Scan report
5/100
ocas-corvus
Corvus: exploratory pattern analysis engine for the system knowledge graph and skill journals. Detects routines, emerging interests, anomalies, stalled threads, and cross-domain opportunities.
Corvus is a purely declarative skill containing only documentation and JSON metadata; no executable scripts exist. The flagged base64 usage is standard GitHub API response decoding in the documented self-update mechanism, not code obfuscation.
OK to install
No action needed. The skill is safe to use as-is.
| Resource type | Declared permission | Inferred permission | Status | Evidence |
|---|---|---|---|---|
| Filesystem | READ | READ | ✓ Consistent | skill.json: reads ~/openclaw/data/ocas-corvus/, ~/openclaw/journals/*/, chronicl… |
| Filesystem | WRITE | WRITE | ✓ Consistent | skill.json: writes ~/openclaw/data/ocas-corvus/, ~/openclaw/journals/ocas-corvus… |
| Command execution | NONE | NONE | — | No shell commands in any file. Self-update uses gh cli, documented and scoped to… |
| Network access | NONE | READ | ✓ Consistent | Self-update fetches remote version from GitHub API — documented in SKILL.md |
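1 critical, 2 findings
Critical · Encoded execution · Base64 encoded execution (code obfuscation): base64 -d (SKILL.md:240)
Info · Email · Email address: [email protected] (skill.json:6)
Directory structure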
7 files · 24.3 KB · 623 lines
Markdown: 6 files · 604 lines
JSON: 1 file · 19 lines
├─ references
│  ├─ curiosity_engine.md (Markdown)
│  ├─ journal.md (Markdown)
│  ├─ pattern_engines.md (Markdown)
│  └─ schemas.md (Markdown)
├─ README.md (Markdown)
├─ skill.json (JSON)
└─ SKILL.md (Markdown)
Security highlights
✓ No executable scripts or code files — entire package is declarative documentation and JSON
✓ All filesystem access is explicitly declared and scoped to specific project directories
✓ Self-update mechanism is fully documented with source verification via gh CLI
✓ base64 -d at SKILL.md:240 decodes a GitHub API JSON response (standard format), not hidden code
✓ No sensitive path access (no ~/.ssh, ~/.aws, .env access)
✓ No credential harvesting or environment variable iteration
✓ No obfuscation techniques — all Markdown files are human-readable
✓ No cron/scheduled task hooks beyond documented background jobs registered via openclaw CLI