Trusted — Risk Score 5/100
Last scan: 23 hr ago
SX-security-audit
All-round security audit skill - Comprehensive security audit for OpenClaw: file permissions, environment variables, dependency vulnerabilities, config files, network ports, Git/Shell/macOS security, and secret key detection.
This is a legitimate, well-documented security audit tool that detects secrets, checks file permissions, scans dependencies, and audits Git/network/shell configurations. All capabilities are explicitly declared in SKILL.md and serve the stated purpose.
Skill Name: SX-security-audit
Duration: 45.6s
Engine: pi
Safe to install
No action required. The skill is a genuine security auditing tool with comprehensive documentation and no hidden malicious functionality.

Findings 3 items

Severity | Finding | Location

Low | Reference file contains example secret patterns (Doc Mismatch) | references/secrets-detection.md:11
references/secrets-detection.md contains hardcoded example credentials (AKIAIOSFODNN7EXAMPLE, ghp_xxxxxxx, xoxb-123-456) as detection pattern examples. These are reference/documentation patterns, not actual secrets used by the tool.
AKIAIOSFODNN7EXAMPLE
→ These are standard AWS documentation example keys (intentionally non-functional). No action needed; consider adding a comment clarifying these are examples.

Low | Network WRITE capability not declared in SKILL.md (Doc Mismatch) | scripts/send_report_to_feishu.py:85
SKILL.md declares network capability for port scanning but does not mention that send_report_to_feishu.py makes outbound POST requests to a webhook URL to deliver audit reports.
urllib.request.urlopen(req, timeout=10)
→ Add 'Feishu report' webhook POST to SKILL.md declared capabilities.

Info | No pinned dependency versions (Supply Chain) | scripts/security_audit.py:1
The skill uses npm, subprocess, and urllib.request but has no requirements.txt or package.json. All dependencies rely on system-installed packages.
import subprocess, urllib.request
→ This is acceptable as the skill uses only Python standard library and system tools (npm, git, lsof).

Resource | Declared | Inferred | Status | Evidence
Filesystem | READ | READ | ✓ Aligned | SKILL.md describes file permission checks; scripts only read sensitive paths
Network | READ | WRITE | ✓ Aligned | scripts/send_report_to_feishu.py:85 - POST to webhook URL for report delivery; n…
Shell | WRITE | WRITE | ✓ Aligned | SKILL.md states subprocess usage for npm audit, git, lsof; security_audit.py use…
Environment | READ | READ | ✓ Aligned | SKILL.md env check module; security_audit.py:336 iterates os.environ for API key…
Skill Invoke | NONE | NONE | | No skill invocation observed
Clipboard | NONE | NONE | | No clipboard access
Browser | NONE | NONE | | No browser automation
Database | NONE | NONE | | No database access

12 findings: 3 Critical, 1 High

🔑 Critical | API Key | Hardcoded API key
AKIAIOSFODNN7EXAMPLE
references/secrets-detection.md:11

🔑 Critical | API Key | Hardcoded API key
ghp_xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx
references/secrets-detection.md:12

🔑 Critical | API Key | Hardcoded API key
xoxb-123-456
references/secrets-detection.md:14

🔑 High | API Key | Suspected hardcoded credential
API_KEY = "your-api-key-here"
references/secrets-detection.md:109

🔗 Medium | External URL | External URL
https://api.example.com
references/code-security.md:315

🔗 Medium | External URL | External URL
https://owasp.org/www-project-top-ten/
references/code-security.md:326

🔗 Medium | External URL | External URL
https://cwe.mitre.org/top25/
references/code-security.md:327

🔗 Medium | External URL | External URL
https://www.sans.org/top25-software-errors/
references/code-security.md:328

🔗 Medium | External URL | External URL
https://nodejs.org/en/docs/guides/security
references/code-security.md:329

🔗 Medium | External URL | External URL
https://python.readthedocs.io/en/latest/security/index.html
references/code-security.md:330

🔗 Medium | External URL | External URL
https://npm.example.com
references/dependency-audit.md:164

🔗 Medium | External URL | External URL
https://cve.mitre.org/
references/dependency-audit.md:212

File Tree

7 files · 85.0 KB · 2794 lines
Python 2f · 1777L Markdown 5f · 1017L
├─ 📁 references
│ ├─ 📝 code-security.md Markdown 341L · 7.7 KB
│ ├─ 📝 dependency-audit.md Markdown 254L · 4.9 KB
│ ├─ 📝 permissions.md Markdown 48L · 1.5 KB
│ └─ 🔑 secrets-detection.md Markdown 188L · 4.6 KB
├─ 📁 scripts
│ ├─ 🐍 security_audit.py Python 1335L · 47.6 KB
│ └─ 🐍 send_report_to_feishu.py Python 442L · 13.3 KB
└─ 📝 SKILL.md Markdown 186L · 5.5 KB

Dependencies 4 items

Package | Version | Source | Known Vulns | Notes
Python standard library (subprocess, urllib.request, json, re, math) | N/A | stdlib | No | Only standard library + system tools (npm, git, lsof) used; no external packages
npm | system | system | No | Used only for npm audit --json on workspace dependencies
git | system | system | No | Used only for git config and git log inspection
lsof | system | system | No | Used only for network port enumeration

Security Positives

✓ SKILL.md is comprehensive and explicitly documents all major capabilities
✓ Subprocess calls are restricted to legitimate security audit tools (npm audit, git, lsof, platform-specific security commands)
✓ No arbitrary shell command execution - only controlled, documented commands
✓ No obfuscation (base64, eval tricks, or anti-analysis techniques)
✓ No credential exfiltration - environment variables are only read to detect secrets, not sent anywhere
✓ No persistence mechanisms (no cron, startup hooks, or backdoors)
✓ High-entropy detection uses Shannon entropy algorithm, a standard technique
✓ Sensitive path access (~/.ssh, ~/.aws) is read-only for permission checking
✓ Feishu webhook only receives generated audit reports, not attacker commands
✓ Code includes proper error handling (try/except) and timeout controls on subprocess calls
✓ No prompt injection or LLM manipulation techniques detected