Low risk: risk score 22/100
Last scanned: 1 day ago
openclaw-security-audit
OpenClaw security inspection tool that runs a system security scan in one step and generates an easy-to-understand report
Security audit tool with transparent documentation of network behavior, persistent agent_id tracking, and full Skill inventory exfiltration — all disclosed in SKILL.md, but the persistent identifier and comprehensive skill list exposure warrant attention.
Skill name: openclaw-security-audit
Analysis time: 61.2s
Engine: pi
Can be installed
Users should understand that the --push mode creates a persistent ~/.openclaw/.agent-id for longitudinal tracking and sends the full installed Skill list to auth.ctct.cn. Use local-only mode for sensitive environments. Never add --push to cron jobs.

Security findings: 4

Severity / Finding / Location
Medium
Persistent agent_id enables long-term device tracking (Sensitive access)
generateAgentId() creates a UUID on first run and writes it to ~/.openclaw/.agent-id with mode 0o600. This ID persists indefinitely and is included in every --push request, enabling the operator to track the same device across sessions, skill reinstalls, and time — even after the user believes they've removed the telemetry component.
const id = crypto.randomUUID();
fs.writeFileSync(idPath, id, { mode: 0o600 });
→ Use a session-scoped identifier instead of a persisted one. If persistence is required for baseline continuity, provide a clear uninstall/removal mechanism.
scripts/openclaw-hybrid-audit-changeway.js:630
Medium
Full Skill inventory sent to third-party server (Data exfiltration)
In --push mode, the complete list of installed Skills (slug, author, version, ownerId) is POSTed to auth.ctct.cn:10020/changeway-open/api/skills/assessment. This reveals the system's entire installed capability surface to an external operator-controlled endpoint, which could be used for targeted capability mapping.
skillMetaList.push({ slug, author, version, ownerId });
→ Consider sending only assessment results (pass/fail/hit counts) rather than raw Skill metadata, or use an anonymized hash of the skill list.
scripts/openclaw-hybrid-audit-changeway.js:1015
Low
Process environment variable enumeration on Linux (Sensitive access)
The script reads /proc/<gwPid>/environ to enumerate environment variable names matching SECRET/TOKEN/PASSWORD/KEY patterns. While values are not captured, the enumeration of which sensitive variable names exist in the gateway process could assist in targeted credential theft if the process list is compromised.
const environData = fs.readFileSync(environPath, 'utf-8');
→ This is a legitimate security auditing function but should be documented in SKILL.md under declared permissions.
scripts/openclaw-hybrid-audit-changeway.js:248
Low
Shell command usage not declared in SKILL.md (Documentation deception)
SKILL.md describes the skill as using 'Node.js v18+ and openclaw CLI' but does not enumerate the 14+ system commands invoked via spawnSync (find, ps, lsof, ss, journalctl, etc.). These are legitimate for a security audit but should be explicitly declared.
Runtime dependencies: Required: Node.js v18+, openclaw CLI
→ Add a section listing all system commands used (find, ps, lsof, ss, journalctl, log, netstat, pgrep, diff, icacls, etc.) with their purpose.
SKILL.md:1
Resource type | Declared permission | Inferred permission | Status | Evidence
Filesystem | READ | WRITE | ✓ Consistent | Creates ~/.openclaw/security-reports/, ~/.openclaw/skill-hashes/, ~/.openclaw/.a…
Network access | NONE | READ | ✓ Consistent | --push mode: POSTs to auth.ctct.cn:10020; explicitly documented with warning
Command execution | NONE | WRITE | ✓ Consistent | Uses spawnSync for 14+ commands (openclaw, find, pgrep, journalctl, ss, ps, lsof…
Environment variables | NONE | READ | ✓ Consistent | Line 248: reads /proc/<pid>/environ to detect sensitive env var names; OPENCLAW_…
Skill invocation | NONE | READ | ✓ Consistent | Runs openclaw CLI (openclaw cron list, openclaw security audit --deep)
Browser | NONE | NONE | N/A |
Clipboard | NONE | NONE | N/A |
Database | NONE | NONE | N/A |
3 findings
Medium External URL
https://auth.ctct.cn:10020/changeway-open/api/pushAuditData
SKILL.md:18
Medium External URL
https://auth.ctct.cn:10020/changeway-open/api/skills/assessment
SKILL.md:19
Medium External URL
https://auth.ctct.cn:10020
SKILL.md:263

Directory structure

3 files · 69.1 KB · 1576 lines
JavaScript 1f · 1156L Markdown 2f · 420L
├─ 📁 references
│ └─ 📝 cron-setup.md Markdown 154L · 5.2 KB
├─ 📁 scripts
│ └─ 📜 openclaw-hybrid-audit-changeway.js JavaScript 1156L · 50.1 KB
└─ 📝 SKILL.md Markdown 266L · 13.9 KB

Security highlights

✓ Documentation is comprehensive and clearly warns against --push in cron jobs (explicit prohibition)
✓ No base64 encoding, eval(), or obfuscated execution patterns detected
✓ No credential value exfiltration — only env var names (not values) are scanned
✓ Data boundary is well-defined: detail fields are excluded from uploads, only brief summaries are sent
✓ Signature scheme uses SHA-256 without a shared secret (anti-replay only, not cryptographic authentication)
✓ spawnSync with explicit allowlist approach avoids shell injection vulnerabilities
✓ File write permissions set to 0o600 for sensitive files (agent-id, reports)
✓ Path traversal protections via buildSafeChildPath and buildSafeRelativePath
✓ Intentional design: local-only mode is the default, no network requests without explicit flag