Suspicious: risk score 45/100
Last scanned: 1 day ago
clawclone
Backup, clone, and migrate OpenClaw data across instances with cloud upload/download
ClawClone skill documents backup of API keys and tokens with cloud upload capability, but the implementation file (clawclone.mjs) is missing, making it impossible to verify actual behavior.
Skill name: clawclone
Analysis time: 32.2s
Engine: pi
Use with caution
Do not use until implementation files are provided and reviewed. The documented ability to backup credentials to an external cloud service raises significant data exfiltration concerns.

Security findings: 4

Severity / Finding / Location
High
Missing implementation file (Documentation deception)
SKILL.md references 'clawclone.mjs' for all operations, but this file does not exist in the skill directory. Unable to verify actual functionality.
node clawclone.mjs push --name...
→ Request implementation files before using this skill. Cannot verify stated functionality without code.
SKILL.md:1
High
Documented credential backup capability (Credential theft)
SKILL.md explicitly states 'Config: Optional: API keys and tokens (if configured)' can be included in backups and uploaded to cloud.
| Config | Optional: API keys and tokens (if configured) |
→ Remove credential backup capability or provide verifiable safeguards. Users should never backup credentials automatically.
SKILL.md:23
Medium
Undeclared shell execution (Documentation deception)
SKILL.md documents node command execution but shell:WRITE permission is not declared in the metadata.
requires: bins: ['node', 'tar', 'npm']
→ Declare shell:WRITE permission if subprocess execution is required.
SKILL.md:6
Low
Hardcoded API key placeholder (Sensitive access)
SKILL.md contains example with hardcoded API key placeholder at line 209.
export CLAWCLONE_API_KEY='your_clawclone_api_key'
→ Use placeholder text like <YOUR_API_KEY> instead of 'your_clawclone_api_key' to avoid accidental credential exposure.
SKILL.md:209
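| Resource type | Declared permission | Inferred permission | Status | Evidence |
|---|---|---|---|---|
| File system | WRITE | WRITE | ✓ Consistent | SKILL.md:8 'write: ~/.openclaw/' |
| Network access | READ | WRITE | ✗ Exceeds declared | SKILL.md:9 'network: https' but upload operations implied |
| Command execution | NONE | WRITE | ✗ Exceeds declared | SKILL.md documents node clawclone.mjs execution |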
1 high severity, 3 findings
High: API key (suspected hardcoded credential)
API_KEY="your_clawclone_api_key"
SKILL.md:209
Medium: External URL
https://clawclone.cc
SKILL.md:3
Medium: External URL
https://clawclone.cc/dashboard/settings
SKILL.md:49

Directory structure

2 files · 5.7 KB · 231 lines
Markdown 1f · 220L JSON 1f · 11L
├─ 📋 package.json JSON 11L · 293 B
└─ 📝 SKILL.md Markdown 220L · 5.4 KB

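Dependency analysis: 1 item

| Package | Version | Source | Known vulnerabilities | Notes |
|---|---|---|---|---|
| node | >=16.0.0 | system | | System dependency, not a package manager dependency |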

Security highlights

✓ SKILL.md is well-structured and documents functionality clearly
✓ Test mode (--test flag) available for safe preview before operations
✓ Local operations don't require API key - cloud features are optional
✓ Pre-restore backups created automatically at ~/.openclaw/backup