中文 EN

扫描报告

扫描新文件

可疑 — 风险评分 45/100
上次扫描:19 小时前 重新扫描
45 /100
evolution-watcher
Plugin update monitoring and adaptation tool for star architecture
Skill declares read-only monitoring but contains file modification capabilities (patch application) through subprocess that contradict stated security claims.
技能名称evolution-watcher
分析耗时83.1s
引擎pi
谨慎使用
Review and either remove the patch application functionality or clearly declare write/shell capabilities in SKILL.md. Consider if the FixApplier is necessary for the stated monitoring use case.

攻击链 6 步

提权 Skill presents as read-only monitoring tool in SKILL.md
SKILL.md:1
入口 User runs monitor.py to check plugin updates
scripts/monitor.py:2300
提权 Code accesses /root/.openclaw/workspace/ for registry and plugin information
scripts/monitor.py:45
提权 DiffAnalyzer clones Git repos and runs git commands via subprocess
scripts/diff_analyzer.py:75
提权 FixApplier.apply_fix() applies patches to adapter files via subprocess
scripts/adapter_auto_fix.py:760
影响 Files in /root/.openclaw/workspace/integration/adapter/ modified without clear user consent
scripts/adapter_auto_fix.py:771

安全发现 5 项

严重性 安全发现 位置
高危
Documentation mismatch - file modification not declared 文档欺骗
SKILL.md states '只读操作:不执行任何自动升级' (read-only operations: do not execute any auto-upgrade) but the FixApplier class in adapter_auto_fix.py applies patches to adapter files using subprocess, enabling file modifications.
🔐 **零自动升级**:所有升级操作需手动执行
🔐 **只读操作**:仅调用信息查询命令,不修改系统
→ Either remove the FixApplier.patch application functionality or update SKILL.md to declare filesystem:WRITE and shell:WRITE capabilities.
 SKILL.md:1
高危
Undeclared shell execution via patch command 代码执行
adapter_auto_fix.py:760-790 contains FixApplier.apply_fix() that executes 'patch' command via subprocess to modify files in the filesystem, which is not declared in SKILL.md
subprocess.run(["patch", str(file_path), "-i", tmp_path], capture_output=True, text=True, timeout=30)
→ Declare shell:WRITE capability if patch application is intentional, or remove the patch execution code.
 scripts/adapter_auto_fix.py:760
中危
Script generation capability not documented 文档欺骗
UpgradeScriptGenerator creates executable bash and python scripts but this functionality is not mentioned in SKILL.md
def generate_upgrade_script(self, prioritized_plugins: List[dict], output_path: str = None) -> dict:
→ Document the script generation capability if intentional, or remove the functionality.
 scripts/monitor.py:1650
低危
Hardcoded placeholder password 敏感访问
email_sender.py:47 contains placeholder password='your-app-password'. While this is a placeholder, it demonstrates credential handling patterns that could be exploited if actual credentials are stored similarly.
self.sender_password = 'your-app-password'  # 需要用户替换
→ Remove default placeholder credentials and require environment variables to be set.
 scripts/email_sender.py:47
低危
Environment variable access for credentials 凭证窃取
email_sender.py reads EVOLUTION_WATCHER_SENDER_EMAIL and EVOLUTION_WATCHER_SENDER_PASSWORD from environment. If these contain sensitive tokens, they could be accessed.
self.sender_email = sender_email or os.environ.get('EVOLUTION_WATCHER_SENDER_EMAIL')
→ Ensure credentials are not exfiltrated - current code only uses them for SMTP login, which appears legitimate.
 scripts/email_sender.py:37
资源类型声明权限推断权限状态证据
文件系统 READ WRITE ✗ 越权 adapter_auto_fix.py:771 uses subprocess.run(['patch', ...]) to modify adapter fi…
命令执行 READ WRITE ✗ 越权 monitor.py:28 uses subprocess.run for 'clawhub' commands; adapter_auto_fix.py:76…
网络访问 READ READ ✓ 一致 Uses network only for version checking via clawhub CLI
环境变量 NONE READ ✗ 越权 email_sender.py:37-38 reads EVOLUTION_WATCHER_SENDER_EMAIL/PASSWORD
1 高危 3 项发现
🔑
高危 API 密钥 疑似硬编码凭证
password = "your-app-password"
scripts/email_sender.py:47
📧
提示 邮箱 邮箱地址
[email protected]
scripts/email_sender.py:25
📧
提示 邮箱 邮箱地址
[email protected]
scripts/email_sender.py:44

