中文 EN

Scan Report

Scan New Files

Low Risk — Risk Score 15/100
Last scan:1 day ago Rescan
15 /100
pixel-agents
Real-time pixel art ops dashboard for OpenClaw deployments
Legitimate OpenClaw monitoring dashboard with documented shell execution for build/deploy and remote service management via SSH. No hidden malicious behavior detected.
Skill Namepixel-agents
Duration49.0s
Enginepi
Safe to install
Accept for use. If remote agents use SSH password authentication, consider switching to key-based auth for better security.

Findings 2 items

Severity Finding Location
Medium
Plaintext SSH passwords in remote agent config Credential Theft
RemoteAgentConfig interface allows storing passwords in plaintext. While sshpass is a legitimate tool for remote service management, storing passwords in config files is a security risk.
password?: string
→ Use SSH key-based authentication instead. If passwords are required, use environment variables or a secrets manager.
 server/configLoader.ts:26
Low
execSync for systemctl commands Priv Escalation
The services.ts module uses execSync to run systemctl commands locally and via SSH. While this is necessary for the breaker panel feature, it provides arbitrary command execution capability.
execSync(cmd, { timeout: 10_000, encoding: 'utf-8' })
→ This is documented behavior for the service management feature. Ensure only trusted users can access this functionality.
 server/services.ts:47
ResourceDeclaredInferredStatusEvidence
Filesystem READ READ ✓ Aligned Reads ~/.openclaw/agents and config files
Network READ READ ✓ Aligned Curl check to gateway URL
Shell WRITE WRITE ✓ Aligned npm install/build, systemctl, sshpass/ssh
Environment NONE READ ✓ Aligned Reads ENV_VAR placeholders in config
Skill Invoke NONE NONE No skill invocation detected
Clipboard NONE NONE No clipboard access
Browser NONE NONE No browser automation
Database NONE NONE No direct database access
10 findings
🔗
Medium External URL 外部 URL
https://openclaw.ai
README.md:3
🔗
Medium External URL 外部 URL
https://opencollective.com/babel
package-lock.json:91
🔗
Medium External URL 外部 URL
https://opencollective.com/express
package-lock.json:1425
🔗
Medium External URL 外部 URL
https://opencollective.com/browserslist
package-lock.json:1436
🔗
Medium External URL 外部 URL
https://tidelift.com/funding/github/npm/browserslist
package-lock.json:1440
🔗
Medium External URL 外部 URL
https://tidelift.com/funding/github/npm/caniuse-lite
package-lock.json:1512
🔗
Medium External URL 外部 URL
https://paulmillr.com/funding/
package-lock.json:1563
💰
Medium Wallet Address 加密货币钱包地址
347pnakNevPmiHhNmZ2HbFA76w
package-lock.json:2257
🔗
Medium External URL 外部 URL
https://opencollective.com/postcss/
package-lock.json:2378
🔗
Medium External URL 外部 URL
https://tidelift.com/funding/github/npm/postcss
package-lock.json:2382

