Suspicious: risk score 60/100
Last scanned: 1 day ago
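MemOptimizer (Memory Optimizer)
Memory compression and statistics tool: integrates the self-improving mechanism to automatically collect statistics on, compress, and optimize memory files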
The skill contains undeclared shell execution via child_process.exec() and undeclared filesystem WRITE operations, with access to sensitive system paths — all hidden from the documented SKILL.md.
Skill name: MemOptimizer (Memory Optimizer)
Analysis time: 50.4s
Engine: pi
Use with caution
Remove or document all child_process.exec() calls. Declare filesystem:WRITE and shell:WRITE in SKILL.md if intended. Restrict access to /root/.openclaw paths and implement stricter input validation on compression parameters.

Security findings: 5

Severity | Finding | Location
High
Undeclared shell execution via child_process.exec() [Documentation deception]
The getServerStatus() function (lines 178-196) executes 4 shell commands (top, free, df, uptime) via child_process.exec() to gather server metrics for the daily report. getAgentStatus() (lines 203-211) executes 'ls -1 ~/.openclaw/agents/'. None of this shell execution is declared anywhere in SKILL.md or tools.json.
exec(commands[key], (err, stdout, stderr) => { ... });
→ Document shell:WRITE in SKILL.md metadata if system monitoring is intentional, or remove these exec() calls entirely.
index.js:178
High
Undeclared filesystem WRITE operations [Documentation deception]
The skill writes to memory/*.md files (line 337) when dryRun=false, and appends to self-improving/reflections.md and corrections.md (lines 119, 124). These filesystem WRITE operations are not declared in SKILL.md, tools.json, or metadata. While dryRun defaults to true (providing a safety guard), the capability exists and is hidden.
await fs.writeFile(file.path, newContent, 'utf-8');
→ Declare filesystem:WRITE in the capability model metadata. Alternatively, move to a read-only stats-only tool.
index.js:337
High
Hardcoded access to /root/.openclaw system directories [Sensitive access]
The scanAllAgentsWorkspaces() function (lines 216-272) hardcodes paths /root/.openclaw/agents and /root/.openclaw/workspace-{id}, iterating across all agents' workspaces to compress their memory files. This is a privilege escalation: the skill's stated purpose is 'scan memory/ directory in workspace', but it actually traverses the entire multi-agent system at /root level.
const agentsDir = '/root/.openclaw/agents';
→ This is a major scope creep. Either declare this behavior prominently in SKILL.md or restrict to the current workspace only.
index.js:217
Medium
Multi-agent optimization mode not documented in SKILL.md [Documentation deception]
The mem_optimize tool has a hidden multiAgent mode that scans and compresses ALL agents' memory files across the entire system (via /root/.openclaw/agents/). This is triggered by '多智能体' keyword or '执行多智能体记忆优化流程', yet the SKILL.md only describes single-workspace optimization. The cron job 'mem_optimize_daily' triggers this wider scope automatically.
if (multiAgent) { result = await optimizeAllAgentsMemory(...) }
→ Document the multi-agent mode explicitly in SKILL.md with clear scope and consent requirements.
index.js:295
Medium
Aggressive default compression ratio of 40% [Privilege escalation]
The default compressionRatio is 0.4 (40%), meaning 60% of content is discarded from files over 50 lines. While dryRun is true by default, the cron job (mem_optimize_daily) runs with dryRun=false, silently destroying memory content across ALL agents on a daily schedule.
const optimizeResult = await optimizeAllAgentsMemory(false, true, 0.4);
→ Require explicit opt-in for automated destructive operations. The cron should run dryRun mode by default and notify rather than auto-commit.
index.js:312
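Resource type | Declared permission | Inferred permission | Status | Evidence
Command execution | NONE | WRITE | ✗ Exceeds declared permission | index.js:178-196 (getServerStatus uses exec() for top/free/df/uptime); index.js:…
Filesystem | READ (implicit) | WRITE | ✗ Exceeds declared permission | index.js:337 fs.writeFile(file.path, newContent) — modifies memory files when dr…
Environment variables | NONE | READ | ✓ Consistent | index.js:89-109 loadSelfImprovingPreferences() reads files from self-improving/ …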

Directory structure

3 files · 34.0 KB · 1179 lines
JavaScript 1f · 827L Markdown 1f · 302L JSON 1f · 50L
├─ 📜 index.js JavaScript 827L · 25.0 KB
├─ 📝 SKILL.md Markdown 302L · 7.6 KB
└─ 📋 tools.json JSON 50L · 1.4 KB

Dependency analysis: 2 items

Package | Version | Source | Known vulnerabilities | Notes
fs | builtin | Node.js stdlib | | Uses Node.js built-in fs module (promises API)
child_process | builtin | Node.js stdlib | | Uses exec() for shell commands — undocumented capability

Security highlights

✓ dryRun defaults to true, providing a safety guard against accidental file modification
✓ Token estimation is performed locally with no network calls for core functionality
✓ No credential harvesting or API key scanning observed
✓ No base64 encoding, obfuscation, or anti-analysis techniques detected
✓ No reverse shell, C2, or outbound data exfiltration to external IPs
✓ Self-improving feedback loop is a legitimate, documented pattern