Scan Report
10/100
studio-agent
ClickZetta Studio integration for task, job, project, and workspace management
The studio-agent skill is a legitimate enterprise data platform integration that handles ClickZetta Studio authentication and workspace management through documented WebSocket and HTTP APIs.
Safe to install
No action required. The skill operates as documented with appropriate credential handling and no malicious indicators.
Security findings: 1

| Severity | Finding | Location |
|---|---|---|
| Low | Minor documentation gap on cache file writes (documentation deception) | scripts/clickzetta-discovery.mjs:1 |

| Resource type | Declared permission | Inferred permission | Status | Evidence |
|---|---|---|---|---|
| Filesystem | READ | WRITE | ✓ Consistent | Writes to ~/.openclaw/clawdbot.json and ~/.openclaw/cache/ for credential sync a… |
| Network access | READ | WRITE | ✓ Consistent | WebSocket connections to CZ_AGENT_WS_URL and HTTP POST to ClickZetta API |
| Command execution | WRITE | WRITE | ✓ Consistent | Executes node scripts as documented in SKILL.md |
2 findings

| Severity | Finding | Value | Location |
|---|---|---|---|
| Medium | External URL | https://dev-api.clickzetta.com | scripts/clickzetta-discovery.mjs:7 |
| Medium | External URL | https://api.clickzetta.com | scripts/clickzetta-discovery.mjs:156 |

Directory structure
6 files · 101.1 KB · 3620 lines
JavaScript 4f · 3472L
Markdown 1f · 145L
JSON 1f · 3L
├─ scripts
│ ├─ clickzetta-discovery.mjs (JavaScript)
│ ├─ cz-agent-oneshot.mjs (JavaScript)
│ ├─ cz-agent-proxy.mjs (JavaScript)
│ └─ utils.mjs (JavaScript)
├─ SKILL.md (Markdown)
└─ studio-agent.config.example.json (JSON)
Security highlights
✓ No credential exfiltration or suspicious outbound network requests
✓ No obfuscation techniques (base64, eval, atob) detected
✓ No access to sensitive system paths (~/.ssh, ~/.aws, .env)
✓ No reverse shell, C2, or data theft patterns
✓ All network communication targets legitimate ClickZetta API endpoints
✓ Credentials are handled exclusively through JDBC URL as documented
✓ Cache files are scoped to application-specific directories
✓ JWT token parsing is standard and only used for identity derivation
✓ WebSocket implementation uses native APIs without suspicious behavior