openclaw-manager Security Report — Trusted | ClawSafe

5 /100

openclaw-manager

OpenClaw-native local control plane and durable state sidecar with thread shadow observation, session management, and connector normalization

OpenClaw Manager is a well-architected local control plane skill with strong security controls including loopback-only networking, consent-gated autostart, and no external data exfiltration.

Skill Nameopenclaw-manager

Duration47.7s

Enginepi

✓

Safe to install

The skill is safe to use. Ensure OPENCLAW_MANAGER_ALLOW_REMOTE_SIDECAR is not set in untrusted environments and review connector configurations before enabling external integrations.

Findings 1 items

Severity	Finding	Location
Low	Dependency version not exact-pinned Express uses ^5.1.0 instead of exact version. While not a security issue, exact pinning provides better reproducibility. `"express": "^5.1.0"` → Consider using exact version "5.1.0" or similar for production deployments	`package.json:27`

Resource	Declared	Inferred	Status	Evidence
Filesystem	`WRITE`	`WRITE`	✓ Aligned	FsStore writes to ~/.openclaw/skills/manager/
Network	`NONE`	`READ`	✓ Aligned	Health check only to loopback /health endpoint
Shell	`NONE`	`NONE`	—	Uses spawn with shell:false to launch only known local entrypoints
Environment	`READ`	`READ`	✓ Aligned	Only reads local manager config vars (STATE_ROOT, BIND_HOST, etc.)
Skill Invoke	`NONE`	`NONE`	—	No skill invocation observed
Clipboard	`NONE`	`NONE`	—	No clipboard access observed
Browser	`NONE`	`NONE`	—	No browser access observed
Database	`NONE`	`NONE`	—	Uses filesystem-only JSONL storage

6 findings

🔗

Medium External URL 外部 URL

http://127.0.0.1:4318

README.md:113

🔗

Medium External URL 外部 URL

http://127.0.0.1:4318/health

README.md:378

🔗

Medium External URL 外部 URL

http://127.0.0.1:

SECURITY.md:36

🔗

Medium External URL 外部 URL

https://opencollective.com/express

package-lock.json:598

🔗

Medium External URL 外部 URL

https://json-schema.org/draft/2020-12/schema

schemas/capability-fact.schema.json:2

🔗

Medium External URL 外部 URL

http://127.0.0.1:45218

scripts/security-smoke.cjs:39

File Tree

63 files · 232.2 KB · 7061 lines

TypeScript 37f · 4057L JSON 8f · 1652L Markdown 13f · 894L JavaScript 2f · 323L Shell 1f · 103L YAML 2f · 32L

