Scan Report
15 / 100
openclaw-security-policy-check
Automated security audit and configuration check tool for the OpenClaw gateway
Security audit tool that reads the OpenClaw config and runs CLI checks; a legitimate security tool with no malicious behavior, though it accesses sensitive paths.
Safe to install
Skill is safe to use. The execSync usage is declared and limited to running the official openclaw CLI. Consider adding explicit filesystem:READ and shell:READ permission declarations in SKILL.md.
Security findings: 2
| Severity | Finding | Location |
|---|---|---|
| Low | Reads OpenClaw config file (sensitive access) | scripts/audit.cjs:28 |
| Low | Shell execution not explicitly declared (documentation deception) | SKILL.md:15 |

| Resource type | Declared permission | Inferred permission | Status | Evidence |
|---|---|---|---|---|
| Filesystem | NONE | READ | ✓ Consistent | scripts/audit.cjs:28 - path.join(os.homedir(), '.openclaw', 'openclaw.json') |
| Command execution | NONE | READ | ✓ Consistent | SKILL.md declares 'openclaw security audit --deep' execution |
Directory structure
2 files · 6.7 KB · 236 lines (JavaScript: 1 file, 196 lines; Markdown: 1 file, 40 lines)
├─ scripts/
│  └─ audit.cjs (JavaScript)
└─ SKILL.md (Markdown)
Security highlights
✓ No data exfiltration - findings are only printed to console
✓ Token values are properly masked before display (first 8 chars only)
✓ Read-only mode - does not modify any files
✓ No network requests to external servers
✓ No base64 encoding or obfuscation
✓ No credential theft or harvesting for malicious purposes
✓ Limited and declared CLI execution (openclaw command only)
✓ Clean code with no hidden functionality