Low risk — risk score 20/100
Last scanned: 1 day ago
ratemyclaw
Scores an OpenClaw agent setup by scanning the workspace, generating local embeddings, and submitting taxonomy tags + embeddings to ratemyclaw.com for comparison.
A legitimate workspace-profiling tool that scans files and sends structured tags + embeddings to an external API. Minor documentation gaps around model config exposure, but no malicious behavior found.
Skill name: ratemyclaw
Analysis time: 55.6s
Engine: pi
Safe to install
Consider documenting model name transmission in SKILL.md and pinning scikit-learn to a specific version.

Security findings: 4

Severity · Finding · Location
Low
Model configuration transmitted without documentation (category: Documentation deception)
The _detect_models() function reads ~/.openclaw/openclaw.json and extracts default_model, fallback_models, and heartbeat_model strings, which are included in the API submission payload. The SKILL.md 'What Gets Sent' section does not list model names, creating a doc-to-code mismatch.
models = {'default_model': None, 'fallback_models': [], 'heartbeat_model': None}
→ Add model names to the 'What Gets Sent' section of SKILL.md, or remove model extraction from the submission payload.
scripts/profile_generator.py:169
Low
Dependency version not pinned (category: Supply chain)
requirements.txt specifies 'scikit-learn>=1.0' with no upper bound. This allows pip to install any future version, which could introduce malicious or vulnerable code.
scikit-learn>=1.0
→ Pin to a specific version, e.g., scikit-learn==1.5.2
requirements.txt:1
Low
Undeclared subprocess shell execution (category: Privilege escalation)
submit_profile.py executes pip install via subprocess.run() when scikit-learn is missing, but SKILL.md does not declare that this skill will execute shell commands.
subprocess.run([sys.executable, '-m', 'pip', 'install', '-r', str(req_file)])
→ Declare subprocess/shell capability in SKILL.md metadata or remove the auto-install feature.
scripts/submit_profile.py:164
Info
Accesses .secrets directory but only reads file names (category: Sensitive access)
The scanner enumerates file names in ~/.openclaw/workspace/.secrets/ and includes them as integration signals. This is low-risk as only names (not contents) are read, and they are matched against a fixed taxonomy rather than exfiltrated raw.
elif subdir == '.secrets': signals['secrets'] = [f.name for f in items]
→ No action needed; behavior is benign but could be documented.
scripts/profile_generator.py:88
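| Resource type | Declared permission | Inferred permission | Status | Evidence |
|---|---|---|---|---|
| File system | READ | READ | ✓ Consistent | SKILL.md: workspace scan, scripts/profile_generator.py:31-100 |
| Network access | WRITE | WRITE | ✓ Consistent | SKILL.md: 'submits tags + embedding to ratemyclaw.com', scripts/submit_profile.p… |
| Environment variables | READ | READ | ✓ Consistent | SKILL.md: RATEMYCLAW_API_KEY env var, scripts/submit_profile.py:25 |
| Command execution | NONE | WRITE | ✗ Exceeds declared | scripts/submit_profile.py:164: subprocess.run(['pip', 'install', '-r', req_file]… |
| Skill invocation | NONE | NONE | | No skill invocation observed |
| Clipboard | NONE | NONE | | No clipboard access |
| Browser | NONE | NONE | | No browser access |
| Database | NONE | NONE | | No database access |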
3 findings

| Severity | Type | URL | Location |
|---|---|---|---|
| Medium | External URL | https://ratemyclaw.com** | README.md:7 |
| Medium | External URL | https://huggingface.co/sentence-transformers/all-MiniLM-L6-v2 | README.md:19 |
| Medium | External URL | https://ratemyclaw.com | SKILL.md:7 |

Directory structure

8 files · 48.0 KB · 1403 lines
Python 2f · 900L JSON 3f · 330L Markdown 2f · 172L Text 1f · 1L
├─ 📁 references
│ └─ 📋 taxonomy.json JSON 259L · 4.6 KB
├─ 📁 scripts
│ ├─ 📋 generated_profile.json JSON 66L · 1.3 KB
│ ├─ 🐍 profile_generator.py Python 561L · 23.0 KB
│ └─ 🐍 submit_profile.py Python 339L · 12.0 KB
├─ 📋 _meta.json JSON 5L · 129 B
├─ 📝 README.md Markdown 62L · 2.3 KB
├─ 📄 requirements.txt Text 1L · 18 B
└─ 📝 SKILL.md Markdown 110L · 4.7 KB

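Dependency analysis: 1 item

| Package | Version | Source | Known vulnerabilities | Notes |
|---|---|---|---|---|
| scikit-learn | >=1.0 | pip | | Version not pinned; >=1.0 allows any version |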

Security highlights

✓ No credential theft: API keys and tokens are never read or exfiltrated
✓ No base64-encoded or obfuscated code found
✓ No remote script execution (curl|bash, wget|sh) detected
✓ No direct IP network requests; all traffic goes to ratemyclaw.com domain
✓ No sensitive file path access (no ~/.ssh, ~/.aws, .env reading)
✓ No C2 communication or reverse shell patterns
✓ Taxonomy-based tagging limits data exposure to predefined labels only
✓ User confirmation required before API key generation
✓ Embedding generation is local (MiniLM/TF-IDF) before transmission
✓ Raw file contents are explicitly excluded from submissions per documentation
✓ Good: API key file saved with chmod 600
✓ Good: Input prompts support non-interactive --yes flag for automation