├─ ▾ 📁 agents

│ └─ 📋 openai.yaml YAML 3L · 312 B

├─ ▾ 📁 docs

│ ├─ 📝 architecture.md Markdown 32L · 1.1 KB

│ ├─ 📝 capability-facts.md Markdown 35L · 704 B

│ ├─ 📝 connector-protocol.md Markdown 42L · 1.3 KB

│ ├─ 📝 event-schema.md Markdown 33L · 635 B

│ ├─ 📝 security-audit-response.md Markdown 83L · 2.8 KB

│ └─ 📝 session-model.md Markdown 58L · 1.0 KB

├─ ▾ 📁 schemas

│ ├─ 📋 capability-fact.schema.json JSON 17L · 625 B

│ ├─ 📋 event.schema.json JSON 15L · 436 B

│ ├─ 📋 run.schema.json JSON 16L · 480 B

│ ├─ 📋 session.schema.json JSON 24L · 1002 B

│ └─ 📋 skill-trace.schema.json JSON 18L · 570 B

├─ ▾ 📁 scripts

│ ├─ 🔧 install.sh Shell 103L · 2.9 KB

│ ├─ 📜 security-smoke.cjs JavaScript 88L · 3.4 KB

│ └─ 📜 smoke-test.cjs JavaScript 235L · 9.5 KB

├─ ▾ 📁 src

│ ├─ ▾ 📁 api

│ │ ├─ 📜 health.ts TypeScript 19L · 638 B

│ │ ├─ 📜 inbound.ts TypeScript 41L · 1.4 KB

│ │ └─ 📜 server.ts TypeScript 289L · 10.2 KB

│ ├─ ▾ 📁 connectors

│ │ ├─ 📜 base.ts TypeScript 48L · 1.7 KB

│ │ ├─ 📜 email.ts TypeScript 40L · 1.7 KB

│ │ ├─ 📜 github.ts TypeScript 42L · 2.1 KB

│ │ ├─ 📜 registry.ts TypeScript 16L · 537 B

│ │ ├─ 📜 telegram.ts TypeScript 39L · 1.8 KB

│ │ └─ 📜 wecom.ts TypeScript 39L · 1.7 KB

│ ├─ ▾ 📁 control-plane

│ │ ├─ 📜 attention-service.ts TypeScript 280L · 9.6 KB

│ │ ├─ 📜 binding-service.ts TypeScript 62L · 2.2 KB

│ │ ├─ 📜 checkpoint-service.ts TypeScript 60L · 2.5 KB

│ │ ├─ 📜 event-service.ts TypeScript 37L · 1.3 KB

│ │ ├─ 📜 run-service.ts TypeScript 70L · 2.4 KB

│ │ ├─ 📜 session-service.ts TypeScript 386L · 13.8 KB

│ │ ├─ 📜 shadow-classifier.ts TypeScript 242L · 7.7 KB

│ │ ├─ 📜 shadow-service.ts TypeScript 565L · 20.8 KB

│ │ ├─ 📜 share-service.ts TypeScript 103L · 4.1 KB

│ │ └─ 📜 spool-service.ts TypeScript 34L · 1.2 KB

│ ├─ ▾ 📁 exporters

│ │ ├─ 📜 markdown-report.ts TypeScript 77L · 2.8 KB

│ │ └─ 📜 snapshot-html.ts TypeScript 82L · 3.1 KB

│ ├─ ▾ 📁 skill

│ │ ├─ 📜 autostart-consent.ts TypeScript 43L · 1.2 KB

│ │ ├─ 📜 bootstrap.ts TypeScript 216L · 6.3 KB

│ │ ├─ 📜 commands.ts TypeScript 112L · 5.0 KB

│ │ ├─ 📜 hooks.ts TypeScript 50L · 1.8 KB

│ │ ├─ 📜 local-config.ts TypeScript 79L · 2.7 KB

│ │ ├─ 📜 sidecar-health.ts TypeScript 10L · 245 B

│ │ └─ 📜 sidecar-launcher.ts TypeScript 36L · 956 B

│ ├─ ▾ 📁 storage

│ │ ├─ 📜 fs-store.ts TypeScript 217L · 6.0 KB

│ │ ├─ 📜 indexes.ts TypeScript 23L · 995 B

│ │ └─ 📜 locks.ts TypeScript 22L · 530 B

│ ├─ ▾ 📁 telemetry

│ │ ├─ 📜 capability-facts.ts TypeScript 105L · 4.3 KB

│ │ ├─ 📜 capability-graph.ts TypeScript 99L · 3.2 KB

│ │ ├─ 📜 closure-metrics.ts TypeScript 16L · 883 B

│ │ ├─ 📜 scenario-tagging.ts TypeScript 13L · 432 B

│ │ └─ 📜 skill-trace.ts TypeScript 63L · 2.1 KB

│ └─ 📜 types.ts TypeScript 382L · 9.0 KB

├─ ▾ 📁 templates

│ ├─ 📝 capability-report.md Markdown 4L · 31 B

│ ├─ 📝 focus-digest.md Markdown 4L · 40 B

│ └─ 📝 session-summary.md Markdown 20L · 221 B

├─ 📝 AGENTS.md Markdown 27L · 1.2 KB

├─ 📋 package-lock.json JSON 1497L · 48.8 KB

├─ 📋 package.json JSON 48L · 1.3 KB

├─ 📝 README.md Markdown 405L · 9.7 KB

├─ 📝 SECURITY.md Markdown 114L · 3.0 KB

├─ 📝 SKILL.md Markdown 37L · 1.4 KB

├─ 📋 skill.yaml YAML 29L · 674 B

└─ 📋 tsconfig.json JSON 17L · 362 B

Dependencies 3 items

Package	Version	Source	Known Vulns	Notes
`express`	`^5.1.0`	npm	No	Version not exact-pinned, using caret range
`tsx`	`^4.20.5`	npm	No	Dev dependency for TypeScript execution
`typescript`	`^5.9.2`	npm	No	Dev dependency for type checking

Security Positives

✓ Sidecar binds to 127.0.0.1 loopback-only by default with explicit rejection of non-loopback URLs

✓ Autostart requires explicit one-time consent before the sidecar can auto-launch

✓ Process spawning uses shell:false and only targets known local entrypoints (dist/api/server.js or tsx src/api/server.ts)

✓ All state stays local in ~/.openclaw/skills/manager/ with no exfiltration to remote servers

✓ Connectors are adapter-only (normalization) and do not make external requests by default

✓ Security smoke tests validate all critical security invariants including consent, bind host, and launcher constraints

✓ SECURITY.md documents all environment variables and their local-only usage

✓ No base64 encoding, eval(), or other suspicious code patterns observed

✓ No access to ~/.ssh, ~/.aws, .env, or other sensitive credential paths

✓ Capability facts are anonymized by default before export

Scan Report

Findings 1 items

File Tree

Dependencies 3 items

Security Positives