Security Decision Report

MemOptimizer (Memory Optimizer)

The skill contains undeclared shell execution via child_process.exec() and undeclared filesystem WRITE operations, with access to sensitive system paths — all hidden from the documented SKILL.md.

Install decision first · Source: manual upload · Scan time: 2026/4/4
Files: 3
IOCs: 0
Out-of-scope items: 2
Findings: 5

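Why this conclusion was reached

2 of 4 dimensions triggered
Block
Declared vs. actual capabilities

Found 2 capabilities or out-of-scope behaviors beyond what is declared.

Pass
Hidden execution and outbound connections

No obvious high-risk outbound-connection or execution signals at present.

Block
Attack chain and high-risk findings

The report contains an attack chain of 0 steps, plus 3 high-risk or critical findings.

Pass
Dependency and supply-chain hygiene

A dependency structure exists, but no obvious high-risk alerts have been seen so far.

How the risk score was raised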

Undeclared shell execution +25

getServerStatus() runs top/free/df/uptime via child_process.exec(); getAgentStatus() runs ls on ~/.openclaw — none declared in SKILL.md

Undeclared filesystem WRITE +20

fs.writeFile modifies memory/*.md when dryRun=false; fs.appendFile writes to reflections.md and corrections.md — no WRITE permission declared

Sensitive path access +15

Hardcoded access to /root/.openclaw/agents/ and /root/.openclaw/workspace-{id}/ for multi-agent optimization, not declared in docs

Most critical evidence

High risk · Documentation deception

Undeclared shell execution via child_process.exec()

The getServerStatus() function (lines 178-196) executes 4 shell commands (top, free, df, uptime) via child_process.exec() to gather server metrics for the daily report. getAgentStatus() (lines 203-211) executes 'ls -1 ~/.openclaw/agents/'. None of this shell execution is declared anywhere in SKILL.md or tools.json.

index.js:178
Document shell:WRITE in SKILL.md metadata if system monitoring is intentional, or remove these exec() calls entirely.

High risk · Documentation deception

Undeclared filesystem WRITE operations

The skill writes to memory/*.md files (line 337) when dryRun=false, and appends to self-improving/reflections.md and corrections.md (lines 119, 124). These filesystem WRITE operations are not declared in SKILL.md, tools.json, or metadata. While dryRun defaults to true (providing a safety guard), the capability exists and is hidden.

index.js:337
Declare filesystem:WRITE in the capability model metadata. Alternatively, move to a read-only stats-only tool.

High risk · Sensitive access

Hardcoded access to /root/.openclaw system directories

The scanAllAgentsWorkspaces() function (lines 216-272) hardcodes paths /root/.openclaw/agents and /root/.openclaw/workspace-{id}, iterating across all agents' workspaces to compress their memory files. This is a privilege escalation: the skill's stated purpose is 'scan memory/ directory in workspace', but it actually traverses the entire multi-agent system at /root level.

index.js:217
This is a major scope creep. Either declare this behavior prominently in SKILL.md or restrict to the current workspace only.

Medium risk · Documentation deception

Multi-agent optimization mode not documented in SKILL.md

The mem_optimize tool has a hidden multiAgent mode that scans and compresses ALL agents' memory files across the entire system (via /root/.openclaw/agents/). This is triggered by '多智能体' keyword or '执行多智能体记忆优化流程', yet the SKILL.md only describes single-workspace optimization. The cron job 'mem_optimize_daily' triggers this wider scope automatically.

index.js:295
Document the multi-agent mode explicitly in SKILL.md with clear scope and consent requirements.

Medium risk · Privilege escalation

Aggressive default compression ratio of 40%

The default compressionRatio is 0.4 (40%), meaning 60% of content is discarded from files over 50 lines. While dryRun is true by default, the cron job (mem_optimize_daily) runs with dryRun=false, silently destroying memory content across ALL agents on a daily schedule.

index.js:312
Require explicit opt-in for automated destructive operations. The cron should run dryRun mode by default and notify rather than auto-commit.

Declared vs. actual capabilities

Command execution · Block
Declared: NONE
Inferred: WRITE
Evidence: index.js:178-196 (getServerStatus uses exec() for top/free/df/uptime); index.js:203-211 (getAgentStatus uses exec() for ls)

File system · Block
Declared: READ (implicit)
Inferred: WRITE
Evidence: index.js:337 fs.writeFile(file.path, newContent) modifies memory files when dryRun=false; index.js:119 fs.appendFile(reflectionsPath, ...) appends reflections

Environment variables · Pass
Declared: NONE
Inferred: READ
Evidence: index.js:89-109 loadSelfImprovingPreferences() reads files from self-improving/ directory within workspace

Suspicious artifacts and outbound connections

No obvious IOCs were extracted.

Dependencies and supply chain

Package | Version | Source | Vulnerabilities | Notes
fs | builtin | Node.js stdlib | - | Uses Node.js built-in fs module (promises API)
child_process | builtin | Node.js stdlib | - | Uses exec() for shell commands (undocumented capability)

File composition

3 files · 1179 lines
JavaScript: 1 file · 827 lines
Markdown: 1 file · 302 lines
JSON: 1 file · 50 lines
Files needing attention · 1
index.js JavaScript · 827 lines
Undeclared shell execution via child_process.exec() · Undeclared filesystem WRITE operations · Hardcoded access to /root/.openclaw system directories · Multi-agent optimization mode not documented in SKILL.md · Aggressive default compression ratio of 40%
Other files · SKILL.md · tools.json

Security highlights

dryRun defaults to true, providing a safety guard against accidental file modification
Token estimation is performed locally with no network calls for core functionality
No credential harvesting or API key scanning observed
No base64 encoding, obfuscation, or anti-analysis techniques detected
No reverse shell, C2, or outbound data exfiltration to external IPs
Self-improving feedback loop is a legitimate, documented pattern