目录结构

36 文件 · 294.4 KB · 7784 行
Python 6f · 5165L JSON 3f · 1262L Markdown 26f · 1139L YAML 1f · 218L
├─ 📁 config
│ ├─ 📋 fix_templates.yaml YAML 218L · 8.0 KB
│ └─ 📋 monitor_sources.json JSON 38L · 694 B
├─ 📁 reports
│ ├─ 📋 summary.json JSON 5L · 128 B
│ ├─ 📝 updates_20260317_222549.md Markdown 16L · 475 B
│ ├─ 📝 updates_20260317_222850.md Markdown 16L · 475 B
│ ├─ 📝 updates_20260317_235919.md Markdown 16L · 475 B
│ ├─ 📝 updates_20260318_001141.md Markdown 16L · 475 B
│ ├─ 📝 updates_20260318_001912.md Markdown 16L · 475 B
│ ├─ 📝 updates_20260318_003257.md Markdown 16L · 475 B
│ ├─ 📝 updates_20260318_005713.md Markdown 16L · 475 B
│ ├─ 📝 updates_20260318_010915.md Markdown 16L · 475 B
│ ├─ 📝 updates_20260318_014522.md Markdown 16L · 475 B
│ ├─ 📝 updates_20260318_015842.md Markdown 16L · 475 B
│ ├─ 📝 updates_20260318_021254.md Markdown 16L · 475 B
│ ├─ 📝 updates_20260318_021408.md Markdown 126L · 3.8 KB
│ ├─ 📝 updates_20260318_024436.md Markdown 126L · 3.8 KB
│ ├─ 📝 updates_20260318_065840.md Markdown 126L · 3.8 KB
│ ├─ 📝 updates_20260318_071011.md Markdown 126L · 3.8 KB
│ ├─ 📝 updates_20260318_074256.md Markdown 126L · 3.8 KB
│ ├─ 📝 updates_20260318_103409.md Markdown 17L · 526 B
│ ├─ 📝 updates_20260318_142158.md Markdown 17L · 526 B
│ ├─ 📝 updates_20260318_143336.md Markdown 17L · 526 B
│ ├─ 📝 updates_20260318_162350.md Markdown 17L · 526 B
│ ├─ 📝 updates_20260318_172351.md Markdown 17L · 526 B
│ ├─ 📝 updates_20260318_182333.md Markdown 17L · 526 B
│ ├─ 📝 updates_20260318_192605.md Markdown 17L · 526 B
│ ├─ 📝 updates_20260319_062644.md Markdown 17L · 526 B
│ ├─ 📝 updates_20260319_071143.md Markdown 17L · 526 B
│ └─ 📋 updates_log.json JSON 1219L · 32.6 KB
├─ 📁 scripts
│ ├─ 🐍 adapter_auto_fix.py Python 1414L · 55.0 KB
│ ├─ 🐍 diff_analyzer.py Python 412L · 15.3 KB
│ ├─ 🐍 email_sender.py Python 183L · 6.2 KB
│ ├─ 🐍 monitor.py Python 2879L · 131.2 KB
│ └─ 🐍 test_end_to_end.py Python 270L · 9.9 KB
├─ 📝 SKILL.md Markdown 180L · 6.3 KB
└─ 🐍 test_b4.py Python 7L · 202 B

依赖分析 2 项

包名版本来源已知漏洞备注
pyyaml unpinned import yaml Used for fix_templates.yaml parsing
markdown unpinned import markdown Optional dependency for email formatting

安全亮点

✓ Skill includes backup functionality before applying patches (sandbox_validate creates temp copies)
✓ Includes health check verification after fix application
✓ Dry-run mode available in UpgradeScriptGenerator
✓ Reports are generated for human review before execution
✓ Authorization flow mentioned for fix application (apply_fix requires 'authorized' parameter)