cmdb-query Security Report — Low Risk | ClawSafe

20 /100

cmdb-query

查询 CMDB 资产数据，支持按主机、应用、数据库等资源类型查询

A legitimate internal CMDB query tool with hardcoded credentials in source and documentation, and disabled SSL verification — concerning but aligned with documented purpose.

Skill Namecmdb-query

Duration38.4s

Enginepi

✓

Safe to install

Replace hardcoded credentials with environment variables or a secrets manager, and remove verify=False unless the internal CA is trusted.

Findings 3 items

Severity	Finding	Location
Medium	Hardcoded plaintext credentials in source code Credential Theft lib/query.py embeds username='openclaw_read' and password='JzXCxTaDxE' as string literals. These are service account credentials that should never be stored in source code. `USERNAME = "openclaw_read" PASSWORD = "JzXCxTaDxE"` → Move credentials to environment variables (e.g. os.environ['CMDB_USERNAME']) or a secrets manager. Use a .env file excluded from version control.	`lib/query.py:14`
Low	Credentials publicly listed in SKILL.md Doc Mismatch SKILL.md explicitly lists the service account username and password in the documentation. This is a credential-exposure risk if the repo is public or leaked. `用户名: openclaw_read 密码: JzXCxTaDxE` → Remove credentials from documentation. Reference environment variables or a config file instead.	`SKILL.md:16`
Low	SSL certificate verification disabled Sensitive Access requests.post calls use verify=False, disabling TLS certificate validation. This exposes API communication to man-in-the-middle attacks. `verify=False # 跳过证书验证` → Either install the internal CA certificate and use verify='/path/to/ca.crt', or ensure the internal network is trusted. Document the risk if disabling is intentional.	`lib/query.py:37`

Resource	Declared	Inferred	Status	Evidence
Filesystem	`NONE`	`READ`	✓ Aligned	lib/query.py:7-10 import statements only
Network	`READ`	`WRITE`	✓ Aligned	SKILL.md declares curl/jq usage; code makes POST requests to internal CMDB API
Shell	`NONE`	`NONE`	—	No subprocess or shell execution found
Environment	`NONE`	`NONE`	—	No os.environ access found

5 findings

🔗

Medium External URL 外部 URL

https://10.255.227.233/cmdb

SKILL.md:4

🔗

Medium External URL 外部 URL

https://10.255.227.233/cmdb/v1/api/cloudresources/resource/instance/host

SKILL.md:116

🔗

Medium External URL 外部 URL

https://10.255.227.233/cmdb/v1/api/cloudresources/resource/instance/application

SKILL.md:124

🔗

Medium External URL 外部 URL

https://10.255.227.233/cmdb/v1/api/cloudresources/resource/instance/RDS_database

SKILL.md:139

🔗

Medium External URL 外部 URL

https://10.255.227.233/cmdb/v1/api

lib/query.py:13

File Tree

2 files · 10.2 KB · 369 lines

Python 1f · 193L Markdown 1f · 176L

├─ ▾ 📁 lib

│ └─ 🐍 query.py Python 193L · 5.3 KB

└─ 📝 SKILL.md Markdown 176L · 4.9 KB

Dependencies 1 items

Package	Version	Source	Known Vulns	Notes
`requests`	`unpinned`	pip	No	No requirements.txt found; requests is used but not pinned

Security Positives

✓ No reverse shell, C2, or data exfiltration behavior observed

✓ No obfuscation (no base64, eval, or anti-analysis techniques)

✓ No credential harvesting beyond the single service account it uses

✓ No unauthorized sensitive file access (~/.ssh, ~/.aws, .env)

✓ No supply chain risks (single requests dependency, no unpinned install)

✓ Implementation matches documented behavior — no hidden functionality

✓ Token caching with expiry logic is reasonable for an internal tool

Scan Report

Findings 3 items

File Tree

Dependencies 1 items

Security Positives