Suspicious — Risk Score 35/100
Last scan: 18 hr ago
harbor-openclaw
Persistent cross-session memory, credential isolation, and schema learning for OpenClaw agent
SKILL.md is pure documentation for a Go binary with no executable code, but the description contains undeclared network behavior at first load (account provisioning) that contradicts the stated 'no telemetry' and 'cloud sync is opt-in' promises.
Skill Name: harbor-openclaw
Duration: 63.7s
Engine: pi
Use with caution
Before using this skill, verify the actual binary behavior: does it make any network requests before the user explicitly enables cloud sync? Request source code audit of the harbor binary. The cloud account auto-provisioning on first load should be clearly documented as opt-out (not opt-in).

Findings 6 items

Severity Finding Location
Medium
Undeclared network behavior on first load Doc Mismatch
The documentation claims 'cloud sync is opt-in' and 'fully local, no network calls by default', but the OpenClaw plugin section states it 'creates a cloud account on first load'. This is an undeclared outbound network request to harbor-cloud.oseaitic.com that occurs without explicit user consent.
Creates a cloud account on first load (enables credential setup page). **No data is synced until you call `harbor remember`**.
→ Distinguish clearly between 'account provisioning' and 'data sync'. Account provisioning is still a network call and should be opt-in. Change to: 'On first load, you may optionally create a cloud account for cross-device credential sync. No data is transmitted until you explicitly enable cloud sync.'
SKILL.md:207
Medium
No-telemetry claim contradicted by first-load network activity Doc Mismatch
The SKILL.md explicitly states 'No telemetry, no analytics, no tracking' and 'Default: fully local'. However, the plugin creates a cloud account automatically, which involves at least one network request to harbor-cloud.oseaitic.com. Even if no user data is transmitted, device fingerprinting (documented as hashed) is still transmitted.
harbor-cloud.oseaitic.com/api/auth/* | Auth | Device fingerprint (hash), setup tokens
→ Update the 'no telemetry' claim to acknowledge the first-load account provisioning call, or restructure the system to require explicit opt-in before any network activity.
SKILL.md:21
Medium
No code/binary available for verification Doc Mismatch
This SKILL.md is pure documentation describing a Go binary. There are no scripts, no source code, and no compiled binary to audit. All security claims (AES-256-GCM encryption, zero-knowledge, no data exfiltration) are unverifiable from the artifact alone.
go install github.com/oseaitic/harbor/cmd/harbor@latest
→ Treat this skill as medium-risk by default since security properties cannot be independently verified. Request binary/source code review before trusting credential isolation claims in adversarial environments.
SKILL.md:1
Low
Unverifiable keychain fallback behavior Sensitive Access
SKILL.md describes 'OS keychain preferred, file-based keychain as fallback'. The file-based fallback stores encrypted credentials on disk. Without binary access, it cannot be verified whether the key derivation material (PBKDF2 salt, derived key) is stored securely.
OS keychain preferred, file-based keychain as fallback
→ Ensure the file-based fallback uses OS-level file permissions (chmod 600) and that the encryption key is derived from a user-provided passphrase, not stored alongside the encrypted data.
SKILL.md:13
Low
Unversioned dependency reference Supply Chain
SKILL.md instructs installing via `github.com/oseaitic/harbor@latest`. Using @latest means different installations receive different code over time, with no reproducible audit trail.
go install github.com/oseaitic/harbor/cmd/harbor@latest
→ Pin to a specific version tag: `go install github.com/oseaitic/harbor/cmd/[email protected]`. Recommend users verify the git tag signature.
SKILL.md:47
Low
harbor_http permits credential forwarding to arbitrary domains Credential Theft
The `harbor_http` tool (auth-proxy HTTP) allows the agent to make HTTP requests to any URL using credentials stored in Harbor's keychain. While credentials are not exposed raw to the agent, the agent can indirectly exfiltrate data by routing it through Harbor to arbitrary endpoints.
harbor_http — Auth-proxy HTTP — call any API without exposing credentials
→ Document a domain whitelist for credential usage. Ensure harbor_http logs all outbound requests for auditability.
SKILL.md:75
| Resource | Declared | Inferred | Status | Evidence |
|---|---|---|---|---|
| Filesystem | READ/WRITE | UNKNOWN | ✓ Aligned | SKILL.md states 'filesystem: ~/.harbor/' but no binary/code exists to verify act… |
| Network | opt-in cloud sync | opt-out (undeclared) | ✗ Violation | SKILL.md line ~207: 'Creates a cloud account on first load' — undocumented netwo… |
| Shell | CLI tool invocation via execSync | EXEC | ✓ Aligned | SKILL.md lines 256, 274, 291: execSync used to invoke harbor CLI — documented as… |
| Environment | NONE | NONE | | SKILL.md explicitly recommends NOT using env vars for credentials, implying no e… |
| Skill Invoke | NONE | NONE | | No skill invocation declared. |
| Clipboard | NONE | UNKNOWN | ✓ Aligned | No binary to verify if Harbor reads clipboard during 'harbor auth' credential en… |
| Browser | NONE | NONE | | No browser access declared. |
| Database | NONE | NONE | | SKILL.md mentions Neon Postgres for Harbor Cloud but that's server-side, not age… |
3 findings
Medium External URL
https://harbor.oseaitic.com
SKILL.md:23
Medium External URL
https://api.tavily.com/search
SKILL.md:258
Medium External URL
https://api.stripe.com/v1/balance
SKILL.md:295

File Tree

1 file · 12.5 KB · 335 lines
Markdown 1f · 335L
└─ 📝 SKILL.md Markdown 335L · 12.5 KB

Security Positives

✓ SKILL.md is well-structured with clear security documentation sections
✓ No base64-encoded payloads, eval chains, or obfuscation detected
✓ No direct credential harvesting from environment variables described
✓ No curl|bash or wget|sh remote script execution patterns
✓ Zero-knowledge encryption claims (AES-256-GCM) are cryptographically sound in design
✓ CLI tool pattern using execSync is documented and has legitimate use case
✓ No hardcoded secrets, API keys, or sensitive data in the documentation
✓ Cloud sync architecture separates summary text from encrypted credential blobs
✓ Revocation mechanisms are clearly documented