Trusted — Risk score 5/100
Last scanned: 1 day ago
agent-dream
Nightly memory consolidation and self-reflection for OpenClaw agents. Reviews sessions, organizes memories, prunes stale info, and reflects on its own behavior.
agent-dream is a well-documented, local-only memory consolidation skill with no network, shell, or credential access, clean filesystem scope, and strong built-in safety rails.
Skill name: agent-dream
Analysis time: 30.6s
Engine: pi
OK to install
Approve for use. The skill is transparent, scoped to local memory management, and implements multiple safety mechanisms.

Security findings: 1

Severity: Low
Finding: Shell permission declared as WRITE but effectively READ-ONLY in practice [Documentation deception]
SKILL.md states 'bash is restricted to read-only commands' during dreams, but the capability model maps to shell:WRITE. This is a minor documentation inconsistency — in practice bash is only used for read-only operations, consistent with the documentation text. No security impact.
During a dream, bash is restricted to read-only commands (ls, find, grep, cat, stat, wc, head, tail)
→ Clarify the capability map entry: shell should be READ, not WRITE, to accurately reflect the documented restriction.
Location: SKILL.md:1
| Resource type | Declared permission | Inferred permission | Status | Evidence |
| --- | --- | --- | --- | --- |
| File system | READ+WRITE | READ+WRITE | ✓ Consistent | setup.js uses fs.readdirSync, fs.writeFileSync, fs.mkdirSync — scoped to memory/… |
| Network access | NONE | NONE | | setup.js uses only Node.js fs/path; zero HTTP/net modules imported |
| Command execution | WRITE (documentation lists as available) | READ-ONLY | ✓ Consistent | SKILL.md declares 'bash is restricted to read-only commands' — so actual shell a… |
| Environment variables | NONE | NONE | | setup.js never reads process.env; security docs explicitly state no env sniffing |
| Skill invocation | NONE | NONE | | No skill invocation found in code |
| Clipboard | NONE | NONE | | No clipboard access in any file |
| Browser | NONE | NONE | | No browser/DOM access — server-side Node.js only |
| Database | NONE | NONE | | No database access in any file |
3 findings
Medium, External URL: https://clawhub.com/u/ahaaiclub (README.md:102)
Medium, External URL: https://ahaai.ai (README.md:104)
Medium, External URL: https://console.example.com (references/memory-types.md:45)

Directory structure

4 files · 21.6 KB · 546 lines
Markdown: 3 files · 374 lines; JavaScript: 1 file · 172 lines
├─ 📁 references
│ └─ 📝 memory-types.md Markdown 57L · 2.7 KB
├─ 📁 scripts
│ └─ 📜 setup.js JavaScript 172L · 5.7 KB
├─ 📝 README.md Markdown 104L · 4.3 KB
└─ 📝 SKILL.md Markdown 213L · 8.9 KB

Security highlights

✓ Zero network calls — explicitly declared and verified in code
✓ Zero shell execution in setup.js — only fs/path Node.js standard library
✓ No environment variable or credential access
✓ No external dependencies (no package.json, no requirements.txt) — no supply chain risk
✓ Strong safety rails: 2-pass deletion, backup before changes, >50% change block, rollback on failure
✓ Scope explicitly limited to memory/, MEMORY.md, LEARN.md, dreams/ — no sensitive path access (~/.ssh, ~/.aws, etc.)
✓ No obfuscation — all code is plain, readable JavaScript
✓ Documentation is thorough and accurately describes behavior