claw-ops-manager Security Report — High Risk | ClawSafe

72 /100

claw-ops-manager

OpenClaw operations management center with audit logging, snapshots, and rollback

The skill executes arbitrary shell commands via subprocess without explicit declaration, monitors and snapshots sensitive credential paths (~/.ssh, /etc/ssh) without stated justification, and includes documentation examples of destructive commands.

Skill Nameclaw-ops-manager

Duration82.0s

Enginepi

⛔

Do not install this skill

Do not deploy without major security rework. The skill requires explicit shell:WRITE permission declaration, removal of sensitive paths from auto-snapshot configuration, and clear documentation explaining why credential directories are monitored.

Findings 5 items

Severity	Finding	Location
High	Undeclared Shell Command Execution Priv Escalation The skill executes arbitrary shell commands passed to audited_exec() via subprocess.run(command, shell=True) without declaring shell execution as a capability in SKILL.md `subprocess.run(command, shell=True, capture_output=True, text=True)` → Declare shell:WRITE capability explicitly in SKILL.md or remove shell execution and only log operations	`scripts/audited_ops.py:240`
High	Sensitive Credential Paths in Auto-Snapshot Sensitive Access ~/.ssh and /etc/ssh are included in auto_snapshot_paths list (lines 36-38) which means all SSH keys and configs are automatically copied to snapshot directory on every operation `str(Path.home() / ".ssh"), "/etc/ssh", "/etc/sudoers.d"` → Remove sensitive paths from auto_snapshot_paths unless explicitly required and documented. Snapshots of credential directories create data exposure risk.	`scripts/audited_ops.py:36`
High	Sensitive Paths in Default Protected Paths Sensitive Access ~/.ssh and /etc/ssh appear in protected_paths default configuration (scripts/init.py:114) and file monitor (scripts/monitor.py:89-91) `"~/.ssh"` → Provide clear justification for why SSH directories need monitoring, or remove from default configuration	`scripts/init.py:114`
Medium	Shell Eval Usage in Wrapper RCE audit_wrapper.sh uses 'eval $command' which has security implications when handling untrusted input `eval "$command"` → Replace eval with safer subprocess execution methods with proper argument separation	`scripts/audit_wrapper.sh:55`
Medium	Dangerous Command Examples in Documentation Doc Mismatch COMPLETED_v2.md:10 and MARKETING.md:45 contain 'rm -rf ~' and 'rm -rf /' as documentation examples showing how the skill logs commands `rm -rf ~/Desktop/截图` → Use less destructive commands for documentation examples	`COMPLETED_v2.md:10`

Resource	Declared	Inferred	Status	Evidence
Shell	`NONE`	`WRITE`	✗ Violation	scripts/audited_ops.py:240 - subprocess.run(command, shell=True)
Filesystem	`READ`	`WRITE`	✗ Violation	scripts/audited_ops.py:262-270 - writes files for snapshots
Environment	`NONE`	`READ`	✗ Violation	scripts/audited_ops.py:28 - os.environ.get('USER'), scripts/auto_audit.py:26 - o…

2 Critical 7 findings

💀

Critical Dangerous Command 危险 Shell 命令

rm -rf ~

COMPLETED_v2.md:10

💀

Critical Dangerous Command 危险 Shell 命令

rm -rf /

MARKETING.md:45

🔗

Medium External URL 外部 URL

https://img.shields.io/badge/ClawHub-v2.0.0-667eea?style=for-the-badge

MARKETING.md:97

🔗

Medium External URL 外部 URL

https://clawhub.com/package/claw-ops-manager

MARKETING.md:97

🔗

Medium External URL 外部 URL

https://img.shields.io/badge/ClawHub-v2.0.0-667eea

OPTIMIZED_METADATA.md:101

🔗

Medium External URL 外部 URL

https://cdn.plot.ly/plotly-latest.min.js

assets/templates/dashboard.html:7

📧

Info Email 邮箱地址

[email protected]

scripts/snapshot.py:37

File Tree

27 files · 333.4 KB · 10830 lines

Python 13f · 7147L HTML 3f · 1777L Markdown 7f · 1461L Shell 2f · 258L JSON 2f · 187L

├─ ▾ 📁 assets

│ └─ ▾ 📁 templates

│ ├─ 📄 dashboard_v2.html HTML 582L · 17.5 KB

│ ├─ 📄 dashboard_v3.html HTML 742L · 25.0 KB

│ └─ 📄 dashboard.html HTML 453L · 12.8 KB

├─ ▾ 📁 references

│ └─ 📝 api.md Markdown 175L · 4.0 KB

├─ ▾ 📁 scripts

│ ├─ 🔧 audit_wrapper.sh Shell 102L · 2.2 KB

│ ├─ 🐍 audited_ops.py Python 303L · 8.9 KB

│ ├─ 🐍 auto_audit.py Python 200L · 5.5 KB

│ ├─ 🐍 describer.py Python 261L · 9.9 KB

│ ├─ 🐍 init.py Python 175L · 5.4 KB

│ ├─ 🐍 logger.py Python 263L · 7.4 KB

│ ├─ 🐍 monitor.py Python 123L · 3.4 KB

│ ├─ 🐍 rollback.py Python 284L · 8.7 KB

│ ├─ 🐍 server_full.py Python 1507L · 47.8 KB

│ ├─ 🐍 server_simple.py Python 232L · 9.2 KB

│ ├─ 🐍 server_v2.py Python 1531L · 48.7 KB

│ ├─ 🐍 server_v3.py Python 1578L · 50.7 KB

│ ├─ 🐍 server.py Python 284L · 7.2 KB

│ ├─ 🔧 setup_auto_audit.sh Shell 156L · 4.1 KB

│ └─ 🐍 snapshot.py Python 406L · 13.4 KB

├─ ▾ 📁 translations

│ └─ 📋 operations.json JSON 182L · 7.5 KB

├─ 📋 _meta.json JSON 5L · 135 B

├─ 📝 COMPLETED_v2.md Markdown 241L · 5.3 KB

├─ 📝 INTEGRATION.md Markdown 125L · 2.7 KB

├─ 📝 MARKETING.md Markdown 236L · 8.0 KB

├─ 📝 OPTIMIZED_METADATA.md Markdown 171L · 5.9 KB

├─ 📝 SKILL.md Markdown 322L · 8.2 KB

└─ 📝 USAGE_v2.md Markdown 191L · 3.8 KB

Dependencies 3 items

Package	Version	Source	Known Vulns	Notes
`flask`	`not specified`	pip	No	Listed in SKILL.md dependencies but not pinned
`watchdog`	`not specified`	pip	No	Listed in SKILL.md dependencies but not pinned
`plotly`	`not specified`	pip	No	Listed in SKILL.md dependencies but not pinned

Security Positives

✓ No credential harvesting or exfiltration code detected

✓ No network exfiltration to external servers

✓ No base64 encoding or obfuscated malicious code

✓ No reverse shell or C2 communication patterns

✓ No hidden HTML comments with malicious instructions

✓ Includes permission checking before operations

✓ Database uses SQLite with proper schema design

✓ Supports dry-run mode for rollback operations

Scan Report

Findings 5 items

File Tree

Dependencies 3 items

Security Positives