agora-sentinel 安全扫描报告 — 低风险 | ClawSafe

25 /100

agora-sentinel

Security check for OpenClaw skills. Scan any ClawHub skill for malware, prompt injection, data theft, wallet stealing, and dangerous permissions BEFORE installing.

Agora Sentinel is a legitimate-looking ClawHub security scanner that makes outbound HTTP requests to checksafe.dev API. Its behavior is benign — only sends skill slugs, receives trust scores, no credential theft or data exfiltration — but it under-declares its actual resource usage (shell, network, filesystem READ) in metadata.

技能名称agora-sentinel

分析耗时57.3s

引擎pi

✓

可以安装

Declare shell:WRITE, network:READ, filesystem:READ, and env:READ in SKILL.md metadata. No blocking action needed since no malicious behavior is present, but transparency about resource usage is required.

安全发现 3 项

严重性	安全发现	位置
低危	Metadata under-reports actual resource usage 文档欺骗 SKILL.md metadata declares requires.env:[] (no env access needed), but scripts/readily access OPENCLAW_SKILLS_DIR environment variable and filesystem paths. This is a minor doc-code mismatch. `requires: env: []` → Update metadata to declare env:READ (for OPENCLAW_SKILLS_DIR) and files:READ for the skills directory.	`SKILL.md:12`
低危	Outbound network requests not declared 文档欺骗 SKILL.md 'What This Skill Does NOT Do' section says 'Does not send any user data to Sentinel' but all three scripts make HTTP GET requests to checksafe.dev. While only skill slugs (non-sensitive) are sent, the network access itself is undeclared. `Does not send any user data to Sentinel — only queries by skill slug` → Add a declaration that the skill makes read-only API calls to checksafe.dev for trust score lookups. The outbound traffic is acceptable but must be documented.	`SKILL.md:90`
提示	Third-party API dependency on checksafe.dev 文档欺骗 All functionality depends on https://checksafe.dev being available and trustworthy. The domain's operational status is outside the skill's control. If checksafe.dev is compromised or taken over, the skill's results become unreliable. `API="https://checksafe.dev/api/v1"` → Consider adding a fallback or warning when the API is unreachable. No immediate risk, but a dependency risk worth noting.	`scripts/check_skill.sh:6`

资源类型	声明权限	推断权限	状态	证据
命令执行	`NONE`	`WRITE`	✗ 越权	scripts/check_skill.sh:23 bash curl + python3 subprocess
网络访问	`NONE`	`READ`	✗ 越权	scripts/check_skill.sh:23 curl https://checksafe.dev/api/v1/...
文件系统	`NONE`	`READ`	✗ 越权	scripts/scan_installed.sh:29-32 reads skills directory
环境变量	`NONE`	`READ`	✗ 越权	scripts/scan_installed.sh:7 reads OPENCLAW_SKILLS_DIR
技能调用	`NONE`	`READ`	✗ 越权	scripts/scan_installed.sh:33 reads SKILL.md files

5 项发现

🔗

中危外部 URL 外部 URL

https://checksafe.dev/dashboard/

README.md:31

🔗

中危外部 URL 外部 URL

https://checksafe.dev/api/v1/skills/

README.md:49

🔗

中危外部 URL 外部 URL

https://checksafe.dev/api/v1/search?q=weather&min_tier=2

README.md:55

🔗

中危外部 URL 外部 URL

https://checksafe.dev

README.md:60

🔗

中危外部 URL 外部 URL

https://checksafe.dev/api/v1

scripts/check_batch.sh:6

目录结构

5 文件 · 13.0 KB · 381 行

Markdown 2f · 216L Shell 3f · 165L

├─ ▾ 📁 scripts

│ ├─ 🔧 check_batch.sh Shell 59L · 1.9 KB

│ ├─ 🔧 check_skill.sh Shell 63L · 2.1 KB

│ └─ 🔧 scan_installed.sh Shell 43L · 1.1 KB

├─ 📝 README.md Markdown 60L · 2.0 KB

└─ 📝 SKILL.md Markdown 156L · 5.9 KB

安全亮点

✓ No credential theft or sensitive data exfiltration — only skill slugs (user-supplied strings) are sent to external API

✓ No obfuscation, base64, or encoded payloads found in any script

✓ No file writes, no modifications to the filesystem or system

✓ No access to sensitive paths (~/.ssh, ~/.aws, .env, keychain, etc.)

✓ No reverse shell, RCE, or code execution beyond declared API-query workflow

✓ Python3 JSON parsing is used safely with no eval() or dynamic code execution

✓ Skill is purely read-only with respect to local system; no local data is sent externally

✓ No supply-chain issues — no external dependencies (requirements.txt, package.json, etc.)