Scan Report
Score: 20/100
Self-Check
System self-check tool - OpenClaw environment diagnostic tool
This is a legitimate system self-check tool for OpenClaw. It performs read-only diagnostics via subprocess but makes no unauthorized modifications or data exfiltration.
Verdict: can be installed
Document the shell:WRITE permission requirement in SKILL.md. Consider replacing the curl|bash suggestion in the fix output with safer manual instructions.
Security findings: 2

| Severity | Finding | Location |
|---|---|---|
| Low | Shell permission not declared (documentation deception) | SKILL.md:1 |
| Low | API key presence check via env iteration (sensitive access) | scripts/self_check.py:265 |
Permission comparison

| Resource type | Declared permission | Inferred permission | Status | Evidence |
|---|---|---|---|---|
| Command execution | NONE | WRITE | ✗ Exceeds declaration | scripts/self_check.py:78 - subprocess.run() for node/npm/pgrep checks |
| File system | READ | READ | ✓ Consistent | Scripts only read configs at known paths |
| Environment variables | NONE | READ | ✓ Consistent | scripts/self_check.py:265 - checks os.environ for API key names |
Critical: 1 finding

Critical - Dangerous command (dangerous shell command) at scripts/self_check.py:126:
    curl -o- https://raw.githubusercontent.com/nvm-sh/nvm/v0.39.0/install.sh | bash

Directory structure
2 files · 19.8 KB · 596 lines (Python: 1 file, 497 lines; Markdown: 1 file, 99 lines)

├─ scripts/
│  └─ self_check.py (Python)
└─ SKILL.md (Markdown)
Security highlights
✓ Core principle correctly implemented: only checks/reports/suggests, never auto-fixes
✓ No credential exfiltration - API keys checked only for presence, values never read or transmitted
✓ No network requests to external IPs from the script itself
✓ No base64, eval, obfuscation, or anti-analysis techniques
✓ Remote curl|bash is only in fix suggestion text, not executed
✓ All subprocess commands are benign diagnostic commands (node --version, pgrep, ss, etc.)
✓ No access to sensitive paths like ~/.ssh, ~/.aws, or .env files
✓ SKILL.md core principle statement is honest and accurately describes behavior