Security Decision Report

token-watchdog

Undeclared shell execution via execSync found in code not mentioned in SKILL.md documentation. The skill claims to 'read .jsonl files directly' but actually executes openclaw CLI commands for alerts and agent control.

Install decision first · Source: manual upload · Scan time: 2026/4/3
Files: 3
IOC: 2
Out-of-scope items: 1
Findings: 5
Most direct threat evidence
High
Undeclared Shell Execution via execSync

The code uses execSync() from child_process module to execute 'openclaw message send' and 'openclaw agent' commands. SKILL.md only mentions reading .jsonl files directly and does not disclose that shell commands are executed.

token-watchdog.mjs:44

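Why this conclusion was reached

2/4 dimensions triggered
Block
Declared vs. actual capabilities

Found 1 capability or overreach beyond what is declared.

Review
Hidden execution and outbound connections

Extracted 2 general-risk artifacts; they need to be judged in context.

Block
Attack chain and high-severity findings

The report contains a 0-step attack chain, plus 2 high or critical findings.

Pass
Dependency and supply-chain hygiene

A dependency structure is present, but no obvious high-severity alerts have been seen so far.

How the risk score was raised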

Undeclared shell execution +20

SKILL.md claims 'reads session .jsonl file directly (no API call needed)' but code uses execSync to run openclaw CLI commands

Hidden functionality +15

Agent pause functionality via 'openclaw agent -m' not mentioned in documentation

External download URL +10

Users instructed to curl script from ddaekeu3-cyber.github.io without integrity verification

Key evidence

High

Undeclared Shell Execution via execSync

The code uses execSync() from child_process module to execute 'openclaw message send' and 'openclaw agent' commands. SKILL.md only mentions reading .jsonl files directly and does not disclose that shell commands are executed.

token-watchdog.mjs:44
Document execSync usage in SKILL.md. Consider using openclaw SDK/API if available instead of CLI subprocess execution.
High

Agent Control Function Not Declared

The pauseAgent() function can send messages to control the OpenClaw agent. This capability to control agent behavior is not mentioned in documentation.

token-watchdog.mjs:56
Clearly document that this tool can pause/resume the agent and what commands it sends.
Medium

Remote Script Download Without Integrity Check

SKILL.md instructs users to download the script via curl from a GitHub Pages URL without recommending signature verification or checksum validation.

SKILL.md:29
Add instructions for verifying script integrity (e.g., provide SHA256 hash or use signed releases).
Medium

Undeclared File Write Operations

Code writes to ~/.openclaw/workspace/memory/token-watchdog.log and token-watchdog-state.json. SKILL.md only mentions reading session files.

token-watchdog.mjs:83
Document log and state file persistence in SKILL.md.
Low

Hardcoded Telegram Target ID

Telegram target '8616468733' is hardcoded in CONFIG. While this may be expected for a personal tool, it limits flexibility and may not match user's configuration.

token-watchdog.mjs:17
Allow Telegram target configuration via environment variable or CLI argument.

Declared vs. actual capabilities

Filesystem: Pass
Declared: READ
Inferred: READ,WRITE
token-watchdog.mjs:writeFileSync to ~/.openclaw/workspace/memory/
Command execution: Block
Declared: NONE
Inferred: WRITE
token-watchdog.mjs:44 execSync for openclaw CLI commands
Network access: Pass
Declared: READ
Inferred: READ
Reads session files, sends via openclaw CLI

Suspicious artifacts and outbound connections

Medium · External URL
https://ddaekeu3-cyber.github.io/synapse-ai/tools/token-watchdog/token-watchdog.mjs

SKILL.md:29

Medium · External URL
https://ddaekeu3-cyber.github.io/synapse-ai/

SKILL.md:82

Dependencies and supply chain

Package | Version | Source | Vulnerabilities | Notes
Node.js built-ins | N/A | builtin | | Uses only child_process and fs modules
openclaw CLI | unknown | external | | CLI tool invoked via execSync - security depends on openclaw tool integrity

File composition

3 files · 420 lines
JavaScript: 1 file · 328 lines
Markdown: 1 file · 82 lines
JSON: 1 file · 10 lines
Files needing attention · 2
token-watchdog.mjs JavaScript · 328 lines
Undeclared Shell Execution via execSync · Agent Control Function Not Declared · Undeclared File Write Operations · Hardcoded Telegram Target ID
SKILL.md Markdown · 82 lines
Remote Script Download Without Integrity Check · https://ddaekeu3-cyber.github.io/synapse-ai/tools/token-watchdog/token-watchdog.mjs · https://ddaekeu3-cyber.github.io/synapse-ai/
Other files · package.json

Security highlights

Core functionality (session cost monitoring) appears legitimate and useful
shellEscape() function provides basic protection against command injection
Uses fs sync operations instead of eval() or dynamic code execution
Session file reading is byte-offset based (incremental reads) - efficient approach
State persistence prevents duplicate alerts on restarts