Security Decision Report

openclaw-security-patrol

OpenClaw security audit skill performs legitimate security scanning but collects extensive device fingerprinting data (MAC, hostname, persistent agent_id, full skill inventory) and transmits it to auth.ctct.cn under --push mode, with persistent tracking across sessions despite well-documented consent flows.

Install decision first · Source: manual upload · Scan time: 2026/4/4
Files 3
IOC 2
Privilege overreach items 0
Findings 5

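Why this conclusion was reached

0/4 dimensions triggered
Pass
Declared vs. actual capabilities

Declared resources and inferred capabilities are largely consistent.

Review
Hidden execution and outbound connections

2 general-risk artifacts were extracted; they need to be judged in context.

Pass
Attack chain and high-severity findings

No clear malicious path was formed.

Pass
Dependency and supply-chain hygiene

A dependency structure exists, but no obvious high-severity alerts have been seen so far.

How the risk score was raised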

Extensive device fingerprinting data collection +15

Collects and transmits MAC address, hostname, persistent agent_id, and full skill inventory — broad privacy impact

Persistent cross-session tracking identifier +10

agent_id is generated once, stored permanently, and reused across all --push runs enabling long-term device history tracking

Third-party data transmission +8

auth.ctct.cn is Changeway-operated, but no independent verification of server-side handling

SKILL.md declares credentials:none but accesses /etc/shadow, ~/.ssh/authorized_keys +5

Config baseline generation reads sensitive system credential files — not credential theft, but declared incorrectly

Key evidence

Medium · Data exfiltration

Extensive device fingerprinting under --push mode

When --push is enabled, the skill transmits MAC address, hostname, persistent agent_id, and the complete installed skill inventory (with owner IDs and versions) to auth.ctct.cn. The skill list reveals all installed tools on the machine. The agent_id is a permanent, stable identifier enabling long-term device tracking across multiple manual --push invocations.

scripts/openclaw-hybrid-audit-changeway.js:1160
Ensure users fully understand the long-term fingerprinting implications before consenting to --push. The agent_id provides server-side device history tracking.
Medium · Documentation deception

SKILL.md declares credentials:none but script reads sensitive credential files

The skill metadata declares 'credentials: none', yet the config baseline generation function reads /etc/shadow, ~/.ssh/authorized_keys, and /etc/passwd to generate file hashes. While this is used only for integrity baseline comparison (not exfiltration), it constitutes reading sensitive system credential files not declared in the credentials section.

scripts/openclaw-hybrid-audit-changeway.js:285
Update credentials declaration or clarify that sensitive file access is limited to integrity baseline generation only.
Medium · Supply chain

Unpinned Node.js runtime dependency

SKILL.md specifies 'node>=18' without an upper bound. While Node.js LTS releases are generally stable, the absence of a maximum version constraint allows updates to potentially incompatible future versions.

SKILL.md:1
Pin to a specific LTS version range (e.g., node@18 - 20) for reproducibility.
Low · Sensitive access

Gateway process environment variable scanning

On Linux, the script reads /proc/{gateway_pid}/environ to detect sensitive environment variable names (SECRET, TOKEN, PASSWORD, KEY, PRIVATE patterns). While it only reads names and redacts values, this is a form of process memory inspection not declared in the capability map.

scripts/openclaw-hybrid-audit-changeway.js:395
Document this as environment:READ in the capability declaration.
Low · Documentation deception

FILTER_SKILLS_KEYWORDS silently excludes changeway-related skills from audit

The script defines FILTER_SKILLS_KEYWORDS = ['changeway', 'ctct-security-patrol'] and applies this filter to the openclaw security audit output, causing these skills to be excluded from audit results. This self-serving filtering is not mentioned in SKILL.md.

scripts/openclaw-hybrid-audit-changeway.js:308
Document this filtering behavior or remove it to ensure transparent audit results.

Declared capabilities vs. actual capabilities

Filesystem · Pass
Declared WRITE
Inferred WRITE
SKILL.md: Local file writes to ~/.openclaw/
Network access · Pass
Declared READ
Inferred READ
SKILL.md: --push mode POSTs to auth.ctct.cn
Command execution · Pass
Declared WRITE
Inferred WRITE
SKILL.md: 17 spawnSync calls to whitelist of read-only commands
Environment variables · Pass
Declared NONE
Inferred READ
Reads /proc/PID/environ for gateway process sensitive variable names

Suspicious artifacts and outbound connections

Medium · External URL
https://auth.ctct.cn:10020/changeway-open/api/pushAuditData

SKILL.md:32

Medium · External URL
https://auth.ctct.cn:10020/changeway-open/api/skills/assessment

SKILL.md:33

Dependencies and supply chain

Package | Version | Source | Vulnerabilities | Notes
node | >=18 | runtime | | No upper version bound specified

File composition

3 files · 1973 lines
JavaScript 1 file · 1447 lines
Markdown 2 files · 526 lines
Files needing attention · 2
scripts/openclaw-hybrid-audit-changeway.js JavaScript · 1447 lines
Extensive device fingerprinting under --push mode · SKILL.md declares credentials:none but script reads sensitive credential files · Gateway process environment variable scanning · FILTER_SKILLS_KEYWORDS silently excludes changeway-related skills from audit
SKILL.md Markdown · 372 lines
Unpinned Node.js runtime dependency · https://auth.ctct.cn:10020/changeway-open/api/pushAuditData · https://auth.ctct.cn:10020/changeway-open/api/skills/assessment
Other files · cron-setup.md

Security highlights

All spawnSync calls use hardcoded command whitelists with no user-controlled input — no command injection risk
Shell is explicitly disabled on Unix/Linux platforms (shell: false)
On Windows, shell is only enabled for .cmd wrappers with hardcoded arguments
Consent flow is well-designed: requires explicit '2 已了解' confirmation before --push mode
Cron jobs are explicitly protected: --push is forbidden in cron per documentation
SHA-256 integrity hash is embedded in script header for tamper verification
Full data collection behavior is extensively documented in SKILL.md privacy section
Replay protection via timestamp+nonce mechanism (though not device authentication)
Only brief summaries uploaded, not full detail command outputs
agent_id generation uses crypto.randomUUID() which is cryptographically appropriate