.js JavaScript 130L · 3.4 KB
│ │ ├─ 📜 assets.js JavaScript 36L · 1.1 KB
│ │ ├─ 📜 assetStore.js JavaScript 353L · 13.2 KB
│ │ ├─ 📜 bridge.js JavaScript 71L · 2.0 KB
│ │ ├─ 📜 candidates.js JavaScript 183L · 6.2 KB
│ │ ├─ 📜 contentHash.js JavaScript 65L · 2.1 KB
│ │ ├─ 📜 deviceId.js JavaScript 32L · 1.0 KB
│ │ ├─ 📜 envFingerprint.js JavaScript 28L · 830 B
│ │ ├─ 📜 hubSearch.js JavaScript 11L · 532 B
│ │ ├─ 📜 llmReview.js JavaScript 15L · 609 B
│ │ ├─ 📜 memoryGraph.js JavaScript 771L · 26.9 KB
│ │ ├─ 📜 memoryGraphAdapter.js JavaScript 17L · 856 B
│ │ ├─ 📜 mutation.js JavaScript 186L · 6.7 KB
│ │ ├─ 📜 narrativeMemory.js JavaScript 108L · 3.7 KB
│ │ ├─ 📜 paths.js JavaScript 86L · 2.5 KB
│ │ ├─ 📜 personality.js JavaScript 355L · 13.2 KB
│ │ ├─ 📜 prompt.js JavaScript 566L · 22.6 KB
│ │ ├─ 📜 questionGenerator.js JavaScript 3L · 139 B
│ │ ├─ 📜 reflection.js JavaScript 127L · 4.2 KB
│ │ ├─ 📜 sanitize.js JavaScript 67L · 2.2 KB
│ │ ├─ 📜 selector.js JavaScript 285L · 10.6 KB
│ │ ├─ 📜 signals.js JavaScript 428L · 19.8 KB
│ │ ├─ 📜 skillDistiller.js JavaScript 499L · 19.5 KB
│ │ ├─ 📜 solidify.js JavaScript 1437L · 59.0 KB
│ │ ├─ 📜 strategy.js JavaScript 126L · 4.4 KB
│ │ ├─ 📜 taskReceiver.js JavaScript 9L · 517 B
│ │ └─ 📜 validationReport.js JavaScript 55L · 2.1 KB
│ ├─ 📁 ml
│ │ ├─ 📜 embeddings.js JavaScript 219L · 6.1 KB
│ │ ├─ 📜 errorClassifier.js JavaScript 137L · 4.3 KB
│ │ ├─ 📜 feedbackLoop.js JavaScript 165L · 4.7 KB
│ │ ├─ 📜 knowledgeBase.js JavaScript 144L · 4.6 KB
│ │ ├─ 📜 predictor.js JavaScript 163L · 4.7 KB
│ │ └─ 📜 trainer.js JavaScript 40L · 1.2 KB
│ ├─ 📁 ops
│ │ ├─ 📜 cleanup.js JavaScript 80L · 2.5 KB
│ │ ├─ 📜 commentary.js JavaScript 60L · 1.7 KB
│ │ ├─ 📜 index.js JavaScript 10L · 333 B
│ │ ├─ 📜 innovation.js JavaScript 67L · 3.1 KB
│ │ ├─ 📜 self_repair.js JavaScript 82L · 3.1 KB
│ │ ├─ 📜 skills_monitor.js JavaScript 143L · 5.3 KB
│ │ └─ 📜 trigger.js JavaScript 33L · 837 B
│ └─ 📜 evolve.js JavaScript 1678L · 64.6 KB
├─ 📁 test
│ ├─ 📜 contentHash.test.js JavaScript 106L · 3.5 KB
│ ├─ 📜 embeddings.test.js JavaScript 60L · 1.8 KB
│ ├─ 📜 feedbackLoop.test.js JavaScript 126L · 3.6 KB
│ ├─ 📜 knowledgeBase.test.js JavaScript 117L · 4.1 KB
│ ├─ 📜 mutation.test.js JavaScript 142L · 4.6 KB
│ ├─ 📜 predictor.test.js JavaScript 32L · 788 B
│ ├─ 📜 sanitize.test.js JavaScript 90L · 3.9 KB
│ ├─ 📜 selector.test.js JavaScript 124L · 4.1 KB
│ ├─ 📜 signals.test.js JavaScript 217L · 9.9 KB
│ ├─ 📜 skillDistiller.test.js JavaScript 486L · 16.9 KB
│ ├─ 📜 strategy.test.js JavaScript 133L · 4.8 KB
│ └─ 📜 validationReport.test.js JavaScript 148L · 4.8 KB
├─ 📜 index.js JavaScript 338L · 13.4 KB
├─ 📋 package.json JSON 27L · 942 B
├─ 📝 SECURITY.md Markdown 83L · 3.5 KB
└─ 📝 SKILL.md Markdown 123L · 5.2 KB

Dependency analysis: 1 package

Package | Version | Source | Known vulnerabilities | Notes
dotenv | ^16.4.7 | npm | | Version not pinned (uses caret range)

Security highlights

✓ No actual credential theft or data exfiltration observed — sanitize.js actively redacts API keys, tokens, emails, and private keys from capsule payloads before any potential broadcast
✓ Comprehensive safety mechanisms: blast radius limits, ethics committee, circuit breakers, rollback on failure, LLM review gate before skill distillation
✓ Auto-update is disabled by default and requires explicit opt-in via openclaw.json — supply chain risk is acknowledged and mitigated
✓ Skill distiller strips dangerous validation commands (rm -rf /, shell expansions) before execution — rm -rf / in tests is a test case for this safety feature, not a live vulnerability
✓ Hardcoded API keys in test/sanitize.test.js are clearly fake test fixtures (sk-abcdefgh..., ghp_xxx..., AKIAIOSFODNN7EXAMPLE) used for regression testing of the redactString function
✓ Hub search, task receiver, and A2A HTTP transport are all stubbed out — local-only build confirmed by code
✓ Device ID is a randomly generated UUID stored locally, not a hardware fingerprint
✓ Environment fingerprint collects only node version, platform, and arch — no MAC addresses, hostnames, or hardware identifiers
✓ Session scope isolation prevents cross-channel/cross-project memory contamination via EVOLVER_SESSION_SCOPE
✓ EVOLVE_ALLOW_SELF_MODIFY is off by default with explicit warning 'Not recommended'
✓ No base64-encoded execution, no eval(), no obfuscation, no anti-analysis techniques