Trusted: risk score 10/100
Last scan: 22 hours ago
homepage
OpenClaw homepage plugin: lets visitors chat with an AI assistant on your personal homepage
This is a legitimate OpenClaw homepage plugin providing HTTP bridge services for AI chat. No malicious behavior detected - the hardcoded 'your-api-key' is a placeholder default, not a harvested credential.
Skill name: homepage
Analysis time: 28.7s
Engine: pi
Safe to install
Skill is safe to use. Consider version-pinning dependencies for better supply chain hygiene.

Security findings (2)

Severity: Low
Finding: Unpinned Python dependencies (Supply chain)
init.sh uses 'pip3 install fastapi uvicorn pyyaml requests pydantic -q' without version pinning. This could lead to unexpected behavior if major versions change.
Evidence: pip3 install fastapi uvicorn pyyaml requests pydantic -q
→ Use requirements.txt with pinned versions or add version constraints
Location: scripts/init.sh:45

Severity: Info
Finding: Placeholder API key in config template (Sensitive access)
init.sh creates a config template with placeholder values 'your-api-key'. This is a false positive - it's a documented default for users to replace, not an exfiltrated credential.
Evidence: api_key: "your-api-key"
→ No action needed - this is the expected behavior for a config template
Location: scripts/init.sh:28
Resource type | Declared permission | Inferred permission | Status | Evidence
File system | WRITE | WRITE | ✓ Consistent | SKILL.md:45 - creates ~/.openclaw/homepage/ and stores session data
Network access | READ | READ | ✓ Consistent | main.py:64-85 - WebSocket connection to configurable gateway URL
Command execution | WRITE | WRITE | ✓ Consistent | start.sh:29 - nohup python3 to run service
High-severity findings: 1
Severity: High
Finding: API key - suspected hardcoded credential
Evidence: api_key: "your-secure-api-key"
Location: scripts/init.sh:28

Directory structure

10 files · 12.1 KB · 494 lines
Shell: 6 files · 203 lines | Python: 1 file · 146 lines | Markdown: 1 file · 133 lines | JSON: 1 file · 7 lines | Text: 1 file · 5 lines
├─ 📁 scripts
│ ├─ 🔧 call_agent.sh Shell 15L · 318 B
│ ├─ 🔧 init.sh Shell 62L · 1.4 KB
│ ├─ 🔧 logs.sh Shell 12L · 285 B
│ ├─ 🐍 main.py Python 146L · 4.7 KB
│ ├─ 📄 requirements.txt Text 5L · 78 B
│ ├─ 🔧 start.sh Shell 48L · 1.2 KB
│ ├─ 🔧 stop.sh Shell 26L · 507 B
│ └─ 🔧 test.sh Shell 40L · 1.3 KB
├─ 📋 _meta.json JSON 7L · 218 B
└─ 📝 SKILL.md Markdown 133L · 2.2 KB

Dependency analysis (5)

Package | Version | Source | Known vulnerabilities | Notes
fastapi | >=0.100.0 | pip | none listed | Lower bound only, not pinned to a specific version
uvicorn | >=0.23.0 | pip | none listed | Lower bound only, not pinned to a specific version
pyyaml | >=6.0 | pip | none listed | Lower bound only, not pinned to a specific version
requests | >=2.28.0 | pip | none listed | Lower bound only, not pinned to a specific version
pydantic | >=2.0.0 | pip | none listed | Lower bound only, not pinned to a specific version

Security highlights

✓ Uses yaml.safe_load() for safe YAML parsing
✓ API key validation implemented in chat endpoint
✓ Session data stored locally, not exfiltrated
✓ Clear documentation matches implementation
✓ No base64 obfuscation or suspicious patterns
✓ WebSocket connection is to user-configurable local gateway
✓ No access to ~/.ssh, ~/.aws, or other sensitive credential paths