Low Risk — Risk Score 22/100
Last scan: 1 day ago
openclaw-security-audit
OpenClaw security inspection tool: runs a one-click system security scan and generates an easy-to-understand report
Security audit tool with transparent documentation of network behavior, persistent agent_id tracking, and full Skill inventory exfiltration — all disclosed in SKILL.md, but the persistent identifier and comprehensive skill list exposure warrant attention.
Skill Name: openclaw-security-audit
Duration: 61.2s
Engine: pi
Safe to install
Users should understand that the --push mode creates a persistent ~/.openclaw/.agent-id for longitudinal tracking and sends the full installed Skill list to auth.ctct.cn. Use local-only mode for sensitive environments. Never add --push to cron jobs.

Findings 4 items

Severity Finding Location
Medium
Persistent agent_id enables long-term device tracking (Sensitive Access)
generateAgentId() creates a UUID on first run and writes it to ~/.openclaw/.agent-id with mode 0o600. This ID persists indefinitely and is included in every --push request, enabling the operator to track the same device across sessions, skill reinstalls, and time — even after the user believes they've removed the telemetry component.
const id = crypto.randomUUID();
fs.writeFileSync(idPath, id, { mode: 0o600 });
→ Use a session-scoped identifier instead of a persisted one. If persistence is required for baseline continuity, provide a clear uninstall/removal mechanism.
scripts/openclaw-hybrid-audit-changeway.js:630
Medium
Full Skill inventory sent to third-party server (Data Exfil)
In --push mode, the complete list of installed Skills (slug, author, version, ownerId) is POSTed to auth.ctct.cn:10020/changeway-open/api/skills/assessment. This reveals the system's entire installed capability surface to an external operator-controlled endpoint, which could be used for targeted capability mapping.
skillMetaList.push({ slug, author, version, ownerId });
→ Consider sending only assessment results (pass/fail/hit counts) rather than raw Skill metadata, or use an anonymized hash of the skill list.
scripts/openclaw-hybrid-audit-changeway.js:1015
Low
Process environment variable enumeration on Linux (Sensitive Access)
The script reads /proc/<gwPid>/environ to enumerate environment variable names matching SECRET/TOKEN/PASSWORD/KEY patterns. While values are not captured, the enumeration of which sensitive variable names exist in the gateway process could assist in targeted credential theft if the process list is compromised.
const environData = fs.readFileSync(environPath, 'utf-8');
→ This is a legitimate security auditing function but should be documented in SKILL.md under declared permissions.
scripts/openclaw-hybrid-audit-changeway.js:248
Low
Shell command usage not declared in SKILL.md (Doc Mismatch)
SKILL.md describes the skill as using 'Node.js v18+ and openclaw CLI' but does not enumerate the 14+ system commands invoked via spawnSync (find, ps, lsof, ss, journalctl, etc.). These are legitimate for a security audit but should be explicitly declared.
Runtime dependencies: required: Node.js v18+, openclaw CLI
→ Add a section listing all system commands used (find, ps, lsof, ss, journalctl, log, netstat, pgrep, diff, icacls, etc.) with their purpose.
SKILL.md:1
Resource | Declared | Inferred | Status | Evidence
Filesystem | READ | WRITE | ✓ Aligned | Creates ~/.openclaw/security-reports/, ~/.openclaw/skill-hashes/, ~/.openclaw/.a…
Network | NONE | READ | ✓ Aligned | --push mode: POSTs to auth.ctct.cn:10020; explicitly documented with warning
Shell | NONE | WRITE | ✓ Aligned | Uses spawnSync for 14+ commands (openclaw, find, pgrep, journalctl, ss, ps, lsof…
Environment | NONE | READ | ✓ Aligned | Line 248: reads /proc/<pid>/environ to detect sensitive env var names; OPENCLAW_…
Skill Invoke | NONE | READ | ✓ Aligned | Runs openclaw CLI (openclaw cron list, openclaw security audit --deep)
Browser | NONE | NONE | N/A |
Clipboard | NONE | NONE | N/A |
Database | NONE | NONE | N/A |
3 findings
Medium External URL
https://auth.ctct.cn:10020/changeway-open/api/pushAuditData
SKILL.md:18
Medium External URL
https://auth.ctct.cn:10020/changeway-open/api/skills/assessment
SKILL.md:19
Medium External URL
https://auth.ctct.cn:10020
SKILL.md:263

File Tree

3 files · 69.1 KB · 1576 lines
JavaScript 1f · 1156L Markdown 2f · 420L
├─ 📁 references
│ └─ 📝 cron-setup.md Markdown 154L · 5.2 KB
├─ 📁 scripts
│ └─ 📜 openclaw-hybrid-audit-changeway.js JavaScript 1156L · 50.1 KB
└─ 📝 SKILL.md Markdown 266L · 13.9 KB

Security Positives

✓ Documentation is comprehensive and clearly warns against --push in cron jobs (explicit prohibition)
✓ No base64 encoding, eval(), or obfuscated execution patterns detected
✓ No credential value exfiltration — only env var names (not values) are scanned
✓ Data boundary is well-defined: detail fields are excluded from uploads, only brief summaries are sent
✓ Signature scheme uses SHA-256 without a shared secret (anti-replay only, not cryptographic authentication)
✓ spawnSync with explicit allowlist approach avoids shell injection vulnerabilities
✓ File write permissions set to 0o600 for sensitive files (agent-id, reports)
✓ Path traversal protections via buildSafeChildPath and buildSafeRelativePath
✓ Intentional design: local-only mode is the default, no network requests without explicit flag