Low risk: risk score 20/100
Last scan: 20 hours ago
oskill-proxy
Android component invocation proxy. Starts Activities, starts Services, sends Broadcasts, and operates on ContentProviders on an Android device through a local HTTP API.
Documentation-only skill describing an Android component proxy service with a hardcoded token in config, but no executable code and localhost-only network access.
Skill name: oskill-proxy
Analysis time: 31.6s
Engine: pi
Verdict: safe to install
Consider removing the hardcoded token from the config frontmatter and using environment variable substitution instead. Otherwise safe for use.

Security findings (2)

Severity: Low
Finding: Hardcoded authentication token in documentation (category: credential theft)
The SKILL.md config frontmatter contains a hardcoded API token '43b618ce5f3a46c78fbde7e6eb6bcac3'. While this only grants localhost access, exposing credentials in documentation is a poor security practice.
Evidence: token: "43b618ce5f3a46c78fbde7e6eb6bcac3"
Recommendation: Remove the hardcoded token from config. Document that users should configure their own token from the OSkillProxy App settings.
Location: SKILL.md:3

Severity: Info
Finding: No allowed-tools declaration found (category: documentation deception)
The skill does not declare an allowed-tools mapping in its frontmatter. This makes it unclear which tools the skill is permitted to use.
Evidence: Config section missing 'allowed-tools' field
Recommendation: Add an allowed-tools declaration to clarify permitted operations, even though this is a documentation-only skill.
Location: SKILL.md:1
Resource type | Declared permission | Inferred permission | Status | Evidence
Network access | NONE | READ | ✓ consistent | SKILL.md describes HTTP POST API calls but does not explicitly declare network:R…
File system | NONE | NONE | | No file operations described
Command execution | NONE | NONE | | No shell execution described
Environment variables | NONE | NONE | | No environment variable access described
External URL findings (6)

Severity | Type | URL | Location
Medium | External URL | http://127.0.0.1:8726 | SKILL.md:9
Medium | External URL | http://127.0.0.1:8726/api/v1/component/ | SKILL.md:60
Medium | External URL | http://127.0.0.1:8726/api/v1/component/activity/start | SKILL.md:280
Medium | External URL | http://127.0.0.1:8726/api/v1/component/provider/query | SKILL.md:309
Medium | External URL | http://127.0.0.1:8726/api/v1/component/broadcast/send | SKILL.md:324
Medium | External URL | http://127.0.0.1:8726/api/v1/status | SKILL.md:339

Directory structure

1 file · 9.1 KB · 390 lines
Markdown: 1 file · 390 lines
└─ SKILL.md (Markdown, 390 lines, 9.1 KB)

Security highlights

✓ No executable code present - purely documentation
✓ Network access restricted to localhost (127.0.0.1) only
✓ No shell execution capabilities declared or inferred
✓ No sensitive file path access (no ~/.ssh, ~/.aws, .env access)
✓ No base64-encoded payloads or obfuscated code
✓ No suspicious download patterns (curl|bash, wget|sh)
✓ No credential harvesting from environment variables