Low risk — risk score 20/100
Last scanned: 1 day ago
acetoolz-password
Generate secure passwords via the AceToolz API
Skill is a documentation-only prompt for password generation via external API but declares insufficient permissions for implied shell execution.
Skill name: acetoolz-password
Analysis time: 21.8s
Engine: pi
Can be installed
Add 'shell:WRITE' to the permissions array in the frontmatter to accurately reflect the curl command execution requirement.

Security findings: 1

Severity | Finding | Location
Medium
Shell execution permission not declared (privilege escalation)
The skill instructs using 'exec' to run curl commands but only declares 'network:outbound' permission. Shell:WRITE permission is implicitly required for the curl command execution.
Use `exec` to call the AceToolz API...
→ Update permissions array to include 'shell:WRITE' or clarify that 'exec' maps to a tool with shell execution capability.
SKILL.md:21
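Resource type | Declared permission | Inferred permission | Status | Evidence
Network access | READ | READ | ✓ Consistent | SKILL.md:7 - permissions: ['network:outbound']
Command execution | NONE | WRITE | ✗ Exceeds declared permissions | SKILL.md:21-27 - curl command requires shell execution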
3 findings
Medium | External URL | https://www.acetoolz.com/generate/tools/password-generator | SKILL.md:18
Medium | External URL | https://www.acetoolz.com/api/openclaw/password-generator | SKILL.md:31
Medium | External URL | https://www.acetoolz.com | SKILL.md:69

Directory structure

1 file · 2.8 KB · 76 lines
Markdown 1f · 76L
└─ 📝 SKILL.md Markdown 76L · 2.8 KB

Security highlights

✓ No actual code/scripts present - purely documentation
✓ No credential theft or sensitive data access
✓ API endpoint is clearly documented (acetoolz.com)
✓ No obfuscation or suspicious encoding detected
✓ No data exfiltration beyond the declared API call
✓ Error handling is appropriately documented