Low risk — risk score 25/100
Last scanned: 18 hours ago
claw-security-suite
OpenClaw four-layer defense-in-depth security system — static scanning, logic auditing, runtime protection, and scheduled security patrols
The skill is a legitimate four-layer security defense suite for OpenClaw, but its SKILL.md permission declarations do not accurately reflect actual behavior — network requests to a Tencent endpoint are made without being declared in allowedTools, and filesystem write paths are undeclared.
Skill name: claw-security-suite
Analysis time: 58.6s
Engine: pi
OK to install
Update SKILL.md to declare network:READ (cloud intel check to Tencent ClawScan) and filesystem:WRITE (patrol reports to /app/working/logs/security/). The cloud check is controllable via CLAW_SECURITY_CLOUD_ENDPOINT but is enabled by default through the hardcoded fallback.

Security findings: 3

Severity | Finding | Location
Medium
Undeclared outbound network request (documentation deception)
static_scanner.py contains a hardcoded Tencent ClawScan endpoint (https://matrix.tencent.com/clawscan/skill_security) and calls it by default when a skill_name is provided. SKILL.md declares network: NONE with no mention of this outbound call. The CHANGELOG mentions the feature but the permission matrix does not reflect it.
CLOUD_INTEL_ENDPOINT = "https://matrix.tencent.com/clawscan/skill_security"
→ Update SKILL.md allowedTools section to declare network: READ. Alternatively, disable the default endpoint so cloud intel is only activated when CLAW_SECURITY_CLOUD_ENDPOINT is explicitly set.
lib/static_scanner.py:19
Low
Undeclared filesystem write paths (documentation deception)
security_patrol.py hardcodes two write paths (/app/working/security/baseline.json and /app/working/logs/security/) that are not mentioned in SKILL.md filesystem permissions.
BASELINE_FILE = "/app/working/security/baseline.json"
REPORT_DIR = "/app/working/logs/security/"
→ Declare filesystem: WRITE in SKILL.md and document the purpose of baseline/report files.
lib/security_patrol.py:24
Low
Security scanner reads .env pattern (sensitive access)
static_scanner.py DANGEROUS_PATTERNS includes a check for 'open(.*.env', which is a legitimate security detection signature. No actual .env exfiltration was found — the pattern is only used for scanning other skills.
(r'open\s*\(.*\.env', '警告:读取环境变量配置文件')
→ No action needed — this is a detection signature, not malicious behavior. Consider clarifying in comments that this pattern is for scanning other skills, not self-exfiltration.
lib/static_scanner.py:44
Resource type | Declared permission | Inferred permission | Status | Evidence
Network access | NONE | READ | ✗ Exceeds declaration | lib/static_scanner.py:19 — hardcoded Tencent endpoint, called in scan_directory(…
Filesystem | NONE | WRITE | ✗ Exceeds declaration | lib/security_patrol.py:24-25 — hardcoded paths /app/working/security/baseline.js…
Filesystem | NONE | READ | ✓ Consistent | lib/static_scanner.py:75-95, lib/logic_auditor.py:88-108 — scans arbitrary direc…
Command execution | NONE | NONE | | No subprocess/os.system calls found — DANGEROUS_PATTERNS are detection signature…
6 findings
Medium: External URL
http://169\.254\.169\.254
lib/runtime_protector.py:56
Medium: External URL
http://127\.0\.0\.1
lib/runtime_protector.py:57
Medium: External URL
http://172\.(1[6-9
lib/runtime_protector.py:60
Medium: External URL
http://192\.168\.
lib/runtime_protector.py:61
Medium: External URL
https://matrix.tencent.com/clawscan/skill_security
lib/static_scanner.py:17
Medium: External URL
https://matrix.tencent.com/clawscan/skill_security?skill_name=
references/security-policy.md:12

Directory structure

10 files · 35.4 KB · 1034 lines
Python 5f · 785L Markdown 3f · 237L Text 1f · 7L JSON 1f · 5L
├─ 📁 lib
│ ├─ 🐍 __init__.py Python 18L · 687 B
│ ├─ 🐍 logic_auditor.py Python 169L · 5.6 KB
│ ├─ 🐍 runtime_protector.py Python 174L · 5.1 KB
│ ├─ 🐍 security_patrol.py Python 210L · 7.2 KB
│ └─ 🐍 static_scanner.py Python 214L · 7.9 KB
├─ 📁 references
│ └─ 📝 security-policy.md Markdown 67L · 3.4 KB
├─ 📋 _meta.json JSON 5L · 138 B
├─ 📝 CHANGELOG.md Markdown 55L · 1.7 KB
├─ 📄 requirements.txt Text 7L · 287 B
└─ 📝 SKILL.md Markdown 115L · 3.4 KB

Dependency analysis: 1 item

Package | Version | Source | Known vulnerabilities | Notes
none | N/A | standard library only | | No pip dependencies — uses only os, re, hashlib, json, urllib from stdlib

Security highlights

✓ No subprocess, os.system, or shell execution found — the skill is entirely Python-based
✓ No credential harvesting or environment variable exfiltration
✓ No base64/encoded payloads or obfuscation techniques
✓ No persistence mechanisms (cron, startup hooks, backdoors)
✓ No supply chain risks — no external dependencies (all standard library)
✓ Cloud intel sends only skill_name and source, no local files or credentials
✓ All functionality (scanning, auditing, runtime protection, patrol) is legitimate and documented across CHANGELOG and references/