中文 EN

扫描报告

扫描新文件

可疑 — 风险评分 35/100
上次扫描:18 小时前 重新扫描
35 /100
harbor-openclaw
Persistent cross-session memory, credential isolation, and schema learning for OpenClaw agent
SKILL.md is pure documentation for a Go binary with no executable code, but the description contains undeclared network behavior at first load (account provisioning) that contradicts the stated 'no telemetry' and 'cloud sync is opt-in' promises.
技能名称harbor-openclaw
分析耗时63.7s
引擎pi
谨慎使用
Before using this skill, verify the actual binary behavior: does it make any network requests before the user explicitly enables cloud sync? Request source code audit of the harbor binary. The cloud account auto-provisioning on first load should be clearly documented as opt-out (not opt-in).

安全发现 6 项

严重性 安全发现 位置
中危
Undeclared network behavior on first load 文档欺骗
The documentation claims 'cloud sync is opt-in' and 'fully local, no network calls by default', but the OpenClaw plugin section states it 'creates a cloud account on first load'. This is an undeclared outbound network request to harbor-cloud.oseaitic.com that occurs without explicit user consent.
Creates a cloud account on first load (enables credential setup page). **No data is synced until you call `harbor remember`**.
→ Distinguish clearly between 'account provisioning' and 'data sync'. Account provisioning is still a network call and should be opt-in. Change to: 'On first load, you may optionally create a cloud account for cross-device credential sync. No data is transmitted until you explicitly enable cloud sync.'
 SKILL.md:207
中危
No-telemetry claim contradicted by first-load network activity 文档欺骗
The SKILL.md explicitly states 'No telemetry, no analytics, no tracking' and 'Default: fully local'. However, the plugin creates a cloud account automatically, which involves at least one network request to harbor-cloud.oseaitic.com. Even if no user data is transmitted, device fingerprinting (documented as hashed) is still transmitted.
harbor-cloud.oseaitic.com/api/auth/* | Auth | Device fingerprint (hash), setup tokens
→ Update the 'no telemetry' claim to acknowledge the first-load account provisioning call, or restructure the system to require explicit opt-in before any network activity.
 SKILL.md:21
中危
No code/binary available for verification 文档欺骗
This SKILL.md is pure documentation describing a Go binary. There are no scripts, no source code, and no compiled binary to audit. All security claims (AES-256-GCM encryption, zero-knowledge, no data exfiltration) are unverifiable from the artifact alone.
go install github.com/oseaitic/harbor/cmd/harbor@latest
→ Treat this skill as medium-risk by default since security properties cannot be independently verified. Request binary/source code review before trusting credential isolation claims in adversarial environments.
 SKILL.md:1
低危
Unverifiable keychain fallback behavior 敏感访问
SKILL.md describes 'OS keychain preferred, file-based keychain as fallback'. The file-based fallback stores encrypted credentials on disk. Without binary access, it cannot be verified whether the key derivation material (PBKDF2 salt, derived key) is stored securely.
OS keychain preferred, file-based keychain as fallback
→ Ensure the file-based fallback uses OS-level file permissions (chmod 600) and that the encryption key is derived from a user-provided passphrase, not stored alongside the encrypted data.
 SKILL.md:13
低危
Unversioned dependency reference 供应链
SKILL.md instructs installing via `github.com/oseaitic/harbor@latest`. Using @latest means different installations receive different code over time, with no reproducible audit trail.
go install github.com/oseaitic/harbor/cmd/harbor@latest
→ Pin to a specific version tag: `go install github.com/oseaitic/harbor/cmd/[email protected]`. Recommend users verify the git tag signature.
 SKILL.md:47
低危
harbor_http permits credential forwarding to arbitrary domains 凭证窃取
The `harbor_http` tool (auth-proxy HTTP) allows the agent to make HTTP requests to any URL using credentials stored in Harbor's keychain. While credentials are not exposed raw to the agent, the agent can indirectly exfiltrate data by routing it through Harbor to arbitrary endpoints.
harbor_http — Auth-proxy HTTP — call any API without exposing credentials
→ Document a domain whitelist for credential usage. Ensure harbor_http logs all outbound requests for auditability.
 SKILL.md:75
资源类型声明权限推断权限状态证据
文件系统 READ/WRITE UNKNOWN ✓ 一致 SKILL.md states 'filesystem: ~/.harbor/' but no binary/code exists to verify act…
网络访问 opt-in cloud sync opt-out (undeclared) ✗ 越权 SKILL.md line ~207: 'Creates a cloud account on first load' — undocumented netwo…
命令执行 CLI tool invocation via execSync EXEC ✓ 一致 SKILL.md lines 256, 274, 291: execSync used to invoke harbor CLI — documented as…
环境变量 NONE NONE SKILL.md explicitly recommends NOT using env vars for credentials, implying no e…
技能调用 NONE NONE No skill invocation declared.
剪贴板 NONE UNKNOWN ✓ 一致 No binary to verify if Harbor reads clipboard during 'harbor auth' credential en…
浏览器 NONE NONE No browser access declared.
数据库 NONE NONE SKILL.md mentions Neon Postgres for Harbor Cloud but that's server-side, not age…
3 项发现
🔗
中危 外部 URL 外部 URL
https://harbor.oseaitic.com
SKILL.md:23
🔗
中危 外部 URL 外部 URL
https://api.tavily.com/search
SKILL.md:258
🔗
中危 外部 URL 外部 URL
https://api.stripe.com/v1/balance
SKILL.md:295

目录结构

1 文件 · 12.5 KB · 335 行
Markdown 1f · 335L
└─ 📝 SKILL.md Markdown 335L · 12.5 KB

安全亮点

✓ SKILL.md is well-structured with clear security documentation sections
✓ No base64-encoded payloads, eval chains, or obfuscation detected
✓ No direct credential harvesting from environment variables described
✓ No curl|bash or wget|sh remote script execution patterns
✓ Zero-knowledge encryption claims (AES-256-GCM) are cryptographically sound in design
✓ CLI tool pattern using execSync is documented and has legitimate use case
✓ No hardcoded secrets, API keys, or sensitive data in the documentation
✓ Cloud sync architecture separates summary text from encrypted credential blobs
✓ Revocation mechanisms are clearly documented