Low risk: risk score 20/100
Last scan: 20 hours ago
cmdb-query
Queries CMDB asset data; supports lookups by resource type such as host, application, and database.
A legitimate internal CMDB query tool with hardcoded credentials in source and documentation, and disabled SSL verification — concerning but aligned with documented purpose.
Skill name: cmdb-query
Analysis time: 38.4s
Engine: pi
Verdict: can be installed
Replace hardcoded credentials with environment variables or a secrets manager, and remove verify=False unless the internal CA is trusted.

Security findings: 3

Severity | Finding | Location
Medium | Hardcoded plaintext credentials in source code (credential theft) | lib/query.py:14
lib/query.py embeds username='openclaw_read' and password='JzXCxTaDxE' as string literals. These are service account credentials that should never be stored in source code.
    USERNAME = "openclaw_read"
    PASSWORD = "JzXCxTaDxE"
→ Move credentials to environment variables (e.g. os.environ['CMDB_USERNAME']) or a secrets manager. Use a .env file excluded from version control.

Low | Credentials publicly listed in SKILL.md (documentation deception) | SKILL.md:16
SKILL.md explicitly lists the service account username and password in the documentation. This is a credential-exposure risk if the repo is public or leaked.
    Username: openclaw_read
    Password: JzXCxTaDxE
→ Remove credentials from documentation. Reference environment variables or a config file instead.

Low | SSL certificate verification disabled (sensitive access) | lib/query.py:37
requests.post calls use verify=False, disabling TLS certificate validation. This exposes API communication to man-in-the-middle attacks.
    verify=False  # skip certificate verification
→ Either install the internal CA certificate and use verify='/path/to/ca.crt', or ensure the internal network is trusted. Document the risk if disabling is intentional.
Resource type | Declared permission | Inferred permission | Status | Evidence
File system | NONE | READ | ✓ consistent | lib/query.py:7-10 import statements only
Network access | READ | WRITE | ✓ consistent | SKILL.md declares curl/jq usage; code makes POST requests to internal CMDB API
Command execution | NONE | NONE | | No subprocess or shell execution found
Environment variables | NONE | NONE | | No os.environ access found
External URLs: 5 findings

Severity | Type | URL | Location
Medium | External URL | https://10.255.227.233/cmdb | SKILL.md:4
Medium | External URL | https://10.255.227.233/cmdb/v1/api/cloudresources/resource/instance/host | SKILL.md:116
Medium | External URL | https://10.255.227.233/cmdb/v1/api/cloudresources/resource/instance/application | SKILL.md:124
Medium | External URL | https://10.255.227.233/cmdb/v1/api/cloudresources/resource/instance/RDS_database | SKILL.md:139
Medium | External URL | https://10.255.227.233/cmdb/v1/api | lib/query.py:13

Directory structure

2 files · 10.2 KB · 369 lines
Python: 1 file · 193 lines; Markdown: 1 file · 176 lines
├─ lib
│  └─ query.py (Python, 193 lines · 5.3 KB)
└─ SKILL.md (Markdown, 176 lines · 4.9 KB)

Dependency analysis: 1 item

Package | Version | Source | Known vulnerabilities | Notes
requests | unpinned | pip | | No requirements.txt found; requests is used but not pinned

Security highlights

✓ No reverse shell, C2, or data exfiltration behavior observed
✓ No obfuscation (no base64, eval, or anti-analysis techniques)
✓ No credential harvesting beyond the single service account it uses
✓ No unauthorized sensitive file access (~/.ssh, ~/.aws, .env)
✓ No supply chain risks (single requests dependency, no unpinned install)
✓ Implementation matches documented behavior — no hidden functionality
✓ Token caching with expiry logic is reasonable for an internal tool