oskill-proxy Security Report — Low Risk | ClawSafe

20 /100

oskill-proxy

Android组件调用代理。通过本地HTTP API在Android设备上启动Activity、启动Service、发送Broadcast、操作ContentProvider。

Documentation-only skill describing an Android component proxy service with a hardcoded token in config, but no executable code and localhost-only network access.

Skill Nameoskill-proxy

Duration31.6s

Enginepi

✓

Safe to install

Consider removing the hardcoded token from the config frontmatter and using environment variable substitution instead. Otherwise safe for use.

Findings 2 items

Severity	Finding	Location
Low	Hardcoded authentication token in documentation Credential Theft The SKILL.md config frontmatter contains a hardcoded API token '43b618ce5f3a46c78fbde7e6eb6bcac3'. While this only grants localhost access, exposing credentials in documentation is a poor security practice. `token: "43b618ce5f3a46c78fbde7e6eb6bcac3"` → Remove the hardcoded token from config. Document that users should configure their own token from the OSkillProxy App settings.	`SKILL.md:3`
Info	No allowed-tools declaration found Doc Mismatch The skill does not declare allowed-tools mapping in its frontmatter. This makes it unclear what tools the skill is permitted to use. `Config section missing 'allowed-tools' field` → Add an allowed-tools declaration to clarify permitted operations, even though this is a documentation-only skill.	`SKILL.md:1`

Resource	Declared	Inferred	Status	Evidence
Network	`NONE`	`READ`	✓ Aligned	SKILL.md describes HTTP POST API calls but does not explicitly declare network:R…
Filesystem	`NONE`	`NONE`	—	No file operations described
Shell	`NONE`	`NONE`	—	No shell execution described
Environment	`NONE`	`NONE`	—	No environment variable access described

6 findings

🔗

Medium External URL 外部 URL

http://127.0.0.1:8726

SKILL.md:9

🔗

Medium External URL 外部 URL

http://127.0.0.1:8726/api/v1/component/

SKILL.md:60

🔗

Medium External URL 外部 URL

http://127.0.0.1:8726/api/v1/component/activity/start

SKILL.md:280

🔗

Medium External URL 外部 URL

http://127.0.0.1:8726/api/v1/component/provider/query

SKILL.md:309

🔗

Medium External URL 外部 URL

http://127.0.0.1:8726/api/v1/component/broadcast/send

SKILL.md:324

🔗

Medium External URL 外部 URL

http://127.0.0.1:8726/api/v1/status

SKILL.md:339

File Tree

1 files · 9.1 KB · 390 lines

Markdown 1f · 390L

└─ 📝 SKILL.md Markdown 390L · 9.1 KB

Security Positives

✓ No executable code present - purely documentation

✓ Network access restricted to localhost (127.0.0.1) only

✓ No shell execution capabilities declared or inferred

✓ No sensitive file path access (no ~/.ssh, ~/.aws, .env access)

✓ No base64-encoded payloads or obfuscated code

✓ No suspicious download patterns (curl|bash, wget|sh)

✓ No credential harvesting from environment variables

Scan Report

Findings 2 items

File Tree

Security Positives