中文 EN

扫描报告

扫描新文件

可信 — 风险评分 5/100
上次扫描:2 天前 重新扫描
5 /100
openclaw-manager
OpenClaw-native local control plane and durable state sidecar with thread shadow observation, session management, and connector normalization
OpenClaw Manager is a well-architected local control plane skill with strong security controls including loopback-only networking, consent-gated autostart, and no external data exfiltration.
技能名称openclaw-manager
分析耗时47.7s
引擎pi
可以安装
The skill is safe to use. Ensure OPENCLAW_MANAGER_ALLOW_REMOTE_SIDECAR is not set in untrusted environments and review connector configurations before enabling external integrations.

安全发现 1 项

严重性 安全发现 位置
低危
Dependency version not exact-pinned
Express uses ^5.1.0 instead of exact version. While not a security issue, exact pinning provides better reproducibility.
"express": "^5.1.0"
→ Consider using exact version "5.1.0" or similar for production deployments
 package.json:27
资源类型声明权限推断权限状态证据
文件系统 WRITE WRITE ✓ 一致 FsStore writes to ~/.openclaw/skills/manager/
网络访问 NONE READ ✓ 一致 Health check only to loopback /health endpoint
命令执行 NONE NONE Uses spawn with shell:false to launch only known local entrypoints
环境变量 READ READ ✓ 一致 Only reads local manager config vars (STATE_ROOT, BIND_HOST, etc.)
技能调用 NONE NONE No skill invocation observed
剪贴板 NONE NONE No clipboard access observed
浏览器 NONE NONE No browser access observed
数据库 NONE NONE Uses filesystem-only JSONL storage
6 项发现
🔗
中危 外部 URL 外部 URL
http://127.0.0.1:4318
README.md:113
🔗
中危 外部 URL 外部 URL
http://127.0.0.1:4318/health
README.md:378
🔗
中危 外部 URL 外部 URL
http://127.0.0.1:
SECURITY.md:36
🔗
中危 外部 URL 外部 URL
https://opencollective.com/express
package-lock.json:598
🔗
中危 外部 URL 外部 URL
https://json-schema.org/draft/2020-12/schema
schemas/capability-fact.schema.json:2
🔗
中危 外部 URL 外部 URL
http://127.0.0.1:45218
scripts/security-smoke.cjs:39

