Security Decision Report

harbor-openclaw

SKILL.md is pure documentation for a Go binary with no executable code, but the description contains undeclared network behavior at first load (account provisioning) that contradicts the stated 'no telemetry' and 'cloud sync is opt-in' promises.

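Install decision first · Source: manual upload · Scan time: 2026/4/5
Files: 1
IOCs: 3
Overreach items: 1
Findings: 6
Most direct threat evidence

Why this conclusion was reached

1 of 4 dimensions triggered
Block
Declared vs. actual capabilities

Found 1 capability or overreach beyond what was declared.

Review
Hidden execution and outbound connections

Extracted 3 general-risk artifacts; these need to be judged in context.

Pass
Attack chain and high-severity findings

No clear malicious path was formed.

Review
Dependency and supply-chain hygiene

Dependency information is incomplete, so the supply-chain assessment must remain tentative.

How the risk score was raised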

Undeclared network behavior at first load +15

Plugin 'creates a cloud account on first load' — this is an undeclared network call to harbor-cloud.oseaitic.com that contradicts the 'fully local by default' and 'no telemetry' claims.

Doc-to-code gap — no binary to audit +10

SKILL.md is documentation only; there is no code, scripts, or binary to verify the stated zero-knowledge encryption and no-exfiltration claims.

Undeclared credential proxy functionality +5

The tool acts as a credential proxy (exfiltrates credentials in headers to arbitrary URLs via harbor_http). While documented, the risk of arbitrary HTTP calls to any domain is understated.

External domains with no AV indicators +5

harbor-cloud.oseaitic.com is not a major CDN; no DNSSEC/TLS details provided. The hosting claim (Fly.io Singapore, Neon Postgres) is unverifiable from docs alone.

Key evidence

Medium · Documentation deception

Undeclared network behavior on first load

The documentation claims 'cloud sync is opt-in' and 'fully local, no network calls by default', but the OpenClaw plugin section states it 'creates a cloud account on first load'. This is an undeclared outbound network request to harbor-cloud.oseaitic.com that occurs without explicit user consent.

SKILL.md:207
Distinguish clearly between 'account provisioning' and 'data sync'. Account provisioning is still a network call and should be opt-in. Change to: 'On first load, you may optionally create a cloud account for cross-device credential sync. No data is transmitted until you explicitly enable cloud sync.'
Medium · Documentation deception

No-telemetry claim contradicted by first-load network activity

The SKILL.md explicitly states 'No telemetry, no analytics, no tracking' and 'Default: fully local'. However, the plugin creates a cloud account automatically, which involves at least one network request to harbor-cloud.oseaitic.com. Even if no user data is transmitted, device fingerprinting (documented as hashed) is still transmitted.

SKILL.md:21
Update the 'no telemetry' claim to acknowledge the first-load account provisioning call, or restructure the system to require explicit opt-in before any network activity.
Medium · Documentation deception

No code/binary available for verification

This SKILL.md is pure documentation describing a Go binary. There are no scripts, no source code, and no compiled binary to audit. All security claims (AES-256-GCM encryption, zero-knowledge, no data exfiltration) are unverifiable from the artifact alone.

SKILL.md:1
Treat this skill as medium-risk by default since security properties cannot be independently verified. Request binary/source code review before trusting credential isolation claims in adversarial environments.
Low · Sensitive access

Unverifiable keychain fallback behavior

SKILL.md describes 'OS keychain preferred, file-based keychain as fallback'. The file-based fallback stores encrypted credentials on disk. Without binary access, it cannot be verified whether the key derivation material (PBKDF2 salt, derived key) is stored securely.

SKILL.md:13
Ensure the file-based fallback uses OS-level file permissions (chmod 600) and that the encryption key is derived from a user-provided passphrase, not stored alongside the encrypted data.
Low · Supply chain

Unversioned dependency reference

SKILL.md instructs installing via `github.com/oseaitic/harbor@latest`. Using @latest means different installations receive different code over time, with no reproducible audit trail.

SKILL.md:47
Pin to a specific version tag: `go install github.com/oseaitic/harbor/cmd/[email protected]`. Recommend users verify the git tag signature.
Low · Credential theft

harbor_http permits credential forwarding to arbitrary domains

The `harbor_http` tool (auth-proxy HTTP) allows the agent to make HTTP requests to any URL using credentials stored in Harbor's keychain. While credentials are not exposed raw to the agent, the agent can indirectly exfiltrate data by routing it through Harbor to arbitrary endpoints.

SKILL.md:75
Document a domain whitelist for credential usage. Ensure harbor_http logs all outbound requests for auditability.

Declared capabilities vs. actual capabilities

Filesystem: Pass
Declared: READ/WRITE
Inferred: UNKNOWN
SKILL.md states 'filesystem: ~/.harbor/' but no binary/code exists to verify actual filesystem access scope.
Network access: Block
Declared: opt-in cloud sync
Inferred: opt-out (undeclared)
SKILL.md line ~207: 'Creates a cloud account on first load' — undocumented network call happens before user enables cloud sync.
Command execution: Pass
Declared: CLI tool invocation via execSync
Inferred: EXEC
SKILL.md lines 256, 274, 291: execSync used to invoke harbor CLI — documented as build tool pattern.
Environment variables: Pass
Declared: NONE
Inferred: NONE
SKILL.md explicitly recommends NOT using env vars for credentials, implying no env var access.
Skill invocation: Pass
Declared: NONE
Inferred: NONE
No skill invocation declared.
Clipboard: Pass
Declared: NONE
Inferred: UNKNOWN
No binary to verify if Harbor reads clipboard during 'harbor auth' credential entry.
Browser: Pass
Declared: NONE
Inferred: NONE
No browser access declared.
Database: Pass
Declared: NONE
Inferred: NONE
SKILL.md mentions Neon Postgres for Harbor Cloud but that's server-side, not agent-side access.

Suspicious artifacts and outbound connections

Medium · External URL
https://harbor.oseaitic.com

SKILL.md:23

Medium · External URL
https://api.tavily.com/search

SKILL.md:258

Medium · External URL
https://api.stripe.com/v1/balance

SKILL.md:295

Dependencies and supply chain

No structured dependency alerts.

File composition

1 file · 335 lines
Markdown: 1 file · 335 lines
Files needing attention · 1
SKILL.md Markdown · 335 lines
Undeclared network behavior on first load · No-telemetry claim contradicted by first-load network activity · No code/binary available for verification · Unverifiable keychain fallback behavior · Unversioned dependency reference · harbor_http permits credential forwarding to arbitrary domains · https://harbor.oseaitic.com · https://api.tavily.com/search · https://api.stripe.com/v1/balance

Security highlights

SKILL.md is well-structured with clear security documentation sections
No base64-encoded payloads, eval chains, or obfuscation detected
No direct credential harvesting from environment variables described
No curl|bash or wget|sh remote script execution patterns
Zero-knowledge encryption claims (AES-256-GCM) are cryptographically sound in design
CLI tool pattern using execSync is documented and has legitimate use case
No hardcoded secrets, API keys, or sensitive data in the documentation
Cloud sync architecture separates summary text from encrypted credential blobs
Revocation mechanisms are clearly documented