Low Risk — Risk Score 15/100
Last scan: 1 day ago
automation-workflows
Design and implement automation workflows to save time and scale operations as a solopreneur
This is a legitimate automation-workflows skill for solopreneurs containing agent management, messaging, and cognitive memory scripts with no malicious behavior detected.
Skill Name: automation-workflows
Duration: 51.9s
Engine: pi
Safe to install
Approve for use. All scripts perform documented, benign operations (Telegram notifications, Discord channel management, Tavily search, ElevenLabs transcription). No credential theft, exfiltration, or obfuscation observed.

Findings 3 items

Low: Hardcoded user-specific paths (Sensitive Access)
Location: scripts/send_status_with_logging.py:19
Several scripts reference C:\Users\Luffy\ paths and ~ for a specific user. This is a portability concern rather than a security issue, as the scripts are designed for a specific local installation of the OpenClaw toolchain.
Evidence: LOG_DIR = Path("C:/Users/Luffy/clawd/logs")
→ Use environment variables or config file for log directory path instead of hardcoded user path.

Low: Hardcoded Telegram target ID (Sensitive Access)
Location: scripts/send_status.py:62
Telegram target ID 7590912486 is hardcoded as default across multiple send_status scripts. While this is not credential theft, it means messages go to a specific user by default.
Evidence: target = os.environ.get("TELEGRAM_TARGET", "7590912486")
→ Make target entirely environment-driven with no fallback to avoid accidental message routing.

Low: SKILL.md declares no tools but scripts use subprocess and network APIs (Doc Mismatch)
Location: SKILL.md:1
SKILL.md is purely instructional documentation about automation workflows (no-code tools like Zapier/Make/n8n). It makes no capability declarations. The supporting scripts use subprocess and HTTP APIs, which is appropriate for the OpenClaw integration purpose.
Evidence: Design and implement automation workflows to save time and scale operations as a solopreneur
→ This is not a true doc-to-code mismatch since SKILL.md is not intended to describe script capabilities - it's a human-facing workflow guide. No action needed.

Resource Declared Inferred Status Evidence
Network NONE READ ✓ Aligned search.mjs:98 makes HTTPS POST to api.tavily.com; transcribe.sh:71 makes HTTPS P…
Filesystem NONE WRITE ✓ Aligned create-agent.sh:59-64 creates workspace directories; init_memory.sh:22-24 create…
Shell NONE WRITE ✓ Aligned send_status.py:73-87 runs clawdbot CLI via subprocess; create-agent.sh:107 calls…
Environment NONE READ ✓ Aligned search.mjs:87 reads TAVILY_API_KEY; transcribe.sh:47 reads ELEVENLABS_API_KEY; s…
10 findings
Medium External URL https://openclaw.ai README.md:3
Medium External URL https://docs.openclaw.ai README.md:538
Medium External URL https://discord.com/invite/clawd README.md:539
Medium External URL https://clawhub.com README.md:540
Medium External URL https://staging.example.com ci-cd.md:137
Medium External URL https://discord.com/api/v10/channels/ scripts/rename_channel.py:51
Medium External URL https://tavily.com scripts/search.mjs:84
Medium External URL https://api.tavily.com/search scripts/search.mjs:100
Medium External URL https://discord.com/api/v10/guilds/ scripts/setup_channel.py:51
Medium External URL https://api.elevenlabs.io/v1/speech-to-text scripts/transcribe.sh:71