目录结构

63 文件 · 232.2 KB · 7061 行
TypeScript 37f · 4057L JSON 8f · 1652L Markdown 13f · 894L JavaScript 2f · 323L Shell 1f · 103L YAML 2f · 32L
├─ 📁 agents
│ └─ 📋 openai.yaml YAML 3L · 312 B
├─ 📁 docs
│ ├─ 📝 architecture.md Markdown 32L · 1.1 KB
│ ├─ 📝 capability-facts.md Markdown 35L · 704 B
│ ├─ 📝 connector-protocol.md Markdown 42L · 1.3 KB
│ ├─ 📝 event-schema.md Markdown 33L · 635 B
│ ├─ 📝 security-audit-response.md Markdown 83L · 2.8 KB
│ └─ 📝 session-model.md Markdown 58L · 1.0 KB
├─ 📁 schemas
│ ├─ 📋 capability-fact.schema.json JSON 17L · 625 B
│ ├─ 📋 event.schema.json JSON 15L · 436 B
│ ├─ 📋 run.schema.json JSON 16L · 480 B
│ ├─ 📋 session.schema.json JSON 24L · 1002 B
│ └─ 📋 skill-trace.schema.json JSON 18L · 570 B
├─ 📁 scripts
│ ├─ 🔧 install.sh Shell 103L · 2.9 KB
│ ├─ 📜 security-smoke.cjs JavaScript 88L · 3.4 KB
│ └─ 📜 smoke-test.cjs JavaScript 235L · 9.5 KB
├─ 📁 src
│ ├─ 📁 api
│ │ ├─ 📜 health.ts TypeScript 19L · 638 B
│ │ ├─ 📜 inbound.ts TypeScript 41L · 1.4 KB
│ │ └─ 📜 server.ts TypeScript 289L · 10.2 KB
│ ├─ 📁 connectors
│ │ ├─ 📜 base.ts TypeScript 48L · 1.7 KB
│ │ ├─ 📜 email.ts TypeScript 40L · 1.7 KB
│ │ ├─ 📜 github.ts TypeScript 42L · 2.1 KB
│ │ ├─ 📜 registry.ts TypeScript 16L · 537 B
│ │ ├─ 📜 telegram.ts TypeScript 39L · 1.8 KB
│ │ └─ 📜 wecom.ts TypeScript 39L · 1.7 KB
│ ├─ 📁 control-plane
│ │ ├─ 📜 attention-service.ts TypeScript 280L · 9.6 KB
│ │ ├─ 📜 binding-service.ts TypeScript 62L · 2.2 KB
│ │ ├─ 📜 checkpoint-service.ts TypeScript 60L · 2.5 KB
│ │ ├─ 📜 event-service.ts TypeScript 37L · 1.3 KB
│ │ ├─ 📜 run-service.ts TypeScript 70L · 2.4 KB
│ │ ├─ 📜 session-service.ts TypeScript 386L · 13.8 KB
│ │ ├─ 📜 shadow-classifier.ts TypeScript 242L · 7.7 KB
│ │ ├─ 📜 shadow-service.ts TypeScript 565L · 20.8 KB
│ │ ├─ 📜 share-service.ts TypeScript 103L · 4.1 KB
│ │ └─ 📜 spool-service.ts TypeScript 34L · 1.2 KB
│ ├─ 📁 exporters
│ │ ├─ 📜 markdown-report.ts TypeScript 77L · 2.8 KB
│ │ └─ 📜 snapshot-html.ts TypeScript 82L · 3.1 KB
│ ├─ 📁 skill
│ │ ├─ 📜 autostart-consent.ts TypeScript 43L · 1.2 KB
│ │ ├─ 📜 bootstrap.ts TypeScript 216L · 6.3 KB
│ │ ├─ 📜 commands.ts TypeScript 112L · 5.0 KB
│ │ ├─ 📜 hooks.ts TypeScript 50L · 1.8 KB
│ │ ├─ 📜 local-config.ts TypeScript 79L · 2.7 KB
│ │ ├─ 📜 sidecar-health.ts TypeScript 10L · 245 B
│ │ └─ 📜 sidecar-launcher.ts TypeScript 36L · 956 B
│ ├─ 📁 storage
│ │ ├─ 📜 fs-store.ts TypeScript 217L · 6.0 KB
│ │ ├─ 📜 indexes.ts TypeScript 23L · 995 B
│ │ └─ 📜 locks.ts TypeScript 22L · 530 B
│ ├─ 📁 telemetry
│ │ ├─ 📜 capability-facts.ts TypeScript 105L · 4.3 KB
│ │ ├─ 📜 capability-graph.ts TypeScript 99L · 3.2 KB
│ │ ├─ 📜 closure-metrics.ts TypeScript 16L · 883 B
│ │ ├─ 📜 scenario-tagging.ts TypeScript 13L · 432 B
│ │ └─ 📜 skill-trace.ts TypeScript 63L · 2.1 KB
│ └─ 📜 types.ts TypeScript 382L · 9.0 KB
├─ 📁 templates
│ ├─ 📝 capability-report.md Markdown 4L · 31 B
│ ├─ 📝 focus-digest.md Markdown 4L · 40 B
│ └─ 📝 session-summary.md Markdown 20L · 221 B
├─ 📝 AGENTS.md Markdown 27L · 1.2 KB
├─ 📋 package-lock.json JSON 1497L · 48.8 KB
├─ 📋 package.json JSON 48L · 1.3 KB
├─ 📝 README.md Markdown 405L · 9.7 KB
├─ 📝 SECURITY.md Markdown 114L · 3.0 KB
├─ 📝 SKILL.md Markdown 37L · 1.4 KB
├─ 📋 skill.yaml YAML 29L · 674 B
└─ 📋 tsconfig.json JSON 17L · 362 B

依赖分析 3 项

包名版本来源已知漏洞备注
express ^5.1.0 npm Version not exact-pinned, using caret range
tsx ^4.20.5 npm Dev dependency for TypeScript execution
typescript ^5.9.2 npm Dev dependency for type checking

安全亮点

✓ Sidecar binds to 127.0.0.1 loopback-only by default with explicit rejection of non-loopback URLs
✓ Autostart requires explicit one-time consent before the sidecar can auto-launch
✓ Process spawning uses shell:false and only targets known local entrypoints (dist/api/server.js or tsx src/api/server.ts)
✓ All state stays local in ~/.openclaw/skills/manager/ with no exfiltration to remote servers
✓ Connectors are adapter-only (normalization) and do not make external requests by default
✓ Security smoke tests validate all critical security invariants including consent, bind host, and launcher constraints
✓ SECURITY.md documents all environment variables and their local-only usage
✓ No base64 encoding, eval(), or other suspicious code patterns observed
✓ No access to ~/.ssh, ~/.aws, .env, or other sensitive credential paths
✓ Capability facts are anonymized by default before export