pixel-agents 安全扫描报告 — 低风险 | ClawSafe

15 /100

pixel-agents

Real-time pixel art ops dashboard for OpenClaw deployments

Legitimate OpenClaw monitoring dashboard with documented shell execution for build/deploy and remote service management via SSH. No hidden malicious behavior detected.

技能名称pixel-agents

分析耗时49.0s

引擎pi

✓

可以安装

Accept for use. If remote agents use SSH password authentication, consider switching to key-based auth for better security.

安全发现 2 项

严重性	安全发现	位置
中危	Plaintext SSH passwords in remote agent config 凭证窃取 RemoteAgentConfig interface allows storing passwords in plaintext. While sshpass is a legitimate tool for remote service management, storing passwords in config files is a security risk. `password?: string` → Use SSH key-based authentication instead. If passwords are required, use environment variables or a secrets manager.	`server/configLoader.ts:26`
低危	execSync for systemctl commands 权限提升 The services.ts module uses execSync to run systemctl commands locally and via SSH. While this is necessary for the breaker panel feature, it provides arbitrary command execution capability. `execSync(cmd, { timeout: 10_000, encoding: 'utf-8' })` → This is documented behavior for the service management feature. Ensure only trusted users can access this functionality.	`server/services.ts:47`

资源类型	声明权限	推断权限	状态	证据
文件系统	`READ`	`READ`	✓ 一致	Reads ~/.openclaw/agents and config files
网络访问	`READ`	`READ`	✓ 一致	Curl check to gateway URL
命令执行	`WRITE`	`WRITE`	✓ 一致	npm install/build, systemctl, sshpass/ssh
环境变量	`NONE`	`READ`	✓ 一致	Reads ENV_VAR placeholders in config
技能调用	`NONE`	`NONE`	—	No skill invocation detected
剪贴板	`NONE`	`NONE`	—	No clipboard access
浏览器	`NONE`	`NONE`	—	No browser automation
数据库	`NONE`	`NONE`	—	No direct database access

10 项发现

🔗

中危外部 URL 外部 URL

https://openclaw.ai

README.md:3

🔗

中危外部 URL 外部 URL

https://opencollective.com/babel

package-lock.json:91

🔗

中危外部 URL 外部 URL

https://opencollective.com/express

package-lock.json:1425

🔗

中危外部 URL 外部 URL

https://opencollective.com/browserslist

package-lock.json:1436

🔗

中危外部 URL 外部 URL

https://tidelift.com/funding/github/npm/browserslist

package-lock.json:1440

🔗

中危外部 URL 外部 URL

https://tidelift.com/funding/github/npm/caniuse-lite

package-lock.json:1512

🔗

中危外部 URL 外部 URL

https://paulmillr.com/funding/

package-lock.json:1563

💰

中危钱包地址加密货币钱包地址

347pnakNevPmiHhNmZ2HbFA76w

package-lock.json:2257

🔗

中危外部 URL 外部 URL

https://opencollective.com/postcss/

package-lock.json:2378

🔗

中危外部 URL 外部 URL

https://tidelift.com/funding/github/npm/postcss

package-lock.json:2382

目录结构

81 文件 · 701.4 KB · 23240 行

TypeScript 66f · 16453L JSON 7f · 6129L Markdown 4f · 294L Shell 1f · 222L CSS 1f · 67L JavaScript 1f · 62L HTML 1f · 13L

