Scan Report
20 /100
Self-Check
System self-check tool - OpenClaw environment diagnostic tool
This is a legitimate system self-check tool for OpenClaw. It performs read-only diagnostics via subprocess calls; it makes no unauthorized modifications and exfiltrates no data.
Safe to install
Declare the shell:WRITE permission requirement in SKILL.md. Consider replacing the curl|bash suggestion in the fix output with safer manual instructions (download the installer, inspect or verify it, then run it).
Findings (2 items)
| Severity | Category | Finding | Location |
|---|---|---|---|
| Low | Doc Mismatch | Shell permission not declared | SKILL.md:1 |
| Low | Sensitive Access | API key presence check via env iteration | scripts/self_check.py:265 |
Permissions
| Resource | Declared | Inferred | Status | Evidence |
|---|---|---|---|---|
| Shell | NONE | WRITE | ✗ Violation | scripts/self_check.py:78 - subprocess.run() for node/npm/pgrep checks |
| Filesystem | READ | READ | ✓ Aligned | Scripts only read configs at known paths |
| Environment | NONE | READ | ✓ Aligned | scripts/self_check.py:265 - checks os.environ for API key names |
Critical (1 finding)
Critical: Dangerous Command (Dangerous Shell Command)
`curl -o- https://raw.githubusercontent.com/nvm-sh/nvm/v0.39.0/install.sh | bash`
Location: scripts/self_check.py:126
File Tree
2 files · 19.8 KB · 596 lines
Python: 1 file · 497 lines
Markdown: 1 file · 99 lines
├─ scripts/
│  └─ self_check.py (Python)
└─ SKILL.md (Markdown)
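As an added worked example (not OpenClaw's scanner and not the self_check.py under review), the Python below shows how the Doc Mismatch and Dangerous Command findings above can be produced: it walks a script's AST to infer which resources the script uses (subprocess calls imply shell WRITE, os.environ access implies environment READ, open() implies filesystem READ), flags string literals that pipe a download into a shell, and compares the inferred levels with what SKILL.md declares. The `permissions:` block format in SKILL.md, the sample SKILL.md and the sample script are constructed assumptions for illustration.

```python
"""Added example: infer a skill script's resource use from its AST and compare it
with what SKILL.md declares. Not OpenClaw's scanner and not the self_check.py
under review; the SKILL.md 'permissions:' block format and the sample script are
constructed for illustration."""
import ast
import re

# Constructed SKILL.md: declares filesystem READ only, no shell permission.
SKILL_MD = """\
---
name: self-check
permissions:
  filesystem: READ
---
# Self-Check
Only checks, reports and suggests. Never auto-fixes.
"""

# Constructed script showing the three patterns the report calls out:
# subprocess for diagnostics, os.environ for key presence, curl|bash in fix text.
SCRIPT_PY = '''\
import os
import subprocess

API_KEYS = ["OPENAI_API_KEY", "ANTHROPIC_API_KEY"]

def check_node():
    r = subprocess.run(["node", "--version"], capture_output=True, text=True)
    return r.returncode == 0

def check_keys():
    return [k for k in API_KEYS if k in os.environ]

def fix_hint():
    return "Install nvm: curl -o- https://raw.githubusercontent.com/nvm-sh/nvm/v0.39.0/install.sh | bash"
'''

LEVELS = {"NONE": 0, "READ": 1, "WRITE": 2}
# A command piped into a shell: "| bash", "|sh", "| zsh", "| dash".
PIPE_TO_SHELL = re.compile(r"\|\s*(?:ba|z|da)?sh\b")


def parse_declared(skill_md: str) -> dict:
    """Read resource levels from the (assumed) 'permissions:' block in SKILL.md."""
    declared, in_block = {}, False
    for line in skill_md.splitlines():
        if line.strip() == "permissions:":
            in_block = True
            continue
        if in_block:
            m = re.match(r"\s+(\w+):\s*(NONE|READ|WRITE)\s*$", line)
            if not m:
                break
            declared[m.group(1)] = m.group(2)
    return declared


def infer_permissions(source: str):
    """Return (inferred levels, findings). subprocess.* calls imply shell WRITE,
    os.environ access implies environment READ, open() implies filesystem READ
    (the mode argument is not inspected); string literals that pipe into a
    shell become Critical findings with their line number."""
    inferred = {"shell": "NONE", "filesystem": "NONE", "environment": "NONE"}
    findings = []

    def bump(resource, level):
        if LEVELS[level] > LEVELS[inferred[resource]]:
            inferred[resource] = level

    for node in ast.walk(ast.parse(source)):
        if isinstance(node, ast.Call):
            f = node.func
            if (isinstance(f, ast.Attribute) and isinstance(f.value, ast.Name)
                    and f.value.id == "subprocess"):
                bump("shell", "WRITE")
            elif isinstance(f, ast.Name) and f.id == "open":
                bump("filesystem", "READ")
        elif (isinstance(node, ast.Attribute) and isinstance(node.value, ast.Name)
              and node.value.id == "os" and node.attr == "environ"):
            bump("environment", "READ")
        elif (isinstance(node, ast.Constant) and isinstance(node.value, str)
              and PIPE_TO_SHELL.search(node.value)):
            findings.append(("Critical", "Dangerous command in string literal", node.lineno))
    return inferred, findings


def compare(declared: dict, inferred: dict) -> list:
    """One row per resource: (resource, declared, inferred, status). Any use
    above the declared level is a Violation; over-declaring is Aligned."""
    rows = []
    for resource, level in inferred.items():
        dec = declared.get(resource, "NONE")
        status = "Violation" if LEVELS[level] > LEVELS[dec] else "Aligned"
        rows.append((resource, dec, level, status))
    return rows


if __name__ == "__main__":
    inferred, findings = infer_permissions(SCRIPT_PY)
    for row in compare(parse_declared(SKILL_MD), inferred):
        print("%-12s declared=%-5s inferred=%-5s %s" % row)
    for sev, what, line in findings:
        print(f"{sev}: {what} at line {line}")
```

Two design points differ from the report above and are worth making explicit in any real policy. First, this comparison treats any undeclared access, including environment READ, as a Violation, whereas the permissions table above accepts undeclared environment READ as Aligned. Second, the curl|bash hit is a finding on text the script emits, not on anything it executes, which matches the "only in fix suggestion text" caveat; it still matters because a user who follows the suggestion runs unverified remote code, so the safer fix text is to download the installer, inspect or verify it, and only then run it.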
Security Positives
✓ Core principle correctly implemented: only checks/reports/suggests, never auto-fixes
✓ No credential exfiltration - API keys checked only for presence, values never read or transmitted
✓ No network requests to external IPs from the script itself
✓ No base64, eval, obfuscation, or anti-analysis techniques
✓ Remote curl|bash appears only in fix suggestion text and is never executed by the script (a user who follows the suggestion still runs unverified remote code; see the recommendation above)
✓ All subprocess commands are benign diagnostic commands (node --version, pgrep, ss, etc.)
✓ No access to sensitive paths like ~/.ssh, ~/.aws, or .env files
✓ SKILL.md core principle statement is honest and accurately describes behavior