中文 EN

扫描报告

扫描新文件

低风险 — 风险评分 25/100
上次扫描:1 天前 重新扫描
25 /100
ratemyclaw
Score your OpenClaw agent setup against similar agents
This is a legitimate workspace-scoring tool with transparent data handling. The main concern is unpinned dependencies and unverified model downloads, but no malicious behavior or credential theft was found.
技能名称ratemyclaw
分析耗时37.1s
引擎pi
可以安装
Pin sentence-transformers to a specific version and consider adding model hash verification for production use.

安全发现 3 项

严重性 安全发现 位置
中危
Unpinned sentence-transformers dependency 供应链
SKILL.md instructs `pip install sentence-transformers` without version pinning. This allows a malicious version to be installed in the future.
pip install sentence-transformers
→ Pin to a specific version: pip install sentence-transformers==2.7.0
 SKILL.md:42
低危
Model download without integrity verification 供应链
The script downloads the all-MiniLM-L6-v2 model (~80MB) from HuggingFace Hub without hash verification. If the model server is compromised, a malicious model could be executed locally.
model = SentenceTransformer(EMBEDDING_MODEL)
→ Add model hash verification: SentenceTransformer(EMBEDDING_MODEL, model_kwargs={'cache_dir': cache, 'use_safetensors': True})
 scripts/submit_profile.py:95
低危
Scans .secrets directory for file names 敏感访问
The script scans the .secrets directory and records file names. While it does NOT read secret contents (only names), this could reveal existence of credentials to an external service.
elif subdir == '.secrets': signals['secrets'] = [f.name for f in items]
→ This is documented behavior and reasonable for the use case. No action required.
 scripts/profile_generator.py:227
资源类型声明权限推断权限状态证据
文件系统 READ READ ✓ 一致 profile_generator.py scans workspace with read-only operations
网络访问 WRITE WRITE ✓ 一致 submit_profile.py makes POST requests to ratemyclaw.com
命令执行 NONE NONE No subprocess or shell execution found
环境变量 READ READ ✓ 一致 Reads RATEMYCLAW_API_KEY from os.environ
技能调用 NONE NONE No skill invocation detected
剪贴板 NONE NONE No clipboard access found
3 项发现
🔗
中危 外部 URL 外部 URL
https://ratemyclaw.com**
README.md:7
🔗
中危 外部 URL 外部 URL
https://huggingface.co/sentence-transformers/all-MiniLM-L6-v2
README.md:22
🔗
中危 外部 URL 外部 URL
https://ratemyclaw.com
SKILL.md:7

目录结构

5 文件 · 39.5 KB · 1147 行
Python 2f · 732L JSON 1f · 259L Markdown 2f · 156L
├─ 📁 references
│ └─ 📋 taxonomy.json JSON 259L · 4.6 KB
├─ 📁 scripts
│ ├─ 🐍 profile_generator.py Python 539L · 22.6 KB
│ └─ 🐍 submit_profile.py Python 193L · 6.3 KB
├─ 📝 README.md Markdown 63L · 2.2 KB
└─ 📝 SKILL.md Markdown 93L · 3.8 KB

依赖分析 1 项

包名版本来源已知漏洞备注
sentence-transformers * pip Version not pinned - supply chain risk

安全亮点

✓ Embedding generation happens locally - raw text never leaves the machine
✓ API key is protected with chmod 600 after creation
✓ No raw file contents are transmitted, only taxonomy tags
✓ User confirmation is required before generating API key
✓ No shell execution (subprocess) detected
✓ No credential theft beyond the tool's own API key
✓ No base64 encoding, obfuscation, or suspicious patterns
✓ Good documentation with clear data flow explanation
✓ Secrets directory scanning only records names, not contents