Trusted — Risk Score 10/100
Last scan: 1 day ago
studio-agent
ClickZetta Studio integration for task, job, project, and workspace management
The studio-agent skill is a legitimate enterprise data platform integration that handles ClickZetta Studio authentication and workspace management through documented WebSocket and HTTP APIs.
Skill Name: studio-agent
Duration: 28.8s
Engine: pi
Safe to install
No action required. The skill operates as documented with appropriate credential handling and no malicious indicators.

Findings 1 items

Severity: Low
Finding: Minor documentation gap on cache file writes (Doc Mismatch)
Location: scripts/clickzetta-discovery.mjs:1
SKILL.md does not explicitly mention that workspace state and discovery data are persisted to ~/.openclaw/cache/, though this behavior is documented in code comments and is essential to the caching mechanism.
// Cache management functions
→ Add a brief note in SKILL.md mentioning local caching behavior for workspace state
Resource | Declared | Inferred | Status | Evidence
Filesystem | READ | WRITE | ✓ Aligned | Writes to ~/.openclaw/clawdbot.json and ~/.openclaw/cache/ for credential sync a…
Network | READ | WRITE | ✓ Aligned | WebSocket connections to CZ_AGENT_WS_URL and HTTP POST to ClickZetta API
Shell | WRITE | WRITE | ✓ Aligned | Executes node scripts as documented in SKILL.md
2 findings
Medium | External URL | https://dev-api.clickzetta.com | scripts/clickzetta-discovery.mjs:7
Medium | External URL | https://api.clickzetta.com | scripts/clickzetta-discovery.mjs:156

File Tree

6 files · 101.1 KB · 3620 lines
JavaScript 4f · 3472L Markdown 1f · 145L JSON 1f · 3L
├─ 📁 scripts
│ ├─ 📜 clickzetta-discovery.mjs JavaScript 1209L · 34.0 KB
│ ├─ 📜 cz-agent-oneshot.mjs JavaScript 676L · 19.4 KB
│ ├─ 📜 cz-agent-proxy.mjs JavaScript 1507L · 38.5 KB
│ └─ 📜 utils.mjs JavaScript 80L · 2.0 KB
├─ 📝 SKILL.md Markdown 145L · 7.0 KB
└─ 📋 studio-agent.config.example.json JSON 3L · 111 B

Security Positives

✓ No credential exfiltration or suspicious outbound network requests
✓ No obfuscation techniques (base64, eval, atob) detected
✓ No access to sensitive system paths (~/.ssh, ~/.aws, .env)
✓ No reverse shell, C2, or data theft patterns
✓ All network communication targets legitimate ClickZetta API endpoints
✓ Credentials are handled exclusively through JDBC URL as documented
✓ Cache files are scoped to application-specific directories
✓ JWT token parsing is standard and only used for identity derivation
✓ WebSocket implementation uses native APIs without suspicious behavior