├─ ▾ 📁 bin

│ └─ 📜 pixel-agents.cjs JavaScript 62L · 1.8 KB

├─ ▾ 📁 public

│ └─ ▾ 📁 assets

│ ├─ 📝 ASSET-LICENSE.md Markdown 29L · 1.3 KB

│ └─ 📋 default-layout.json JSON 2801L · 33.3 KB

├─ ▾ 📁 server

│ ├─ 📜 assetLoader.ts TypeScript 191L · 6.3 KB

│ ├─ 📜 config.ts TypeScript 108L · 3.6 KB

│ ├─ 📜 configLoader.ts TypeScript 292L · 9.0 KB

│ ├─ 📜 hardware.ts TypeScript 260L · 8.5 KB

│ ├─ 📜 index.ts TypeScript 397L · 11.3 KB

│ ├─ 📜 openclawParser.ts TypeScript 316L · 10.6 KB

│ ├─ 📜 services.ts TypeScript 130L · 3.9 KB

│ ├─ 📜 sessionWatcher.ts TypeScript 429L · 14.6 KB

│ ├─ 📜 setupWizard.ts TypeScript 514L · 16.1 KB

│ ├─ 📜 spawner.ts TypeScript 374L · 12.5 KB

│ └─ 📜 version.ts TypeScript 140L · 4.4 KB

├─ ▾ 📁 skill

│ ├─ ▾ 📁 scripts

│ │ └─ 🔧 setup.sh Shell 222L · 5.9 KB

│ └─ 📝 SKILL.md Markdown 58L · 2.0 KB

├─ ▾ 📁 src

│ ├─ ▾ 📁 components

│ │ ├─ 📜 ActivityBubble.tsx TypeScript 248L · 7.9 KB

│ │ ├─ 📜 ActivityTicker.tsx TypeScript 103L · 2.5 KB

│ │ ├─ 📜 AgentLabels.tsx TypeScript 171L · 5.7 KB

│ │ ├─ 📜 BottomToolbar.tsx TypeScript 142L · 4.0 KB

│ │ ├─ 📜 BreakerPanel.tsx TypeScript 226L · 6.5 KB

│ │ ├─ 📜 ConversationHeat.tsx TypeScript 175L · 5.4 KB

│ │ ├─ 📜 DayNightCycle.tsx TypeScript 110L · 3.2 KB

│ │ ├─ 📜 DebugView.tsx TypeScript 190L · 5.2 KB

│ │ ├─ 📜 FireAlarm.tsx TypeScript 191L · 5.3 KB

│ │ ├─ 📜 HamRadio.tsx TypeScript 335L · 11.0 KB

│ │ ├─ 📜 NickDesk.tsx TypeScript 158L · 4.4 KB

│ │ ├─ 📜 OfficeDoor.tsx TypeScript 189L · 6.0 KB

│ │ ├─ 📜 ServerRack.tsx TypeScript 269L · 7.8 KB

│ │ ├─ 📜 SessionInfoPanel.tsx TypeScript 164L · 5.0 KB

│ │ ├─ 📜 SettingsModal.tsx TypeScript 232L · 7.0 KB

│ │ ├─ 📜 SpawnButton.tsx TypeScript 433L · 14.7 KB

│ │ ├─ 📜 SpawnChat.tsx TypeScript 292L · 9.3 KB

│ │ └─ 📜 ZoomControls.tsx TypeScript 177L · 5.0 KB

│ ├─ ▾ 📁 hooks

│ │ ├─ 📜 useEditorActions.ts TypeScript 634L · 21.1 KB

│ │ ├─ 📜 useEditorKeyboard.ts TypeScript 74L · 2.3 KB

│ │ ├─ 📜 useExtensionMessages.ts TypeScript 406L · 15.2 KB

│ │ ├─ 📜 useOpenClawEvents.ts TypeScript 437L · 14.1 KB

│ │ └─ 📜 useSpawnedSessions.ts TypeScript 201L · 5.7 KB

│ ├─ ▾ 📁 office

│ │ ├─ ▾ 📁 components

│ │ │ ├─ 📜 index.ts TypeScript 2L · 98 B

│ │ │ ├─ 📜 OfficeCanvas.tsx TypeScript 885L · 31.4 KB

│ │ │ └─ 📜 ToolOverlay.tsx TypeScript 233L · 7.7 KB

│ │ ├─ ▾ 📁 editor

│ │ │ ├─ 📜 editorActions.ts TypeScript 268L · 8.7 KB

│ │ │ ├─ 📜 editorState.ts TypeScript 120L · 3.0 KB

│ │ │ ├─ 📜 EditorToolbar.tsx TypeScript 646L · 20.2 KB

│ │ │ └─ 📜 index.ts TypeScript 9L · 226 B

