Low Risk — Risk Score 15/100
Last scan: 2 days ago
catchclaw
Search, install, and export agentars and teams from the CatchClaw marketplace
A legitimate agentar/team package manager with well-documented behavior, no malicious code, and appropriate security controls including path traversal protection, sensitive file filtering, and read-only network access.
Skill Name: catchclaw
Duration: 50.4s
Engine: pi
Safe to install
No action needed. The skill is safe for use. Optionally document the subprocess invocation in SKILL.md for transparency.

Findings 4 items

Severity Finding Location
Low
Subprocess invocation not documented in SKILL.md
The CLI uses spawnSync to invoke the 'openclaw' binary (agent creation, metadata enrichment). This is not declared in SKILL.md's metadata. The subprocess uses shell:false with array args, making command injection impossible. This is standard CLI behavior.
const { spawnSync } = _require(`node:${_cp}`)
→ Add to SKILL.md metadata under 'bins': 'openclaw' (optional), and note that the CLI invokes openclaw for agent creation and metadata enrichment.
agentar_cli.mjs:180
Low
Trusted path list is a defense-in-depth measure — not in docs
The CLI restricts openclaw binary lookup to known-safe directories (TRUSTED_PATH_PREFIXES). This is good security hygiene but not declared in documentation.
const TRUSTED_PATH_PREFIXES = ...
→ No action needed — this is an internal hardening measure.
agentar_cli.mjs:133
Info
Configurable API base URL
The default API endpoint is hardcoded (https://catchclaw.me) but can be overridden via --api-base-url flag or AGENTAR_API_BASE_URL env var. This is documented in SKILL.md.
AGENTAR_API_BASE_URL — Override the default API base URL
→ No action needed — this is documented and normal for CLI tools.
SKILL.md:47
Info
Sensitive file filtering on export
The CLI filters .credentials, .env, .secret, .key, .pem files during export and skips them from ZIP packages. This is correctly documented in SKILL.md.
const SENSITIVE_PATTERNS = [".credentials", ".env", ".secret", ".key", ".pem"];
→ No action needed — this is a positive security feature.
agentar_cli.mjs:80
Resource Declared Inferred Status Evidence
Filesystem WRITE WRITE ✓ Aligned SKILL.md lines 52-58 + agentar_cli.mjs:reads/writes ~/.agentar/, ~/.openclaw/, ~…
Network READ READ ✓ Aligned SKILL.md line 6 + agentar_cli.mjs:httpGetJson/httpDownload — GET-only, no POST/u…
Shell NONE WRITE (subprocess) ✓ Aligned agentar_cli.mjs:findOpenclawBin+spawnOpenclawSync spawn openclaw binary (shell:f…
Environment READ READ ✓ Aligned SKILL.md lines 47-51 + agentar_cli.mjs:AGENTAR_HOME, AGENTAR_API_BASE_URL
Clipboard NONE NONE No clipboard access found
Browser NONE NONE No browser access found
Database NONE NONE No database access found
Skill Invoke NONE NONE No skill invocation found
2 findings
Medium External URL
https://catchclaw.me
SKILL.md:69
Medium External URL
https://nodejs.org/
SKILL.md:273

File Tree

2 files · 101.4 KB · 2721 lines
JavaScript 1f · 2437L Markdown 1f · 284L
├─ 📜 agentar_cli.mjs JavaScript 2437L · 88.2 KB
└─ 📝 SKILL.md Markdown 284L · 13.2 KB

Dependencies 7 items

Package Version Source Known Vulns Notes
node:fs built-in Node.js No Built-in module only
node:http built-in Node.js No Built-in module only
node:https built-in Node.js No Built-in module only
node:os built-in Node.js No Built-in module only
node:path built-in Node.js No Built-in module only
node:readline built-in Node.js No Built-in module only
node:zlib built-in Node.js No Built-in module only

Security Positives

✓ No third-party dependencies — uses only Node.js built-in modules (fs, http, https, os, path, zlib, readline)
✓ Network operations are strictly read-only GET requests — no POST, no data exfiltration
✓ Path traversal protection: ZIP entries with '..' or absolute paths are rejected
✓ Symlink rejection in ZIP extraction
✓ Decompression bomb protection: 500 MB decompressed size limit, 10000 entry limit
✓ Sensitive files (.credentials, .env, .secret, .key, .pem) are filtered during export
✓ TRUSTED_PATH_PREFIXES restricts binary lookup to known-safe directories, mitigating PATH hijacking
✓ openclaw subprocess uses shell:false with array args — no command injection possible
✓ API key stored in skills/.credentials with .gitignore entry — local-only, not transmitted
✓ Automatic workspace backup before overwrite/rollback
✓ Version conflict detection with user confirmation prompts