Skill Trust Decision

openclaw-security-patrol

The OpenClaw security audit skill performs legitimate security scanning, but under --push mode it collects extensive device fingerprinting data (MAC address, hostname, a persistent agent_id, and the full installed-skill inventory) and transmits it to auth.ctct.cn. The persistent identifier enables tracking across sessions, even though the consent flow for --push is well documented.

Install decision first
Source: Manual upload · Scanned: Apr 4, 2026
Files: 3 · Artifacts: 2 · Violations: 0 · Findings: 5

Why this conclusion was reached

0/4 dimensions flagged

Pass: Declared vs actual capability
Declared resources and inferred behavior are broadly aligned.

Review: Hidden execution and egress
2 lower-risk artifacts were extracted and still need context.

Pass: Attack chain and severe findings
There is no explicit malicious chain in the report.

Pass: Dependencies and supply chain hygiene
Dependencies are present but no obvious high-risk issue stands out.

What drove the risk score up

Extensive device fingerprinting data collection (+15)
Collects and transmits MAC address, hostname, persistent agent_id, and full skill inventory: broad privacy impact.

Persistent cross-session tracking identifier (+10)
agent_id is generated once, stored permanently, and reused across all --push runs, enabling long-term device history tracking.

Third-party data transmission (+8)
auth.ctct.cn is operated by Changeway, but there is no independent verification of server-side data handling.

SKILL.md declares credentials:none but accesses /etc/shadow, ~/.ssh/authorized_keys (+5)
Config baseline generation reads sensitive system credential files. This is not credential theft, but the capability is declared incorrectly.

Most important evidence

Medium · Data Exfil
Extensive device fingerprinting under --push mode

When --push is enabled, the skill transmits MAC address, hostname, persistent agent_id, and the complete installed skill inventory (with owner IDs and versions) to auth.ctct.cn. The skill list reveals all installed tools on the machine. The agent_id is a permanent, stable identifier enabling long-term device tracking across multiple manual --push invocations.

Location: scripts/openclaw-hybrid-audit-changeway.js:1160
Recommendation: Ensure users fully understand the long-term fingerprinting implications before consenting to --push. The agent_id provides server-side device history tracking.

Medium · Doc Mismatch
SKILL.md declares credentials:none but script reads sensitive credential files

The skill metadata declares 'credentials: none', yet the config baseline generation function reads /etc/shadow, ~/.ssh/authorized_keys, and /etc/passwd to generate file hashes. While this is used only for integrity baseline comparison (not exfiltration), it constitutes reading sensitive system credential files not declared in the credentials section.

Location: scripts/openclaw-hybrid-audit-changeway.js:285
Recommendation: Update the credentials declaration, or clarify that sensitive file access is limited to integrity baseline generation only.

Medium · Supply Chain
Unpinned Node.js runtime dependency

SKILL.md specifies 'node>=18' without an upper bound. While Node.js LTS releases are generally stable, the absence of a maximum version constraint allows updates to potentially incompatible future versions.

Location: SKILL.md:1
Recommendation: Pin to a specific LTS version range (e.g., node@18 - 20) for reproducibility.

Low · Sensitive Access
Gateway process environment variable scanning

On Linux, the script reads /proc/{gateway_pid}/environ to detect sensitive environment variable names (SECRET, TOKEN, PASSWORD, KEY, PRIVATE patterns). While it only reads names and redacts values, this is a form of process memory inspection not declared in the capability map.

Location: scripts/openclaw-hybrid-audit-changeway.js:395
Recommendation: Document this as environment:READ in the capability declaration.

Low · Doc Mismatch
FILTER_SKILLS_KEYWORDS silently excludes changeway-related skills from audit

The script defines FILTER_SKILLS_KEYWORDS = ['changeway', 'ctct-security-patrol'] and applies this filter to the openclaw security audit output, causing these skills to be excluded from audit results. This self-serving filtering is not mentioned in SKILL.md.

Location: scripts/openclaw-hybrid-audit-changeway.js:308
Recommendation: Document this filtering behavior or remove it to ensure transparent audit results.

Declared capability vs actual capability

Capability   Status  Declared  Inferred  Evidence
Filesystem   Pass    WRITE     WRITE     SKILL.md: Local file writes to ~/.openclaw/
Network      Pass    READ      READ      SKILL.md: --push mode POSTs to auth.ctct.cn
Shell        Pass    WRITE     WRITE     SKILL.md: 17 spawnSync calls to whitelist of read-only commands
Environment  Pass    NONE      READ      Reads /proc/PID/environ for gateway process sensitive variable names

Suspicious artifacts and egress

Medium · External URL
https://auth.ctct.cn:10020/changeway-open/api/pushAuditData
Location: SKILL.md:32

Medium · External URL
https://auth.ctct.cn:10020/changeway-open/api/skills/assessment
Location: SKILL.md:33

Dependencies and supply chain

Package  Version  Source   Known vuln  Notes
node     >=18     runtime  No          No upper version bound specified

File composition

3 files · 1973 lines
JavaScript: 1 file · 1447 lines
Markdown: 2 files · 526 lines

Files of concern · 2

scripts/openclaw-hybrid-audit-changeway.js (JavaScript · 1447 lines)
Findings: Extensive device fingerprinting under --push mode · SKILL.md declares credentials:none but script reads sensitive credential files · Gateway process environment variable scanning · FILTER_SKILLS_KEYWORDS silently excludes changeway-related skills from audit

SKILL.md (Markdown · 372 lines)
Findings and artifacts: Unpinned Node.js runtime dependency · https://auth.ctct.cn:10020/changeway-open/api/pushAuditData · https://auth.ctct.cn:10020/changeway-open/api/skills/assessment

Other files: cron-setup.md

Security positives

All spawnSync calls use hardcoded command whitelists with no user-controlled input — no command injection risk
Shell is explicitly disabled on Unix/Linux platforms (shell: false)
On Windows, shell is only enabled for .cmd wrappers with hardcoded arguments
Consent flow is well-designed: requires explicit '2 已了解' (option 2, "understood") confirmation before --push mode
Cron jobs are explicitly protected: --push is forbidden in cron per documentation
SHA-256 integrity hash is embedded in script header for tamper verification
Full data collection behavior is extensively documented in SKILL.md privacy section
Replay protection via timestamp+nonce mechanism (though not device authentication)
Only brief summaries uploaded, not full detail command outputs
agent_id generation uses crypto.randomUUID() which is cryptographically appropriate