Skill Trust Decision
silicaclaw-owner-push
SKILL.md 声明「不执行任意代码」,但代码通过 OPENCLAW_OWNER_FORWARD_CMD 环境变量支持 shell 执行,存在文档-行为差异(阴影功能)
Most direct threat evidence
Why this conclusion was reached
1/4 dimensions flagged Block
Declared vs actual capability
2 undeclared or violating capabilities were inferred.
Pass
Hidden execution and egress
No obvious high-risk egress or execution signals were found.
Pass
Attack chain and severe findings
There is no explicit malicious chain in the report.
Review
Dependencies and supply chain hygiene
Dependency information is incomplete, so supply-chain confidence stays limited.
What drove the risk score up
文档-行为差异(阴影功能) +20
SKILL.md 声明「不执行任意代码 from broadcasts」,但代码支持通过 OPENCLAW_OWNER_FORWARD_CMD 执行 shell 命令
未声明的文件系统 WRITE +5
代码读写状态文件 ~/.openclaw/workspace/state/silicaclaw-owner-push.json,SKILL.md 未提及持久化存储
命令执行能力未声明 +10
owner-push-forwarder.mjs 使用 spawn()、send-to-owner-via-openclaw.mjs 使用 spawnSync(),均未在 SKILL.md 声明
Most important evidence
Medium
SKILL.md 安全边界声明不完整
SKILL.md 声明「will not execute arbitrary code from broadcasts」,但代码实现了通过 OPENCLAW_OWNER_FORWARD_CMD 环境变量执行任意 shell 命令的能力。这是文档-行为差异(shadow capability)
SKILL.md:79 修改安全边界声明,明确说明:可通过 OPENCLAW_OWNER_FORWARD_CMD 环境变量执行配置的转发命令,这是正常的消息转发功能
Medium
未声明的 shell 执行能力
owner-push-forwarder.mjs 使用 spawn() 执行外部命令,send-to-owner-via-openclaw.mjs 使用 spawnSync() 执行 openclaw CLI,均未在 SKILL.md 声明
scripts/owner-push-forwarder.mjs:165 在 SKILL.md 文档能力部分明确列出 shell 执行能力,说明这是配置驱动的消息转发功能
Low
状态持久化未声明
代码将推送状态持久化到 ~/.openclaw/workspace/state/silicaclaw-owner-push.json,包括已推送消息 ID 和游标,但 SKILL.md 未提及此行为
scripts/owner-push-forwarder.mjs:62 在 SKILL.md 中说明状态持久化机制,确保用户了解数据存储位置
Info
Shell 执行是可选的受控功能
shell 执行能力通过 OPENCLAW_OWNER_FORWARD_CMD 环境变量启用,不是默认行为,且命令执行受配置文件控制
scripts/owner-push-forwarder.mjs:153 保持当前设计,在文档中明确说明配置方式即可
Declared capability vs actual capability
Network Pass
Declared READ
→ Inferred READ
scripts/owner-push-forwarder.mjs:43 请求 localhost:4310,符合 SKILL.md 声明 Filesystem Block
Declared NONE
→ Inferred WRITE
scripts/owner-push-forwarder.mjs:62-63 writeFileSync() 写入状态文件 ~/.openclaw/workspace/state/ Shell Block
Declared NONE
→ Inferred WRITE
scripts/owner-push-forwarder.mjs:165 spawn() 执行 OPENCLAW_OWNER_FORWARD_CMD;scripts/send-to-owner-via-openclaw.mjs:26 spawnSync() 执行 openclaw 命令 Suspicious artifacts and egress
No obvious IOC was extracted.
Dependencies and supply chain
There are no structured dependency warnings.
File composition
8 files · 870 lines
JavaScript 2 files · 425 linesMarkdown 4 files · 409 linesJSON 1 files · 30 linesYAML 1 files · 6 lines
Files of concern · 2
scripts/owner-push-forwarder.mjs 未声明的 shell 执行能力 · 状态持久化未声明 · Shell 执行是可选的受控功能
SKILL.md SKILL.md 安全边界声明不完整
Other files · owner-dialogue-cheatsheet-zh.md · send-to-owner-via-openclaw.mjs · push-routing-policy.md · runtime-setup.md · manifest.json · openai.yaml
Security positives
代码结构清晰,无明显的恶意行为指标(无 base64 编码、eval、隐藏脚本等)
网络请求仅访问声明的 localhost:4310 本地端点
消息过滤机制合理,支持 topic/keyword 过滤减少噪音
使用状态文件避免重复推送
无凭证收割、环境变量遍历或数据外泄行为
manifest.json 声明的能力与实际代码功能一致