中文 EN

扫描报告

扫描新文件

可疑 — 风险评分 45/100
上次扫描:1 天前 重新扫描
45 /100
gateway-monitor-installer
Install, update, run, and remove OpenClaw Gateway Monitor + Gateway Watchdog on macOS via LaunchAgent
Skill contains undeclared external network access and reads API credentials from auth profiles to transmit to minimaxi.com, with missing template files referenced in documentation.
技能名称gateway-monitor-installer
分析耗时50.1s
引擎pi
谨慎使用
Add explicit declarations for external API calls to minimaxi.com, credential file access to ~/.openclaw/agents/main/agent/auth-profiles.json, and include the missing launchagent plist templates in the package.

安全发现 4 项

严重性 安全发现 位置
中危
Undeclared external network access 文档欺骗
The gateway-monitor-server.js makes HTTPS requests to https://www.minimaxi.com/v1/api/openplatform/coding_plan/remains without any mention in SKILL.md. This is a hidden network behavior.
MINIMAX_REMAINS_URL = process.env.MINIMAX_REMAINS_URL || 'https://www.minimaxi.com/v1/api/openplatform/coding_plan/remains'
→ Document all external API endpoints in SKILL.md capabilities section
 assets/bin/gateway-monitor-server.js:28
中危
Undeclared credential file access 敏感访问
The skill reads the MiniMax API key from ~/.openclaw/agents/main/agent/auth-profiles.json, a sensitive credential storage location, without declaring this access in documentation.
const raw = fs.readFileSync(MINIMAX_AUTH_PROFILE_PATH, 'utf8');
→ Declare access to credential files in SKILL.md or use only environment variables
 assets/bin/gateway-monitor-server.js:309
中危
Missing launchagent template files 文档欺骗
SKILL.md and install.sh reference template files at assets/launchagents/*.plist.tpl that do not exist in the package. These files are needed for the installation to succeed.
TPL_MONITOR="$ROOT_DIR/assets/launchagents/${MONITOR_LABEL}.plist.tpl"
→ Include the missing launchagent plist template files in the package
 SKILL.md:24
低危
API key transmitted to external service 数据外泄
The MiniMax API key is sent in the Authorization header to an external service (minimaxi.com). While the service appears legitimate, the transmission of credentials to external endpoints is a sensitive behavior.
Authorization: `Bearer ${keyInfo.key}`
→ Document this behavior explicitly and consider if the API call is necessary for the core functionality
 assets/bin/gateway-monitor-server.js:344
资源类型声明权限推断权限状态证据
文件系统 WRITE READ ✓ 一致 SKILL.md declares file write to ~/.openclaw/tools/
网络访问 NONE READ ✗ 越权 gateway-monitor-server.js:28 - external HTTPS call to minimaxi.com not declared
命令执行 WRITE WRITE ✓ 一致 launchctl commands in install.sh/status.sh are documented
环境变量 NONE READ ✗ 越权 gateway-monitor-server.js:309 - reads MINIMAX_CP_KEY from environment
3 项发现
🔗
中危 外部 URL 外部 URL
http://127.0.0.1:18990
SKILL.md:40
🔗
中危 外部 URL 外部 URL
https://www.minimaxi.com/v1/api/openplatform/coding_plan/remains
assets/bin/gateway-monitor-server.js:28
🔗
中危 外部 URL 外部 URL
http://127.0.0.1:18990/api/summary
scripts/status.sh:25

目录结构

6 文件 · 42.9 KB · 1527 行
JavaScript 1f · 1321L Shell 4f · 159L Markdown 1f · 47L
├─ 📁 assets
│ └─ 📁 bin
│ ├─ 📜 gateway-monitor-server.js JavaScript 1321L · 36.9 KB
│ └─ 🔧 gateway-watchdog.sh Shell 33L · 1.5 KB
├─ 📁 scripts
│ ├─ 🔧 install.sh Shell 69L · 1.9 KB
│ ├─ 🔧 status.sh Shell 28L · 706 B
│ └─ 🔧 uninstall.sh Shell 29L · 732 B
└─ 📝 SKILL.md Markdown 47L · 1.2 KB

安全亮点

✓ No reverse shell or C2 infrastructure detected
✓ No base64-encoded or obfuscated payloads found
✓ Uses standard macOS LaunchAgent for service management (legitimate)
✓ HTTPS used for external communication (not plaintext)
✓ No credential exfiltration to attacker-controlled infrastructure
✓ Configuration backup mechanism is sensible
✓ Error handling appears robust