openclaw-security-patrol 安全扫描报告 — 可疑 | ClawSafe

38 /100

openclaw-security-patrol

OpenClaw multi-mode security audit tool with optional threat intelligence reporting to auth.ctct.cn

OpenClaw security audit skill performs legitimate security scanning but collects extensive device fingerprinting data (MAC, hostname, persistent agent_id, full skill inventory) and transmits it to auth.ctct.cn under --push mode, with persistent tracking across sessions despite well-documented consent flows.

技能名称openclaw-security-patrol

分析耗时60.0s

引擎pi

⚠

谨慎使用

Review the data collection scope carefully before consenting to --push mode. The persistent agent_id enables long-term device fingerprinting. Consider using local-only mode for privacy-sensitive environments.

安全发现 5 项

严重性	安全发现	位置
中危	Extensive device fingerprinting under --push mode 数据外泄 When --push is enabled, the skill transmits MAC address, hostname, persistent agent_id, and the complete installed skill inventory (with owner IDs and versions) to auth.ctct.cn. The skill list reveals all installed tools on the machine. The agent_id is a permanent, stable identifier enabling long-term device tracking across multiple manual --push invocations. `const pushObj = { report_time, status, red_item, agent_id, data: JSON_DATA.map(({ item, brief }) => ({ item, brief })) };` → Ensure users fully understand the long-term fingerprinting implications before consenting to --push. The agent_id provides server-side device history tracking.	`scripts/openclaw-hybrid-audit-changeway.js:1160`
中危	SKILL.md declares credentials:none but script reads sensitive credential files 文档欺骗 The skill metadata declares 'credentials: none', yet the config baseline generation function reads /etc/shadow, ~/.ssh/authorized_keys, and /etc/passwd to generate file hashes. While this is used only for integrity baseline comparison (not exfiltration), it constitutes reading sensitive system credential files not declared in the credentials section. `configFiles.push('/etc/ssh/sshd_config', path.join(HOME, '.ssh/authorized_keys'), path.join(HOME, '.ssh/config'), '/etc/passwd', '/etc/shadow');` → Update credentials declaration or clarify that sensitive file access is limited to integrity baseline generation only.	`scripts/openclaw-hybrid-audit-changeway.js:285`
中危	Unpinned Node.js runtime dependency 供应链 SKILL.md specifies 'node>=18' without an upper bound. While Node.js LTS releases are generally stable, the absence of a maximum version constraint allows updates to potentially incompatible future versions. `runtime: "node>=18"` → Pin to a specific LTS version range (e.g., node@18 - 20) for reproducibility.	`SKILL.md:1`
低危	Gateway process environment variable scanning 敏感访问 On Linux, the script reads /proc/{gateway_pid}/environ to detect sensitive environment variable names (SECRET, TOKEN, PASSWORD, KEY, PRIVATE patterns). While it only reads names and redacts values, this is a form of process memory inspection not declared in the capability map. `const environData = fs.readFileSync(environPath, 'utf-8');` → Document this as environment:READ in the capability declaration.	`scripts/openclaw-hybrid-audit-changeway.js:395`
低危	FILTER_SKILLS_KEYWORDS silently excludes changeway-related skills from audit 文档欺骗 The script defines FILTER_SKILLS_KEYWORDS = ['changeway', 'ctct-security-patrol'] and applies this filter to the openclaw security audit output, causing these skills to be excluded from audit results. This self-serving filtering is not mentioned in SKILL.md. `let FILTER_SKILLS_KEYWORDS = ["changeway","ctct-security-patrol"];` → Document this filtering behavior or remove it to ensure transparent audit results.	`scripts/openclaw-hybrid-audit-changeway.js:308`

资源类型	声明权限	推断权限	状态	证据
文件系统	`WRITE`	`WRITE`	✓ 一致	SKILL.md: Local file writes to ~/.openclaw/
网络访问	`READ`	`READ`	✓ 一致	SKILL.md: --push mode POSTs to auth.ctct.cn
命令执行	`WRITE`	`WRITE`	✓ 一致	SKILL.md: 17 spawnSync calls to whitelist of read-only commands
环境变量	`NONE`	`READ`	✓ 一致	Reads /proc/PID/environ for gateway process sensitive variable names

2 项发现

🔗

中危外部 URL 外部 URL

https://auth.ctct.cn:10020/changeway-open/api/pushAuditData

SKILL.md:32

🔗

中危外部 URL 外部 URL

https://auth.ctct.cn:10020/changeway-open/api/skills/assessment

SKILL.md:33

目录结构

3 文件 · 86.8 KB · 1973 行

JavaScript 1f · 1447L Markdown 2f · 526L

├─ ▾ 📁 references

│ └─ 📝 cron-setup.md Markdown 154L · 5.2 KB

├─ ▾ 📁 scripts

│ └─ 📜 openclaw-hybrid-audit-changeway.js JavaScript 1447L · 61.6 KB

└─ 📝 SKILL.md Markdown 372L · 20.0 KB

依赖分析 1 项

包名	版本	来源	已知漏洞	备注
`node`	`>=18`	runtime	否	No upper version bound specified

安全亮点

✓ All spawnSync calls use hardcoded command whitelists with no user-controlled input — no command injection risk

✓ Shell is explicitly disabled on Unix/Linux platforms (shell: false)

✓ On Windows, shell is only enabled for .cmd wrappers with hardcoded arguments

✓ Consent flow is well-designed: requires explicit '2 已了解' confirmation before --push mode

✓ Cron jobs are explicitly protected: --push is forbidden in cron per documentation

✓ SHA-256 integrity hash is embedded in script header for tamper verification

✓ Full data collection behavior is extensively documented in SKILL.md privacy section

✓ Replay protection via timestamp+nonce mechanism (though not device authentication)

✓ Only brief summaries uploaded, not full detail command outputs

✓ agent_id generation uses crypto.randomUUID() which is cryptographically appropriate