安全决策报告

evolution-watcher

Name: evolution-watcher 可信度判断报告
Item: evolution-watcher
Rating: 55
Author: ClawSafe

Skill declares read-only monitoring but contains file modification capabilities (patch application) through subprocess that contradict stated security claims.

安装决策优先来源: 手动上传扫描时间: 2026/4/5

文件 36

IOC 3

越权项 3

发现 5

最直接的威胁证据

Skill presents as read-only monitoring tool in SKILL.md deception · SKILL.md

User runs monitor.py to check plugin updates 初始入口 · scripts/monitor.py

Code accesses /root/.openclaw/workspace/ for registry and plugin information recon · scripts/monitor.py

为什么得出这个结论

3/4 个维度触发

阻止

声明与实际能力

发现 3 项声明之外的能力或越权行为。

阻止

隐藏执行与外联

提取到 1 个高危 IOC 或外联信号。

阻止

攻击链与高危发现

报告包含 6 步攻击链，另有 2 项高危或严重发现。

通过

依赖与供应链卫生

依赖结构存在，但暂未看到明显高危告警。

攻击链

Skill presents as read-only monitoring tool in SKILL.md

deception · SKILL.md:1

User runs monitor.py to check plugin updates

初始入口 · scripts/monitor.py:2300

Code accesses /root/.openclaw/workspace/ for registry and plugin information

recon · scripts/monitor.py:45

DiffAnalyzer clones Git repos and runs git commands via subprocess

权限提升 · scripts/diff_analyzer.py:75

FixApplier.apply_fix() applies patches to adapter files via subprocess

权限提升 · scripts/adapter_auto_fix.py:760

Files in /root/.openclaw/workspace/integration/adapter/ modified without clear user consent

最终危害 · scripts/adapter_auto_fix.py:771

风险分是怎么被拉高的

Documentation mismatch +25

SKILL.md claims '只读操作' (read-only) and '零自动升级' (zero auto-upgrade) but adapter_auto_fix.py contains FixApplier that applies patches via subprocess

Undeclared shell execution +15

The FixApplier.apply_fix() uses subprocess.run(['patch', ...]) to modify files, which is not declared in SKILL.md

Script generation capability +10

UpgradeScriptGenerator creates executable bash/python scripts based on detected updates

Hardcoded placeholder credentials +5

email_sender.py:47 contains password='your-app-password' placeholder - low risk but indicates credential handling patterns

最关键的证据

高危文档欺骗

Documentation mismatch - file modification not declared

SKILL.md states '只读操作：不执行任何自动升级' (read-only operations: do not execute any auto-upgrade) but the FixApplier class in adapter_auto_fix.py applies patches to adapter files using subprocess, enabling file modifications.

SKILL.md:1

Either remove the FixApplier.patch application functionality or update SKILL.md to declare filesystem:WRITE and shell:WRITE capabilities.

高危代码执行

Undeclared shell execution via patch command

adapter_auto_fix.py:760-790 contains FixApplier.apply_fix() that executes 'patch' command via subprocess to modify files in the filesystem, which is not declared in SKILL.md

scripts/adapter_auto_fix.py:760

Declare shell:WRITE capability if patch application is intentional, or remove the patch execution code.

中危文档欺骗

Script generation capability not documented

UpgradeScriptGenerator creates executable bash and python scripts but this functionality is not mentioned in SKILL.md

scripts/monitor.py:1650

Document the script generation capability if intentional, or remove the functionality.

低危敏感访问

Hardcoded placeholder password

email_sender.py:47 contains placeholder password='your-app-password'. While this is a placeholder, it demonstrates credential handling patterns that could be exploited if actual credentials are stored similarly.

scripts/email_sender.py:47

Remove default placeholder credentials and require environment variables to be set.

低危凭证窃取

Environment variable access for credentials

email_sender.py reads EVOLUTION_WATCHER_SENDER_EMAIL and EVOLUTION_WATCHER_SENDER_PASSWORD from environment. If these contain sensitive tokens, they could be accessed.

scripts/email_sender.py:37

Ensure credentials are not exfiltrated - current code only uses them for SMTP login, which appears legitimate.

