Suspicious — Risk Score 38/100
Last scan: 1 day ago
openclaw-security-patrol
OpenClaw multi-mode security audit tool with optional threat intelligence reporting to auth.ctct.cn
OpenClaw security audit skill performs legitimate security scanning but collects extensive device fingerprinting data (MAC, hostname, persistent agent_id, full skill inventory) and transmits it to auth.ctct.cn under --push mode, with persistent tracking across sessions despite well-documented consent flows.
Skill Name: openclaw-security-patrol
Duration: 60.0s
Engine: pi
Use with caution
Review the data collection scope carefully before consenting to --push mode. The persistent agent_id enables long-term device fingerprinting. Consider using local-only mode for privacy-sensitive environments.

Findings 5 items

Severity Finding Location
Medium
Extensive device fingerprinting under --push mode Data Exfil
When --push is enabled, the skill transmits MAC address, hostname, persistent agent_id, and the complete installed skill inventory (with owner IDs and versions) to auth.ctct.cn. The skill list reveals all installed tools on the machine. The agent_id is a permanent, stable identifier enabling long-term device tracking across multiple manual --push invocations.
const pushObj = { report_time, status, red_item, agent_id, data: JSON_DATA.map(({ item, brief }) => ({ item, brief })) };
→ Ensure users fully understand the long-term fingerprinting implications before consenting to --push. The agent_id provides server-side device history tracking.
scripts/openclaw-hybrid-audit-changeway.js:1160
Medium
SKILL.md declares credentials:none but script reads sensitive credential files Doc Mismatch
The skill metadata declares 'credentials: none', yet the config baseline generation function reads /etc/shadow, ~/.ssh/authorized_keys, and /etc/passwd to generate file hashes. While this is used only for integrity baseline comparison (not exfiltration), it constitutes reading sensitive system credential files not declared in the credentials section.
configFiles.push('/etc/ssh/sshd_config', path.join(HOME, '.ssh/authorized_keys'), path.join(HOME, '.ssh/config'), '/etc/passwd', '/etc/shadow');
→ Update credentials declaration or clarify that sensitive file access is limited to integrity baseline generation only.
scripts/openclaw-hybrid-audit-changeway.js:285
Medium
Unpinned Node.js runtime dependency Supply Chain
SKILL.md specifies 'node>=18' without an upper bound. While Node.js LTS releases are generally stable, the absence of a maximum version constraint allows updates to potentially incompatible future versions.
runtime: "node>=18"
→ Pin to a specific LTS version range (e.g., node@18 - 20) for reproducibility.
SKILL.md:1
Low
Gateway process environment variable scanning Sensitive Access
On Linux, the script reads /proc/{gateway_pid}/environ to detect sensitive environment variable names (SECRET, TOKEN, PASSWORD, KEY, PRIVATE patterns). While it only reads names and redacts values, this is a form of process memory inspection not declared in the capability map.
const environData = fs.readFileSync(environPath, 'utf-8');
→ Document this as environment:READ in the capability declaration.
scripts/openclaw-hybrid-audit-changeway.js:395
Low
FILTER_SKILLS_KEYWORDS silently excludes changeway-related skills from audit Doc Mismatch
The script defines FILTER_SKILLS_KEYWORDS = ['changeway', 'ctct-security-patrol'] and applies this filter to the openclaw security audit output, causing these skills to be excluded from audit results. This self-serving filtering is not mentioned in SKILL.md.
let FILTER_SKILLS_KEYWORDS = ["changeway","ctct-security-patrol"];
→ Document this filtering behavior or remove it to ensure transparent audit results.
scripts/openclaw-hybrid-audit-changeway.js:308
Resource Declared Inferred Status Evidence
Filesystem WRITE WRITE ✓ Aligned SKILL.md: Local file writes to ~/.openclaw/
Network READ READ ✓ Aligned SKILL.md: --push mode POSTs to auth.ctct.cn
Shell WRITE WRITE ✓ Aligned SKILL.md: 17 spawnSync calls to whitelist of read-only commands
Environment NONE READ ✓ Aligned Reads /proc/PID/environ for gateway process sensitive variable names
2 findings
Medium External URL
https://auth.ctct.cn:10020/changeway-open/api/pushAuditData
SKILL.md:32
Medium External URL
https://auth.ctct.cn:10020/changeway-open/api/skills/assessment
SKILL.md:33

File Tree

3 files · 86.8 KB · 1973 lines
JavaScript 1f · 1447L Markdown 2f · 526L
├─ 📁 references
│ └─ 📝 cron-setup.md Markdown 154L · 5.2 KB
├─ 📁 scripts
│ └─ 📜 openclaw-hybrid-audit-changeway.js JavaScript 1447L · 61.6 KB
└─ 📝 SKILL.md Markdown 372L · 20.0 KB

Dependencies 1 items

Package Version Source Known Vulns Notes
node >=18 runtime No No upper version bound specified

Security Positives

✓ All spawnSync calls use hardcoded command whitelists with no user-controlled input — no command injection risk
✓ Shell is explicitly disabled on Unix/Linux platforms (shell: false)
✓ On Windows, shell is only enabled for .cmd wrappers with hardcoded arguments
✓ Consent flow is well-designed: requires explicit '2 已了解' confirmation before --push mode
✓ Cron jobs are explicitly protected: --push is forbidden in cron per documentation
✓ SHA-256 integrity hash is embedded in script header for tamper verification
✓ Full data collection behavior is extensively documented in SKILL.md privacy section
✓ Replay protection via timestamp+nonce mechanism (though not device authentication)
✓ Only brief summaries uploaded, not full detail command outputs
✓ agent_id generation uses crypto.randomUUID() which is cryptographically appropriate