File Tree

66 files · 289.3 KB · 9328 lines
Markdown 49f · 6452L Shell 6f · 1370L Python 8f · 1327L JavaScript 1f · 150L JSON 2f · 29L
├─ 📁 assets
│ ├─ 📁 templates
│ │ ├─ 📝 agents-memory-block.md Markdown 227L · 7.2 KB
│ │ ├─ 📋 decay-scores.json JSON 24L · 539 B
│ │ ├─ 📝 entity-template.md Markdown 20L · 348 B
│ │ ├─ 📝 episode-template.md Markdown 7L · 279 B
│ │ ├─ 📝 evolution.md Markdown 35L · 761 B
│ │ ├─ 📝 graph-index.md Markdown 11L · 317 B
│ │ ├─ 📝 IDENTITY.md Markdown 68L · 1.9 KB
│ │ ├─ 📝 MEMORY.md Markdown 30L · 850 B
│ │ ├─ 📝 pending-memories.md Markdown 18L · 511 B
│ │ ├─ 📝 pending-reflection.md Markdown 54L · 1.7 KB
│ │ ├─ 📝 procedure-template.md Markdown 18L · 321 B
│ │ ├─ 📝 reflection-log.md Markdown 28L · 579 B
│ │ ├─ 📝 relations.md Markdown 18L · 508 B
│ │ ├─ 📝 reward-log.md Markdown 10L · 256 B
│ │ ├─ 📝 reward-template.md Markdown 55L · 1.0 KB
│ │ └─ 📝 SOUL.md Markdown 97L · 3.2 KB
│ └─ 📝 operator-prompts.md Markdown 14L · 382 B
├─ 📁 references
│ ├─ 📝 architecture.md Markdown 1274L · 54.8 KB
│ ├─ 📝 command-cheatsheet.md Markdown 13L · 157 B
│ ├─ 📝 failure-handling.md Markdown 13L · 305 B
│ ├─ 📝 model-selection.md Markdown 15L · 320 B
│ ├─ 📝 plan-vs-build.md Markdown 17L · 251 B
│ ├─ 📝 question-handling.md Markdown 8L · 195 B
│ ├─ 📝 reflection-process.md Markdown 1186L · 40.7 KB
│ ├─ 📝 routing-prompt.md Markdown 67L · 1.7 KB
│ ├─ 📝 session-management.md Markdown 10L · 328 B
│ ├─ 📝 usage.md Markdown 201L · 5.2 KB
│ └─ 📝 workflow.md Markdown 12L · 336 B
├─ 📁 scripts
│ ├─ 🔧 create-agent.sh Shell 352L · 8.5 KB
│ ├─ 🔧 init_memory.sh Shell 147L · 5.1 KB
│ ├─ 🐍 monitor_task.py Python 273L · 9.1 KB
│ ├─ 🐍 rename_channel.py Python 192L · 6.6 KB
│ ├─ 📜 search.mjs JavaScript 150L · 3.9 KB
│ ├─ 🐍 send_status_websocket.py Python 113L · 3.1 KB
│ ├─ 🐍 send_status_with_logging.py Python 215L · 6.7 KB
│ ├─ 🐍 send_status.py Python 180L · 5.4 KB
│ ├─ 🐍 setup_channel.py Python 178L · 6.0 KB
│ ├─ 🐍 test_send_status.py Python 62L · 1.9 KB
│ ├─ 🔧 transcribe.sh Shell 104L · 2.3 KB
│ ├─ 🔧 upgrade_to_1.0.6.sh Shell 298L · 9.1 KB
│ └─ 🔧 upgrade_to_1.0.7.sh Shell 234L · 7.7 KB
├─ 📋 _meta.json JSON 5L · 139 B
├─ 📝 boundaries.md Markdown 59L · 2.2 KB
├─ 📝 ci-cd.md Markdown 176L · 3.4 KB
├─ 📝 corrections.md Markdown 36L · 1.0 KB
├─ 📝 debugging.md Markdown 136L · 3.5 KB
├─ 🐍 examples.py Python 114L · 3.1 KB
├─ 📝 heartbeat-rules.md Markdown 54L · 1.8 KB
├─ 📝 heartbeat-state.md Markdown 22L · 584 B
├─ 📝 HEARTBEAT.md Markdown 5L · 261 B
├─ 📝 learning.md Markdown 106L · 2.9 KB
├─ 📝 memory-template.md Markdown 75L · 1.2 KB
├─ 📝 memory.md Markdown 30L · 756 B
├─ 📝 openclaw-heartbeat.md Markdown 5L · 261 B
├─ 📝 operations.md Markdown 144L · 3.4 KB
├─ 📝 README.md Markdown 558L · 12.8 KB
├─ 📝 reflections.md Markdown 31L · 840 B
├─ 📝 scaling.md Markdown 125L · 2.9 KB
├─ 📝 scraping.md Markdown 139L · 3.9 KB
├─ 📝 selectors.md Markdown 84L · 2.3 KB
├─ 📝 setup.md Markdown 196L · 6.2 KB
├─ 📝 SKILL.md Markdown 267L · 10.1 KB
├─ 📝 testing.md Markdown 148L · 4.4 KB
├─ 🔧 upgrade_to_1.0.7.sh Shell 235L · 7.7 KB
├─ 📝 UPGRADE-1.0.7.md Markdown 265L · 6.8 KB
└─ 📝 UPGRADE.md Markdown 265L · 6.8 KB

Dependencies 1 item

Package Version Source Known Vulns Notes
websocket-client unpinned pip No Used for Telegram WebSocket integration; no version constraint specified

Security Positives

✓ No base64-encoded or obfuscated code anywhere in the codebase
✓ No reverse shell, C2, or remote code execution mechanisms
✓ No credential harvesting or exfiltration - only legitimate third-party API calls (Tavily search, ElevenLabs STT, Discord API, Telegram WebSocket)
✓ No access to ~/.ssh, ~/.aws, or other sensitive credential paths
✓ No curl|bash or wget|sh remote script execution patterns
✓ All network calls go to known, legitimate third-party services over HTTPS
✓ subprocess usage is limited to local CLI tools (openclaw, clawdbot) which are part of the OpenClaw toolchain
✓ API keys read from environment variables only, not harvested from files or sent to third parties
✓ Backup operations in upgrade scripts before destructive changes
✓ Git-based audit trail via init_memory.sh