Suspicious — Risk Score 45/100
Last scan: 17 hr ago
evolution-watcher
Plugin update monitoring and adaptation tool for star architecture
Skill declares read-only monitoring but contains file modification capabilities (patch application) through subprocess that contradict stated security claims.
Skill Name: evolution-watcher
Duration: 83.1s
Engine: pi
Use with caution
Review and either remove the patch application functionality or clearly declare write/shell capabilities in SKILL.md. Consider if the FixApplier is necessary for the stated monitoring use case.

Attack Chain 6 steps

1. Escalation: Skill presents as read-only monitoring tool in SKILL.md (SKILL.md:1)
2. Entry: User runs monitor.py to check plugin updates (scripts/monitor.py:2300)
3. Escalation: Code accesses /root/.openclaw/workspace/ for registry and plugin information (scripts/monitor.py:45)
4. Escalation: DiffAnalyzer clones Git repos and runs git commands via subprocess (scripts/diff_analyzer.py:75)
5. Escalation: FixApplier.apply_fix() applies patches to adapter files via subprocess (scripts/adapter_auto_fix.py:760)
6. Impact: Files in /root/.openclaw/workspace/integration/adapter/ modified without clear user consent (scripts/adapter_auto_fix.py:771)

Findings 5 items

Severity | Finding | Location

[High] Documentation mismatch - file modification not declared (Doc Mismatch)
Location: SKILL.md:1
SKILL.md states '只读操作:不执行任何自动升级' (read-only operations: do not execute any auto-upgrade), but the FixApplier class in adapter_auto_fix.py applies patches to adapter files using subprocess, enabling file modifications.
Evidence (quoted from SKILL.md, translated):
    🔐 **Zero auto-upgrade**: all upgrade operations must be executed manually
    🔐 **Read-only operations**: only invokes information-query commands, does not modify the system
→ Either remove the FixApplier patch application functionality or update SKILL.md to declare filesystem:WRITE and shell:WRITE capabilities.

[High] Undeclared shell execution via patch command (RCE)
Location: scripts/adapter_auto_fix.py:760
adapter_auto_fix.py:760-790 contains FixApplier.apply_fix(), which executes the 'patch' command via subprocess to modify files in the filesystem; this is not declared in SKILL.md.
Evidence:
    subprocess.run(["patch", str(file_path), "-i", tmp_path], capture_output=True, text=True, timeout=30)
→ Declare shell:WRITE capability if patch application is intentional, or remove the patch execution code.

[Medium] Script generation capability not documented (Doc Mismatch)
Location: scripts/monitor.py:1650
UpgradeScriptGenerator creates executable bash and python scripts, but this functionality is not mentioned in SKILL.md.
Evidence:
    def generate_upgrade_script(self, prioritized_plugins: List[dict], output_path: str = None) -> dict:
→ Document the script generation capability if intentional, or remove the functionality.

[Low] Hardcoded placeholder password (Sensitive Access)
Location: scripts/email_sender.py:47
email_sender.py:47 contains the placeholder password 'your-app-password'. While this is a placeholder, it demonstrates a credential-handling pattern that could be exploited if actual credentials are stored the same way.
Evidence:
    self.sender_password = 'your-app-password'  # user must replace
→ Remove default placeholder credentials and require environment variables to be set.

[Low] Environment variable access for credentials (Credential Theft)
Location: scripts/email_sender.py:37
email_sender.py reads EVOLUTION_WATCHER_SENDER_EMAIL and EVOLUTION_WATCHER_SENDER_PASSWORD from the environment. If these contain sensitive tokens, they could be accessed.
Evidence:
    self.sender_email = sender_email or os.environ.get('EVOLUTION_WATCHER_SENDER_EMAIL')
→ Ensure credentials are not exfiltrated - the current code only uses them for SMTP login, which appears legitimate.
Resource    | Declared | Inferred | Status      | Evidence
Filesystem  | READ     | WRITE    | ✗ Violation | adapter_auto_fix.py:771 uses subprocess.run(['patch', ...]) to modify adapter fi…
Shell       | READ     | WRITE    | ✗ Violation | monitor.py:28 uses subprocess.run for 'clawhub' commands; adapter_auto_fix.py:76…
Network     | READ     | READ     | ✓ Aligned   | Uses network only for version checking via clawhub CLI
Environment | NONE     | READ     | ✗ Violation | email_sender.py:37-38 reads EVOLUTION_WATCHER_SENDER_EMAIL/PASSWORD
1 High · 3 findings

