Low Risk — Risk Score 25/100
Last scan: 18 hr ago
claw-security-suite
OpenClaw four-layer defense-in-depth security system — static scanning, logic auditing, runtime protection, and scheduled security patrols
The skill is a legitimate four-layer security defense suite for OpenClaw, but its SKILL.md permission declarations do not accurately reflect actual behavior — network requests to a Tencent endpoint are made without being declared in allowedTools, and filesystem write paths are undeclared.
Skill Name: claw-security-suite
Duration: 58.6s
Engine: pi
Safe to install
Update SKILL.md to declare network:READ (cloud intel check to Tencent ClawScan) and filesystem:WRITE (patrol reports to /app/working/logs/security/). The cloud check is controllable via CLAW_SECURITY_CLOUD_ENDPOINT but is enabled by default through the hardcoded fallback.

Findings 3 items

Severity | Finding | Location

Medium | Undeclared outbound network request (Doc Mismatch) | lib/static_scanner.py:19
static_scanner.py contains a hardcoded Tencent ClawScan endpoint (https://matrix.tencent.com/clawscan/skill_security) and calls it by default when a skill_name is provided. SKILL.md declares network: NONE with no mention of this outbound call. The CHANGELOG mentions the feature but the permission matrix does not reflect it.
CLOUD_INTEL_ENDPOINT = "https://matrix.tencent.com/clawscan/skill_security"
→ Update SKILL.md allowedTools section to declare network: READ. Alternatively, disable the default endpoint so cloud intel is only activated when CLAW_SECURITY_CLOUD_ENDPOINT is explicitly set.

Low | Undeclared filesystem write paths (Doc Mismatch) | lib/security_patrol.py:24
security_patrol.py hardcodes two write paths (/app/working/security/baseline.json and /app/working/logs/security/) that are not mentioned in SKILL.md filesystem permissions.
BASELINE_FILE = "/app/working/security/baseline.json"
REPORT_DIR = "/app/working/logs/security/"
→ Declare filesystem: WRITE in SKILL.md and document the purpose of baseline/report files.

Low | Security scanner reads .env pattern (Sensitive Access) | lib/static_scanner.py:44
static_scanner.py DANGEROUS_PATTERNS includes a check for 'open(.*.env', which is a legitimate security detection signature. No actual .env exfiltration was found — the pattern is only used for scanning other skills.
(r'open\s*\(.*\.env', '警告:读取环境变量配置文件')
→ No action needed — this is a detection signature, not malicious behavior. Consider clarifying in comments that this pattern is for scanning other skills, not self-exfiltration.

Resource | Declared | Inferred | Status | Evidence
Network | NONE | READ | ✗ Violation | lib/static_scanner.py:19 — hardcoded Tencent endpoint, called in scan_directory(…
Filesystem | NONE | WRITE | ✗ Violation | lib/security_patrol.py:24-25 — hardcoded paths /app/working/security/baseline.js…
Filesystem | NONE | READ | ✓ Aligned | lib/static_scanner.py:75-95, lib/logic_auditor.py:88-108 — scans arbitrary direc…
Shell | NONE | NONE | | No subprocess/os.system calls found — DANGEROUS_PATTERNS are detection signature…

6 findings
Medium | External URL | http://169\.254\.169\.254 | lib/runtime_protector.py:56
Medium | External URL | http://127\.0\.0\.1 | lib/runtime_protector.py:57
Medium | External URL | http://172\.(1[6-9 | lib/runtime_protector.py:60
Medium | External URL | http://192\.168\. | lib/runtime_protector.py:61
Medium | External URL | https://matrix.tencent.com/clawscan/skill_security | lib/static_scanner.py:17
Medium | External URL | https://matrix.tencent.com/clawscan/skill_security?skill_name= | references/security-policy.md:12

File Tree

10 files · 35.4 KB · 1034 lines
Python 5f · 785L Markdown 3f · 237L Text 1f · 7L JSON 1f · 5L
├─ 📁 lib
│ ├─ 🐍 __init__.py Python 18L · 687 B
│ ├─ 🐍 logic_auditor.py Python 169L · 5.6 KB
│ ├─ 🐍 runtime_protector.py Python 174L · 5.1 KB
│ ├─ 🐍 security_patrol.py Python 210L · 7.2 KB
│ └─ 🐍 static_scanner.py Python 214L · 7.9 KB
├─ 📁 references
│ └─ 📝 security-policy.md Markdown 67L · 3.4 KB
├─ 📋 _meta.json JSON 5L · 138 B
├─ 📝 CHANGELOG.md Markdown 55L · 1.7 KB
├─ 📄 requirements.txt Text 7L · 287 B
└─ 📝 SKILL.md Markdown 115L · 3.4 KB

Dependencies 1 item

Package | Version | Source | Known Vulns | Notes
none | N/A | standard library only | No | No pip dependencies — uses only os, re, hashlib, json, urllib from stdlib

Security Positives

✓ No subprocess, os.system, or shell execution found — the skill is entirely Python-based
✓ No credential harvesting or environment variable exfiltration
✓ No base64/encoded payloads or obfuscation techniques
✓ No persistence mechanisms (cron, startup hooks, backdoors)
✓ No supply chain risks — no external dependencies (all standard library)
✓ Cloud intel sends only skill_name and source, no local files or credentials
✓ All functionality (scanning, auditing, runtime protection, patrol) is legitimate and documented across CHANGELOG and references/