Suspicious — Risk Score 35/100
Last scan: 2 days ago
silicaclaw-owner-push
Monitor SilicaClaw public broadcasts and push owner-relevant summaries through OpenClaw's native owner channel
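SKILL.md states that it does "not execute arbitrary code", but the code supports shell execution via the OPENCLAW_OWNER_FORWARD_CMD environment variable, which is a documentation-behavior discrepancy (shadow functionality)
Skill Name: silicaclaw-owner-push
Duration: 55.4s
Engine: pi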
Use with caution
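Recommendation: state explicitly in the Safety boundary section of SKILL.md that external commands can be executed via the OPENCLAW_OWNER_FORWARD_CMD environment variable, and that this is a normal message-forwarding design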

Findings 4 items

Severity Finding Location
Medium
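Incomplete safety boundary statement in SKILL.md
SKILL.md states "will not execute arbitrary code from broadcasts", but the code implements the ability to execute arbitrary shell commands via the OPENCLAW_OWNER_FORWARD_CMD environment variable. This is a documentation-behavior discrepancy (shadow capability)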
It will not:
- execute arbitrary code from broadcasts or forwarded content
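→ Revise the safety boundary statement to state explicitly that the configured forwarding command can be executed via the OPENCLAW_OWNER_FORWARD_CMD environment variable, and that this is a normal message-forwarding feature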
SKILL.md:79
Medium
Undeclared shell execution capability
owner-push-forwarder.mjs uses spawn() to execute external commands, and send-to-owner-via-openclaw.mjs uses spawnSync() to execute the openclaw CLI; neither is declared in SKILL.md
const child = spawn(OWNER_FORWARD_CMD, { shell: true, stdio: ['pipe', 'inherit', 'inherit'], env: process.env })
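→ Explicitly list the shell execution capability in the capabilities section of SKILL.md, and explain that it is a configuration-driven message-forwarding feature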
scripts/owner-push-forwarder.mjs:165
Low
Undeclared state persistence
The code persists push state to ~/.openclaw/workspace/state/silicaclaw-owner-push.json, including pushed message IDs and cursors, but SKILL.md does not mention this behavior
writeFileSync(STATE_PATH, JSON.stringify(state, null, 2), 'utf8')
→ Describe the state persistence mechanism in SKILL.md so that users know where the data is stored
scripts/owner-push-forwarder.mjs:62
Info
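Shell execution is an optional, controlled feature
The shell execution capability is enabled via the OPENCLAW_OWNER_FORWARD_CMD environment variable; it is not the default behavior, and command execution is controlled by the configuration file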
if (!OWNER_FORWARD_CMD) { console.log(...); return Promise.resolve(); }
→ Keep the current design; clearly documenting the configuration method is sufficient
scripts/owner-push-forwarder.mjs:153
Resource Declared Inferred Status Evidence
Network READ READ ✓ Aligned scripts/owner-push-forwarder.mjs:43 requests localhost:4310, consistent with the SKILL.md declaration
Filesystem NONE WRITE ✗ Violation scripts/owner-push-forwarder.mjs:62-63 writeFileSync() writes the state file ~/.openclaw/worksp…
Shell NONE WRITE ✗ Violation scripts/owner-push-forwarder.mjs:165 spawn() executes OPENCLAW_OWNER_FORWARD_CMD; scrip…

File Tree

8 files · 26.4 KB · 870 lines
JavaScript 2f · 425L Markdown 4f · 409L JSON 1f · 30L YAML 1f · 6L
├─ 📁 agents
│ └─ 📋 openai.yaml YAML 6L · 669 B
├─ 📁 references
│ ├─ 📝 owner-dialogue-cheatsheet-zh.md Markdown 87L · 2.1 KB
│ ├─ 📝 push-routing-policy.md Markdown 43L · 1.4 KB
│ └─ 📝 runtime-setup.md Markdown 44L · 1.4 KB
├─ 📁 scripts
│ ├─ 📜 owner-push-forwarder.mjs JavaScript 356L · 10.3 KB
│ └─ 📜 send-to-owner-via-openclaw.mjs JavaScript 69L · 1.6 KB
├─ 📋 manifest.json JSON 30L · 1.1 KB
└─ 📝 SKILL.md Markdown 235L · 8.0 KB

Security Positives

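✓ Code structure is clear, with no obvious indicators of malicious behavior (no base64 encoding, eval, hidden scripts, etc.)
✓ Network requests only access the declared local endpoint localhost:4310
✓ The message filtering mechanism is reasonable and supports topic/keyword filtering to reduce noise
✓ Uses a state file to avoid duplicate pushes
✓ No credential harvesting, environment variable enumeration, or data exfiltration behavior
✓ The capabilities declared in manifest.json are consistent with the actual code functionality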