File Tree

81 files · 701.4 KB · 23240 lines
TypeScript 66f · 16453L JSON 7f · 6129L Markdown 4f · 294L Shell 1f · 222L CSS 1f · 67L JavaScript 1f · 62L HTML 1f · 13L
├─ 📁 bin
│ └─ 📜 pixel-agents.cjs JavaScript 62L · 1.8 KB
├─ 📁 public
│ └─ 📁 assets
│ ├─ 📝 ASSET-LICENSE.md Markdown 29L · 1.3 KB
│ └─ 📋 default-layout.json JSON 2801L · 33.3 KB
├─ 📁 server
│ ├─ 📜 assetLoader.ts TypeScript 191L · 6.3 KB
│ ├─ 📜 config.ts TypeScript 108L · 3.6 KB
│ ├─ 📜 configLoader.ts TypeScript 292L · 9.0 KB
│ ├─ 📜 hardware.ts TypeScript 260L · 8.5 KB
│ ├─ 📜 index.ts TypeScript 397L · 11.3 KB
│ ├─ 📜 openclawParser.ts TypeScript 316L · 10.6 KB
│ ├─ 📜 services.ts TypeScript 130L · 3.9 KB
│ ├─ 📜 sessionWatcher.ts TypeScript 429L · 14.6 KB
│ ├─ 📜 setupWizard.ts TypeScript 514L · 16.1 KB
│ ├─ 📜 spawner.ts TypeScript 374L · 12.5 KB
│ └─ 📜 version.ts TypeScript 140L · 4.4 KB
├─ 📁 skill
│ ├─ 📁 scripts
│ │ └─ 🔧 setup.sh Shell 222L · 5.9 KB
│ └─ 📝 SKILL.md Markdown 58L · 2.0 KB
├─ 📁 src
│ ├─ 📁 components
│ │ ├─ 📜 ActivityBubble.tsx TypeScript 248L · 7.9 KB
│ │ ├─ 📜 ActivityTicker.tsx TypeScript 103L · 2.5 KB
│ │ ├─ 📜 AgentLabels.tsx TypeScript 171L · 5.7 KB
│ │ ├─ 📜 BottomToolbar.tsx TypeScript 142L · 4.0 KB
│ │ ├─ 📜 BreakerPanel.tsx TypeScript 226L · 6.5 KB
│ │ ├─ 📜 ConversationHeat.tsx TypeScript 175L · 5.4 KB
│ │ ├─ 📜 DayNightCycle.tsx TypeScript 110L · 3.2 KB
│ │ ├─ 📜 DebugView.tsx TypeScript 190L · 5.2 KB
│ │ ├─ 📜 FireAlarm.tsx TypeScript 191L · 5.3 KB
│ │ ├─ 📜 HamRadio.tsx TypeScript 335L · 11.0 KB
│ │ ├─ 📜 NickDesk.tsx TypeScript 158L · 4.4 KB
│ │ ├─ 📜 OfficeDoor.tsx TypeScript 189L · 6.0 KB
│ │ ├─ 📜 ServerRack.tsx TypeScript 269L · 7.8 KB
│ │ ├─ 📜 SessionInfoPanel.tsx TypeScript 164L · 5.0 KB
│ │ ├─ 📜 SettingsModal.tsx TypeScript 232L · 7.0 KB
│ │ ├─ 📜 SpawnButton.tsx TypeScript 433L · 14.7 KB
│ │ ├─ 📜 SpawnChat.tsx TypeScript 292L · 9.3 KB
│ │ └─ 📜 ZoomControls.tsx TypeScript 177L · 5.0 KB
│ ├─ 📁 hooks
│ │ ├─ 📜 useEditorActions.ts TypeScript 634L · 21.1 KB
│ │ ├─ 📜 useEditorKeyboard.ts TypeScript 74L · 2.3 KB
│ │ ├─ 📜 useExtensionMessages.ts TypeScript 406L · 15.2 KB
│ │ ├─ 📜 useOpenClawEvents.ts TypeScript 437L · 14.1 KB
│ │ └─ 📜 useSpawnedSessions.ts TypeScript 201L · 5.7 KB
│ ├─ 📁 office
│ │ ├─ 📁 components
│ │ │ ├─ 📜 index.ts TypeScript 2L · 98 B
│ │ │ ├─ 📜 OfficeCanvas.tsx TypeScript 885L · 31.4 KB
│ │ │ └─ 📜 ToolOverlay.tsx TypeScript 233L · 7.7 KB
│ │ ├─ 📁 editor
│ │ │ ├─ 📜 editorActions.ts TypeScript 268L · 8.7 KB
│ │ │ ├─ 📜 editorState.ts TypeScript 120L · 3.0 KB