声明能力 vs 实际能力

文件系统 阻止

声明 READ

→

推断 WRITE

adapter_auto_fix.py:771 uses subprocess.run(['patch', ...]) to modify adapter files

命令执行 阻止

声明 READ

→

推断 WRITE

monitor.py:28 uses subprocess.run for 'clawhub' commands; adapter_auto_fix.py:760 applies patches to files

网络访问 通过

声明 READ

→

推断 READ

Uses network only for version checking via clawhub CLI

环境变量 阻止

声明 NONE

→

推断 READ

email_sender.py:37-38 reads EVOLUTION_WATCHER_SENDER_EMAIL/PASSWORD

可疑产物与外联

高危 API 密钥

password = "your-app-password"

scripts/email_sender.py:47

提示邮箱

[email protected]

scripts/email_sender.py:25

提示邮箱

[email protected]

scripts/email_sender.py:44

依赖与供应链

包名	版本	来源	漏洞	备注
pyyaml	`unpinned`	import yaml	否	Used for fix_templates.yaml parsing
markdown	`unpinned`	import markdown	否	Optional dependency for email formatting

文件构成

36 个文件 · 7784 行

Python 6 个文件 · 5165 行JSON 3 个文件 · 1262 行Markdown 26 个文件 · 1139 行YAML 1 个文件 · 218 行

需关注文件 · 4

scripts/monitor.py Python · 2879 行

Script generation capability not documented

scripts/adapter_auto_fix.py Python · 1414 行

Undeclared shell execution via patch command

SKILL.md Markdown · 180 行

Documentation mismatch - file modification not declared

scripts/email_sender.py Python · 183 行

Hardcoded placeholder password · Environment variable access for credentials · password = "your-app-password" · [email protected] · [email protected]

其他文件 · updates_log.json · diff_analyzer.py · test_end_to_end.py · fix_templates.yaml · updates_20260318_021408.md · updates_20260318_024436.md +2

36 文件 · 294.4 KB · 7784 行

Python 6f · 5165LJSON 3f · 1262LMarkdown 26f · 1139LYAML 1f · 218L

├─ ▾ 📁 config

│ ├─ 📋 fix_templates.yaml YAML 218L · 8.0 KB

│ └─ 📋 monitor_sources.json JSON 38L · 694 B

├─ ▾ 📁 reports

│ ├─ 📋 summary.json JSON 5L · 128 B

│ ├─ 📝 updates_20260317_222549.md Markdown 16L · 475 B

│ ├─ 📝 updates_20260317_222850.md Markdown 16L · 475 B

│ ├─ 📝 updates_20260317_235919.md Markdown 16L · 475 B

│ ├─ 📝 updates_20260318_001141.md Markdown 16L · 475 B

│ ├─ 📝 updates_20260318_001912.md Markdown 16L · 475 B

│ ├─ 📝 updates_20260318_003257.md Markdown 16L · 475 B

│ ├─ 📝 updates_20260318_005713.md Markdown 16L · 475 B

│ ├─ 📝 updates_20260318_010915.md Markdown 16L · 475 B

│ ├─ 📝 updates_20260318_014522.md Markdown 16L · 475 B

│ ├─ 📝 updates_20260318_015842.md Markdown 16L · 475 B

│ ├─ 📝 updates_20260318_021254.md Markdown 16L · 475 B

│ ├─ 📝 updates_20260318_021408.md Markdown 126L · 3.8 KB

│ ├─ 📝 updates_20260318_024436.md Markdown 126L · 3.8 KB

│ ├─ 📝 updates_20260318_065840.md Markdown 126L · 3.8 KB

│ ├─ 📝 updates_20260318_071011.md Markdown 126L · 3.8 KB

│ ├─ 📝 updates_20260318_074256.md Markdown 126L · 3.8 KB

│ ├─ 📝 updates_20260318_103409.md Markdown 17L · 526 B

│ ├─ 📝 updates_20260318_142158.md Markdown 17L · 526 B

│ ├─ 📝 updates_20260318_143336.md Markdown 17L · 526 B

│ ├─ 📝 updates_20260318_162350.md Markdown 17L · 526 B

│ ├─ 📝 updates_20260318_172351.md Markdown 17L · 526 B

│ ├─ 📝 updates_20260318_182333.md Markdown 17L · 526 B

│ ├─ 📝 updates_20260318_192605.md Markdown 17L · 526 B

│ ├─ 📝 updates_20260319_062644.md Markdown 17L · 526 B

│ ├─ 📝 updates_20260319_071143.md Markdown 17L · 526 B

│ └─ 📋 updates_log.json JSON 1219L · 32.6 KB

├─ ▾ 📁 scripts

│ ├─ 🐍 adapter_auto_fix.py Python 1414L · 55.0 KB

│ ├─ 🐍 diff_analyzer.py Python 412L · 15.3 KB

│ ├─ 🐍 email_sender.py Python 183L · 6.2 KB

│ ├─ 🐍 monitor.py Python 2879L · 131.2 KB

│ └─ 🐍 test_end_to_end.py Python 270L · 9.9 KB

├─ 📝 SKILL.md Markdown 180L · 6.3 KB

└─ 🐍 test_b4.py Python 7L · 202 B

安全亮点

Skill includes backup functionality before applying patches (sandbox_validate creates temp copies)

Includes health check verification after fix application

Dry-run mode available in UpgradeScriptGenerator

Reports are generated for human review before execution

Authorization flow mentioned for fix application (apply_fix requires 'authorized' parameter)