│ │ ├─ ▾ 📁 engine

│ │ │ ├─ 📜 characters.ts TypeScript 339L · 10.0 KB

│ │ │ ├─ 📜 gameLoop.ts TypeScript 35L · 856 B

│ │ │ ├─ 📜 index.ts TypeScript 19L · 535 B

│ │ │ ├─ 📜 matrixEffect.ts TypeScript 139L · 5.0 KB

│ │ │ ├─ 📜 officeState.ts TypeScript 700L · 23.8 KB

│ │ │ └─ 📜 renderer.ts TypeScript 669L · 19.6 KB

│ │ ├─ ▾ 📁 layout

│ │ │ ├─ 📜 furnitureCatalog.ts TypeScript 383L · 12.6 KB

│ │ │ ├─ 📜 index.ts TypeScript 18L · 495 B

│ │ │ ├─ 📜 layoutSerializer.ts TypeScript 375L · 12.6 KB

│ │ │ └─ 📜 tileMap.ts TypeScript 105L · 3.0 KB

│ │ ├─ ▾ 📁 sprites

│ │ │ ├─ 📜 index.ts TypeScript 13L · 325 B

│ │ │ ├─ 📜 spriteCache.ts TypeScript 77L · 2.3 KB

│ │ │ └─ 📜 spriteData.ts TypeScript 1122L · 50.6 KB

│ │ ├─ 📜 colorize.ts TypeScript 207L · 5.6 KB

│ │ ├─ 📜 floorTiles.ts TypeScript 74L · 2.8 KB

│ │ ├─ 📜 toolUtils.ts TypeScript 28L · 876 B

│ │ ├─ 📜 types.ts TypeScript 198L · 5.6 KB

│ │ └─ 📜 wallTiles.ts TypeScript 189L · 5.6 KB

│ ├─ 📜 apiBase.ts TypeScript 14L · 512 B

│ ├─ 📜 App.tsx TypeScript 553L · 17.1 KB

│ ├─ 📜 constants.ts TypeScript 113L · 5.8 KB

│ ├─ 📄 index.css CSS 67L · 1.6 KB

│ ├─ 📜 main.tsx TypeScript 12L · 237 B

│ ├─ 📜 notificationSound.ts TypeScript 168L · 4.9 KB

│ └─ 📜 vscodeApi.ts TypeScript 6L · 206 B

├─ 📋 dashboard.config.example.json JSON 84L · 3.0 KB

├─ 📄 index.html HTML 13L · 389 B

├─ 📋 package-lock.json JSON 3118L · 104.5 KB

├─ 📋 package.json JSON 65L · 1.5 KB

├─ 📝 README.md Markdown 165L · 5.9 KB

├─ 📝 SKILL.md Markdown 42L · 1.3 KB

├─ 📋 tsconfig.app.json JSON 28L · 732 B

├─ 📋 tsconfig.json JSON 7L · 119 B

├─ 📋 tsconfig.node.json JSON 26L · 653 B

└─ 📜 vite.config.ts TypeScript 26L · 478 B

依赖分析 5 项

包名	版本	来源	已知漏洞	备注
`express`	`^5.1.0`	npm	否	Acceptable stability risk
`react`	`^19.2.0`	npm	否	Latest major version
`ws`	`^8.18.0`	npm	否	Well-maintained websocket library
`tsx`	`^4.19.0`	npm	否	TypeScript execution
`chokidar`	`^4.0.0`	npm	否	File watching

安全亮点

✓ No base64-encoded payloads or obfuscated code found

✓ No data exfiltration or C2 communication patterns detected

✓ No credential harvesting beyond documented remote agent SSH access

✓ No suspicious network connections to unknown IPs

✓ No reverse shell, RCE, or malicious payload delivery

✓ Dependencies are well-known, mainstream packages

✓ SSH commands are scoped to systemctl for specific services only

✓ Config supports environment variable substitution for secrets

✓ No hidden functionality in HTML comments or other concealment