│ │ │ ├─ 📜 EditorToolbar.tsx TypeScript 646L · 20.2 KB
│ │ │ └─ 📜 index.ts TypeScript 9L · 226 B
│ │ ├─ 📁 engine
│ │ │ ├─ 📜 characters.ts TypeScript 339L · 10.0 KB
│ │ │ ├─ 📜 gameLoop.ts TypeScript 35L · 856 B
│ │ │ ├─ 📜 index.ts TypeScript 19L · 535 B
│ │ │ ├─ 📜 matrixEffect.ts TypeScript 139L · 5.0 KB
│ │ │ ├─ 📜 officeState.ts TypeScript 700L · 23.8 KB
│ │ │ └─ 📜 renderer.ts TypeScript 669L · 19.6 KB
│ │ ├─ 📁 layout
│ │ │ ├─ 📜 furnitureCatalog.ts TypeScript 383L · 12.6 KB
│ │ │ ├─ 📜 index.ts TypeScript 18L · 495 B
│ │ │ ├─ 📜 layoutSerializer.ts TypeScript 375L · 12.6 KB
│ │ │ └─ 📜 tileMap.ts TypeScript 105L · 3.0 KB
│ │ ├─ 📁 sprites
│ │ │ ├─ 📜 index.ts TypeScript 13L · 325 B
│ │ │ ├─ 📜 spriteCache.ts TypeScript 77L · 2.3 KB
│ │ │ └─ 📜 spriteData.ts TypeScript 1122L · 50.6 KB
│ │ ├─ 📜 colorize.ts TypeScript 207L · 5.6 KB
│ │ ├─ 📜 floorTiles.ts TypeScript 74L · 2.8 KB
│ │ ├─ 📜 toolUtils.ts TypeScript 28L · 876 B
│ │ ├─ 📜 types.ts TypeScript 198L · 5.6 KB
│ │ └─ 📜 wallTiles.ts TypeScript 189L · 5.6 KB
│ ├─ 📜 apiBase.ts TypeScript 14L · 512 B
│ ├─ 📜 App.tsx TypeScript 553L · 17.1 KB
│ ├─ 📜 constants.ts TypeScript 113L · 5.8 KB
│ ├─ 📄 index.css CSS 67L · 1.6 KB
│ ├─ 📜 main.tsx TypeScript 12L · 237 B
│ ├─ 📜 notificationSound.ts TypeScript 168L · 4.9 KB
│ └─ 📜 vscodeApi.ts TypeScript 6L · 206 B
├─ 📋 dashboard.config.example.json JSON 84L · 3.0 KB
├─ 📄 index.html HTML 13L · 389 B
├─ 📋 package-lock.json JSON 3118L · 104.5 KB
├─ 📋 package.json JSON 65L · 1.5 KB
├─ 📝 README.md Markdown 165L · 5.9 KB
├─ 📝 SKILL.md Markdown 42L · 1.3 KB
├─ 📋 tsconfig.app.json JSON 28L · 732 B
├─ 📋 tsconfig.json JSON 7L · 119 B
├─ 📋 tsconfig.node.json JSON 26L · 653 B
└─ 📜 vite.config.ts TypeScript 26L · 478 B

Dependencies 5 items

PackageVersionSourceKnown VulnsNotes
express ^5.1.0 npm No Acceptable stability risk
react ^19.2.0 npm No Latest major version
ws ^8.18.0 npm No Well-maintained websocket library
tsx ^4.19.0 npm No TypeScript execution
chokidar ^4.0.0 npm No File watching

Security Positives

✓ No base64-encoded payloads or obfuscated code found
✓ No data exfiltration or C2 communication patterns detected
✓ No credential harvesting beyond documented remote agent SSH access
✓ No suspicious network connections to unknown IPs
✓ No reverse shell, RCE, or malicious payload delivery
✓ Dependencies are well-known, mainstream packages
✓ SSH commands are scoped to systemctl for specific services only
✓ Config supports environment variable substitution for secrets
✓ No hidden functionality in HTML comments or other concealment