🔑 [High] API Key - suspected hardcoded credential
    password = "your-app-password"
    scripts/email_sender.py:47

📧 [Info] Email - email address
    [email protected]
    scripts/email_sender.py:25

📧 [Info] Email - email address
    [email protected]
    scripts/email_sender.py:44

File Tree

36 files · 294.4 KB · 7784 lines
Python: 6 files, 5165 lines · JSON: 3 files, 1262 lines · Markdown: 26 files, 1139 lines · YAML: 1 file, 218 lines
├─ 📁 config
│ ├─ 📋 fix_templates.yaml YAML 218L · 8.0 KB
│ └─ 📋 monitor_sources.json JSON 38L · 694 B
├─ 📁 reports
│ ├─ 📋 summary.json JSON 5L · 128 B
│ ├─ 📝 updates_20260317_222549.md Markdown 16L · 475 B
│ ├─ 📝 updates_20260317_222850.md Markdown 16L · 475 B
│ ├─ 📝 updates_20260317_235919.md Markdown 16L · 475 B
│ ├─ 📝 updates_20260318_001141.md Markdown 16L · 475 B
│ ├─ 📝 updates_20260318_001912.md Markdown 16L · 475 B
│ ├─ 📝 updates_20260318_003257.md Markdown 16L · 475 B
│ ├─ 📝 updates_20260318_005713.md Markdown 16L · 475 B
│ ├─ 📝 updates_20260318_010915.md Markdown 16L · 475 B
│ ├─ 📝 updates_20260318_014522.md Markdown 16L · 475 B
│ ├─ 📝 updates_20260318_015842.md Markdown 16L · 475 B
│ ├─ 📝 updates_20260318_021254.md Markdown 16L · 475 B
│ ├─ 📝 updates_20260318_021408.md Markdown 126L · 3.8 KB
│ ├─ 📝 updates_20260318_024436.md Markdown 126L · 3.8 KB
│ ├─ 📝 updates_20260318_065840.md Markdown 126L · 3.8 KB
│ ├─ 📝 updates_20260318_071011.md Markdown 126L · 3.8 KB
│ ├─ 📝 updates_20260318_074256.md Markdown 126L · 3.8 KB
│ ├─ 📝 updates_20260318_103409.md Markdown 17L · 526 B
│ ├─ 📝 updates_20260318_142158.md Markdown 17L · 526 B
│ ├─ 📝 updates_20260318_143336.md Markdown 17L · 526 B
│ ├─ 📝 updates_20260318_162350.md Markdown 17L · 526 B
│ ├─ 📝 updates_20260318_172351.md Markdown 17L · 526 B
│ ├─ 📝 updates_20260318_182333.md Markdown 17L · 526 B
│ ├─ 📝 updates_20260318_192605.md Markdown 17L · 526 B
│ ├─ 📝 updates_20260319_062644.md Markdown 17L · 526 B
│ ├─ 📝 updates_20260319_071143.md Markdown 17L · 526 B
│ └─ 📋 updates_log.json JSON 1219L · 32.6 KB
├─ 📁 scripts
│ ├─ 🐍 adapter_auto_fix.py Python 1414L · 55.0 KB
│ ├─ 🐍 diff_analyzer.py Python 412L · 15.3 KB
│ ├─ 🐍 email_sender.py Python 183L · 6.2 KB
│ ├─ 🐍 monitor.py Python 2879L · 131.2 KB
│ └─ 🐍 test_end_to_end.py Python 270L · 9.9 KB
├─ 📝 SKILL.md Markdown 180L · 6.3 KB
└─ 🐍 test_b4.py Python 7L · 202 B

Dependencies 2 items

Package  | Version  | Source          | Known Vulns | Notes
pyyaml   | unpinned | import yaml     | No          | Used for fix_templates.yaml parsing
markdown | unpinned | import markdown | No          | Optional dependency for email formatting

Security Positives

✓ Skill includes backup functionality before applying patches (sandbox_validate creates temp copies)
✓ Includes health check verification after fix application
✓ Dry-run mode available in UpgradeScriptGenerator
✓ Reports are generated for human review before execution
✓ Authorization flow mentioned for fix application (apply_fix requires 'authorized' parameter)