paw-chat 安全扫描报告 — 可信 | ClawSafe

5 /100

paw-chat

Install and manage Paw - a standalone web chat frontend for OpenClaw Gateway

Paw Chat is a legitimate static web chat frontend for OpenClaw Gateway. All shell scripts are documented and necessary. No credential theft, data exfiltration, obfuscation, or hidden functionality. Zero npm dependencies, zero malicious indicators.

技能名称paw-chat

分析耗时38.8s

引擎pi

✓

可以安装

This skill is safe to use. Shell execution (start.sh, install.sh) is declared in SKILL.md and serves legitimate purposes (local HTTP server, deployment to Gateway directory). No action required.

资源类型	声明权限	推断权限	状态	证据
文件系统	`WRITE`	`WRITE`	✓ 一致	SKILL.md declares file write to ~/.openclaw/ and local serve directory
命令执行	`WRITE`	`WRITE`	✓ 一致	start.sh:1 uses bash for python http.server; install.sh:1 uses bash for file cop…
网络访问	`READ`	`READ`	✓ 一致	paw-app.js:2323 references highlightjs.org CDN (external URL)
环境变量	`NONE`	`NONE`	—	No os.environ access in JS code
数据库	`NONE`	`NONE`	—	No database access
剪贴板	`READ`	`READ`	✓ 一致	paw-app.js:1745 handles clipboard paste for images
浏览器	`NONE`	`READ`	✓ 一致	Standard browser API usage (localStorage, WebSocket)
技能调用	`NONE`	`NONE`	—	No skill_invoke usage

9 项发现

🔗

中危外部 URL 外部 URL

https://img.shields.io/badge/OpenClaw-Paw-blue?style=for-the-badge

README.md:4

🔗

中危外部 URL 外部 URL

https://img.shields.io/badge/License-MIT-green?style=flat-square

README.md:5

🔗

中危外部 URL 外部 URL

https://img.shields.io/badge/Zero-Dependencies-orange?style=flat-square

README.md:6

🔗

中危外部 URL 外部 URL

https://openclaw.ai

README.md:147

🔗

中危外部 URL 外部 URL

https://docs.openclaw.ai

README.md:148

🔗

中危外部 URL 外部 URL

https://discord.com/invite/clawd

README.md:150

🔗

中危外部 URL 外部 URL

https://www.python.org/downloads/

assets/paw-app.js:2323

🔗

中危外部 URL 外部 URL

https://highlightjs.org/

assets/paw-app.js:2387

📧

提示邮箱邮箱地址

[email protected]

assets/highlight.min.js:3

目录结构

10 文件 · 300.2 KB · 5050 行

JavaScript 3f · 3856L HTML 1f · 791L Markdown 2f · 254L Shell 2f · 94L JSON 1f · 46L CSS 1f · 9L

├─ ▾ 📁 assets

│ ├─ 📄 github-dark.min.css CSS 9L · 1.3 KB

│ ├─ 📜 highlight.min.js JavaScript 1243L · 124.5 KB

│ ├─ 📄 index.html HTML 791L · 34.7 KB

│ ├─ 📜 marked.min.js JavaScript 69L · 39.0 KB

│ ├─ 📜 paw-app.js JavaScript 2544L · 90.5 KB

│ └─ 🔧 start.sh Shell 46L · 1.2 KB

├─ ▾ 📁 scripts

│ └─ 🔧 install.sh Shell 48L · 1.3 KB

├─ 📋 package.json JSON 46L · 940 B

├─ 📝 README.md Markdown 153L · 3.9 KB

└─ 📝 SKILL.md Markdown 101L · 2.8 KB

安全亮点

✓ No credential theft or environment variable harvesting

✓ No data exfiltration or C2 communication

✓ No obfuscation (base64, eval, atob) or anti-analysis techniques

✓ Zero npm dependencies — no supply chain attack surface

✓ SKILL.md accurately describes all shell script behavior

✓ WebSocket connects only to user-configured Gateway URL

✓ Configuration stored only in browser localStorage

✓ All file writes are user-directed (Gateway directory or local serve)

✓ Pure static frontend — no server-side code

✓ Shell scripts execute only local Python http.server (no remote code)

✓ ZIP download feature builds package locally from served files

✓ Code is readable and well-structured (no minified malicious payloads)