Trusted — Risk Score 10/100
Last scan: 19 hr ago
homepage
OpenClaw homepage plugin - lets visitors chat with an AI assistant on your personal homepage
This is a legitimate OpenClaw homepage plugin providing HTTP bridge services for AI chat. No malicious behavior detected - the hardcoded 'your-api-key' is a placeholder default, not a harvested credential.
Skill Name: homepage
Duration: 28.7s
Engine: pi
Safe to install
Skill is safe to use. Consider version-pinning dependencies for better supply chain hygiene.

Findings 2 items

Severity | Finding | Location

Low | Unpinned Python dependencies (Supply Chain) | scripts/init.sh:45
init.sh uses 'pip3 install fastapi uvicorn pyyaml requests pydantic -q' without version pinning. This could lead to unexpected behavior if major versions change.
    pip3 install fastapi uvicorn pyyaml requests pydantic -q
→ Use requirements.txt with pinned versions or add version constraints

Info | Placeholder API key in config template (Sensitive Access) | scripts/init.sh:28
init.sh creates a config template with the placeholder value 'your-api-key'. This is a false positive - it's a documented default for users to replace, not an exfiltrated credential.
    api_key: "your-api-key"
→ No action needed - this is the expected behavior for a config template
Resource   | Declared | Inferred | Status    | Evidence
Filesystem | WRITE    | WRITE    | ✓ Aligned | SKILL.md:45 - creates ~/.openclaw/homepage/ and stores session data
Network    | READ     | READ     | ✓ Aligned | main.py:64-85 - WebSocket connection to configurable gateway URL
Shell      | WRITE    | WRITE    | ✓ Aligned | start.sh:29 - nohup python3 to run service
1 High · 1 finding

High | API Key | Suspected hard-coded credential
    api_key: "your-secure-api-key"
scripts/init.sh:28

File Tree

10 files · 12.1 KB · 494 lines
Shell 6f · 203L Python 1f · 146L Markdown 1f · 133L JSON 1f · 7L Text 1f · 5L
├─ 📁 scripts
│ ├─ 🔧 call_agent.sh Shell 15L · 318 B
│ ├─ 🔧 init.sh Shell 62L · 1.4 KB
│ ├─ 🔧 logs.sh Shell 12L · 285 B
│ ├─ 🐍 main.py Python 146L · 4.7 KB
│ ├─ 📄 requirements.txt Text 5L · 78 B
│ ├─ 🔧 start.sh Shell 48L · 1.2 KB
│ ├─ 🔧 stop.sh Shell 26L · 507 B
│ └─ 🔧 test.sh Shell 40L · 1.3 KB
├─ 📋 _meta.json JSON 7L · 218 B
└─ 📝 SKILL.md Markdown 133L · 2.2 KB

Dependencies 5 items

Package  | Version   | Source | Known Vulns | Notes
fastapi  | >=0.100.0 | pip    | No          | Lower bound only, not pinned to specific version
uvicorn  | >=0.23.0  | pip    | No          | Lower bound only, not pinned to specific version
pyyaml   | >=6.0     | pip    | No          | Lower bound only, not pinned to specific version
requests | >=2.28.0  | pip    | No          | Lower bound only, not pinned to specific version
pydantic | >=2.0.0   | pip    | No          | Lower bound only, not pinned to specific version

Security Positives

✓ Uses yaml.safe_load() for safe YAML parsing
✓ API key validation implemented in chat endpoint
✓ Session data stored locally, not exfiltrated
✓ Clear documentation matches implementation
✓ No base64 obfuscation or suspicious patterns
✓ WebSocket connection is to user-configurable local gateway
✓ No access to ~/.ssh, ~/.aws, or other sensitive credential paths