Security Decision Report

claw-ops-manager

The skill executes arbitrary shell commands via subprocess without explicit declaration, monitors and snapshots sensitive credential paths (~/.ssh, /etc/ssh) without stated justification, and includes documentation examples of destructive commands.

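Install decision first · Source: manual upload · Scan time: 2026/4/5
Files 27
IOC 7
Out-of-scope items 3
Findings 5
Most direct threat evidence
High risk · Privilege escalation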
Undeclared Shell Command Execution

The skill executes arbitrary shell commands passed to audited_exec() via subprocess.run(command, shell=True) without declaring shell execution as a capability in SKILL.md

scripts/audited_ops.py:240

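Why this conclusion was reached

3 of 4 dimensions triggered
Block
Declared vs. actual capabilities

Found 3 capabilities or out-of-scope behaviors beyond what is declared.

Block
Hidden execution and outbound connections

Extracted 2 high-risk IOCs or outbound-connection signals.

Block
Attack chain and high-risk findings

The report contains 0 attack-chain steps, plus 3 high-risk or critical findings.

Review
Dependency and supply-chain hygiene

Found 3 dependency or supply-chain indicators that need attention.

How the risk score was raised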

Undeclared shell execution capability +25

SKILL.md describes audit/logging functionality but the actual implementation executes arbitrary commands via subprocess.run(command, shell=True) without mentioning this in core capabilities

Sensitive path monitoring without justification +20

~/.ssh and /etc/ssh are in auto_snapshot_paths (scripts/audited_ops.py:36-37) and protected_paths (scripts/init.py:114, scripts/monitor.py:91) without clear explanation of why credential directories need auditing

Shell eval execution +15

scripts/audit_wrapper.sh:55 uses 'eval $command' to execute user-provided shell commands

Dangerous command examples in docs +12

COMPLETED_v2.md:10 contains 'rm -rf ~' and MARKETING.md:45 contains 'rm -rf /' as documentation examples showing how the skill describes commands

Most critical evidence

High risk · Privilege escalation

Undeclared Shell Command Execution

The skill executes arbitrary shell commands passed to audited_exec() via subprocess.run(command, shell=True) without declaring shell execution as a capability in SKILL.md

scripts/audited_ops.py:240
Declare shell:WRITE capability explicitly in SKILL.md or remove shell execution and only log operations
High risk · Sensitive access

Sensitive Credential Paths in Auto-Snapshot

~/.ssh and /etc/ssh are included in auto_snapshot_paths list (lines 36-38) which means all SSH keys and configs are automatically copied to snapshot directory on every operation

scripts/audited_ops.py:36
Remove sensitive paths from auto_snapshot_paths unless explicitly required and documented. Snapshots of credential directories create data exposure risk.
High risk · Sensitive access

Sensitive Paths in Default Protected Paths

~/.ssh and /etc/ssh appear in protected_paths default configuration (scripts/init.py:114) and file monitor (scripts/monitor.py:89-91)

scripts/init.py:114
Provide clear justification for why SSH directories need monitoring, or remove from default configuration
Medium risk · Code execution

Shell Eval Usage in Wrapper

audit_wrapper.sh uses 'eval $command' which has security implications when handling untrusted input

scripts/audit_wrapper.sh:55
Replace eval with safer subprocess execution methods with proper argument separation
Medium risk · Documentation deception

Dangerous Command Examples in Documentation

COMPLETED_v2.md:10 and MARKETING.md:45 contain 'rm -rf ~' and 'rm -rf /' as documentation examples showing how the skill logs commands

COMPLETED_v2.md:10
Use less destructive commands for documentation examples

Declared capabilities vs. actual capabilities

Command execution · Block
Declared NONE
Inferred WRITE
scripts/audited_ops.py:240 - subprocess.run(command, shell=True)
File system · Block
Declared READ
Inferred WRITE
scripts/audited_ops.py:262-270 - writes files for snapshots
Environment variables · Block
Declared NONE
Inferred READ
scripts/audited_ops.py:28 - os.environ.get('USER'), scripts/auto_audit.py:26 - os.environ.get('OPENCLAW_SESSION')

Suspicious artifacts and outbound connections

Critical · Dangerous command
rm -rf ~

COMPLETED_v2.md:10

Critical · Dangerous command
rm -rf /

MARKETING.md:45

Medium risk · External URL
https://img.shields.io/badge/ClawHub-v2.0.0-667eea?style=for-the-badge

MARKETING.md:97

Medium risk · External URL
https://clawhub.com/package/claw-ops-manager

MARKETING.md:97

Medium risk · External URL
https://img.shields.io/badge/ClawHub-v2.0.0-667eea

OPTIMIZED_METADATA.md:101

Medium risk · External URL
https://cdn.plot.ly/plotly-latest.min.js

assets/templates/dashboard.html:7

Info · Email
[email protected]

scripts/snapshot.py:37

Dependencies and supply chain

Package | Version | Source | Vulnerabilities | Notes
flask | not specified | pip | | Listed in SKILL.md dependencies but not pinned
watchdog | not specified | pip | | Listed in SKILL.md dependencies but not pinned
plotly | not specified | pip | | Listed in SKILL.md dependencies but not pinned

File composition

27 files · 10830 lines
Python 13 files · 7147 lines
HTML 3 files · 1777 lines
Markdown 7 files · 1461 lines
Shell 2 files · 258 lines
JSON 2 files · 187 lines
Files needing attention · 3
scripts/snapshot.py Python · 406 lines
assets/templates/dashboard.html HTML · 453 lines
https://cdn.plot.ly/plotly-latest.min.js
scripts/audited_ops.py Python · 303 lines
Undeclared Shell Command Execution · Sensitive Credential Paths in Auto-Snapshot
Other files · server_v3.py · server_v2.py · server_full.py · dashboard_v3.html · dashboard_v2.html · describer.py +3

Security highlights

No credential harvesting or exfiltration code detected
No network exfiltration to external servers
No base64 encoding or obfuscated malicious code
No reverse shell or C2 communication patterns
No hidden HTML comments with malicious instructions
Includes permission checking before operations
Database uses SQLite with proper schema design
Supports dry-run mode for rollback operations