This report was generated in Chinese. Some content may be in Chinese.
Low Risk — Risk Score 15/100
Last scan: 2 hr ago
openclaw-growth-engineer
OpenClaw-first growth autopilot for mobile apps. Correlate analytics, crashes, billing, feedback, store signals into GitHub issues or draft PRs.
A legitimate growth-engineering tool that analyses mobile-app data through the GitHub API and generates issues/PRs. Shell execution, although not explicitly declared in SKILL.md, is used to run legitimate commands such as analyticscli and git and is a normal functional requirement.
Skill Name: openclaw-growth-engineer
Duration: 52.4s
Engine: pi
ClawHub Openclaw Growth Engineer v1.0.2 by wotaso-dev
ClawHub Verdict: Suspicious (dangerous_exec, env_credential_access, llm_suspicious, potential_exfiltration, vt_suspicious)
Safe to install
Approved for use. Recommend adding a note on the shell-execution capability to the Startup Protocol section of SKILL.md. Consider pinning the matplotlib version to reduce supply-chain risk.

Findings 2 items

Severity Finding Location
Medium
matplotlib dependency has no version pin (Supply Chain)
scripts/openclaw-growth-charts.py uses matplotlib, but the version is not pinned in requirements.txt, so a malicious version could be pulled in
import matplotlib.pyplot as plt
→ Add a requirements.txt at the project root and pin matplotlib>=3.5.0
scripts/openclaw-growth-charts.py:33
Low
Shell execution capability not declared in documentation (Doc Mismatch)
SKILL.md does not state that the scripts execute shell commands via spawn(zsh), even though this is used for legitimate tools such as analyticscli/git
The Startup Protocol section lists only the command invocations and does not mention that /bin/zsh is used underneath to execute them
→ Add a note to Startup Protocol stating that the analyticscli CLI is executed via a shell
SKILL.md:1
Resource | Declared | Inferred | Status | Evidence
Shell | NONE | WRITE | ✗ Violation | scripts/openclaw-growth-start.mjs:86 spawn('/bin/zsh', ['-lc', command])
Network | READ | READ | ✓ Aligned | scripts/openclaw-growth-preflight.mjs:246-284 API calls
Filesystem | NONE | WRITE | ✗ Violation | scripts/openclaw-growth-runner.mjs:147 fs.writeFile writes to the data directory
Environment | NONE | READ | ✗ Violation | reads process.env.GITHUB_TOKEN
External URLs: 2 findings
Medium External URL https://api.revenuecat.com/v2/projects?limit=1 (scripts/openclaw-growth-preflight.mjs:246)
Medium External URL https://sentry.io/api/0/organizations/ (scripts/openclaw-growth-preflight.mjs:284)

File Tree

24 files · 168.2 KB · 5569 lines
JavaScript 10f · 4611L Markdown 7f · 558L JSON 5f · 201L Python 1f · 154L Shell 1f · 45L
├─ 📁 data
│ └─ 📁 openclaw-growth-engineer
│ ├─ 📋 analytics_summary.example.json JSON 40L · 1.2 KB
│ ├─ 📋 config.example.json JSON 76L · 2.0 KB
│ ├─ 📋 feedback_summary.example.json JSON 37L · 1.2 KB
│ ├─ 📋 revenuecat_summary.example.json JSON 25L · 754 B
│ └─ 📋 sentry_summary.example.json JSON 23L · 709 B
├─ 📁 references
│ ├─ 📝 advanced-setup.md Markdown 49L · 1.8 KB
│ ├─ 📝 input-schema.md Markdown 100L · 2.3 KB
│ ├─ 📝 issue-template.md Markdown 36L · 572 B
│ ├─ 🔑 required-secrets.md Markdown 31L · 1.2 KB
│ └─ 📝 setup-and-scheduling.md Markdown 118L · 2.2 KB
├─ 📁 scripts
│ ├─ 🔧 bootstrap-openclaw-workspace.sh Shell 45L · 1.8 KB
│ ├─ 📜 export-analytics-summary.mjs JavaScript 172L · 4.4 KB
│ ├─ 📜 export-asc-summary.mjs JavaScript 194L · 5.3 KB
│ ├─ 📜 openclaw-exporters-lib.mjs JavaScript 543L · 19.7 KB
│ ├─ 📜 openclaw-feedback-api.mjs JavaScript 260L · 7.9 KB
│ ├─ 🐍 openclaw-growth-charts.py Python 154L · 4.4 KB
│ ├─ 📜 openclaw-growth-engineer.mjs JavaScript 1141L · 36.7 KB
│ ├─ 📜 openclaw-growth-preflight.mjs JavaScript 871L · 25.7 KB
│ ├─ 📜 openclaw-growth-runner.mjs JavaScript 537L · 15.2 KB
│ ├─ 📜 openclaw-growth-shared.mjs JavaScript 211L · 6.9 KB
│ ├─ 📜 openclaw-growth-start.mjs JavaScript 379L · 10.1 KB
│ └─ 📜 openclaw-growth-wizard.mjs JavaScript 303L · 8.9 KB
├─ 📝 README.md Markdown 87L · 2.4 KB
└─ 📝 SKILL.md Markdown 137L · 5.0 KB

Dependencies 2 items

Package | Version | Source | Known Vulns | Notes
matplotlib | * | pip | No | no version pin
node (builtin) | bundled | system | No | Node.js standard library

Security Positives

✓ Code structure is clear; no obfuscation or anti-analysis techniques
✓ All network requests target official APIs (GitHub/Sentry/RevenueCat)
✓ Credentials are passed only via the Authorization header; no hard-coding or leakage
✓ No access to sensitive paths (~/.ssh, ~/.aws, .env)
✓ No base64-encoded execution or eval-based dynamic code execution
✓ No scheduled tasks or persistence backdoors
✓ GitHub operations are limited to creating issues/PRs, with a clear purpose
✓ Follows the 'Red Lines' rules (no committing secrets, no storing them in config.json)