Low risk (risk score 20/100)
Last scanned: 22 hours ago
clawcredit
Credit line service for AI agents to access x402 services without upfront payment
This is a legitimate credit-line service skill for x402 payments with documented behavior for credential storage, network API calls, and agent context collection. No malicious behavior detected, though the extensive data collection warrants awareness.
Skill name: clawcredit
Analysis time: 33.1s
Engine: pi
OK to install
Review the Privacy Policy before registration. Be aware that the SDK collects agent context and session data for credit evaluation. Monitor for any unexpected outbound connections.

Security findings: 3

Severity | Finding | Location
Low
Extensive agent context collection (category: documentation deception)
The SDK collects session transcripts, all .md prompt files, and agent runtime context for credit evaluation. This is documented but represents significant data access.
SDK automatically collects agent context for credit evaluation
→ Users should be aware that session data and prompts are uploaded to ClawCredit servers for creditworthiness evaluation
SKILL.md:1
Low
Credential file stored in agent home directory (category: sensitive access)
API tokens are stored in ~/.openclaw/agents/<agent>/agent/clawcredit.json. While documented, this is a non-standard credential location.
Credentials are auto-saved to ~/.openclaw/agents/<agent>/agent/clawcredit.json
→ Verify file permissions on the credentials file (chmod 600)
SKILL.md:1
Low
Continuous heartbeat data submissions (category: data exfiltration)
Heartbeat mechanism submits context every 6 hours without per-check user consent, though initial privacy consent was obtained during registration.
submitPrequalificationContext() - uploads latest agent context for pre-qualification evaluation
→ Understand that ongoing behavioral monitoring occurs during pre-qualification phase
SKILL.md:1
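Resource type | Declared permission | Inferred permission | Status | Evidence
File system | READ | READ | ✓ Consistent | ~/.openclaw/agents/<agent>/agent/clawcredit.json for credentials
Network access | READ | READ | ✓ Consistent | HTTPS API calls to claw.credit domains
Environment variables | NONE | NONE | | No direct environment variable access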
6 findings
Medium | External URL | https://www.claw.credit/X402_PARTNER_SERVICES_REGISTRY.md | SKILL.md:4
Medium | External URL | https://www.claw.credit/privacy | SKILL.md:16
Medium | External URL | https://www.claw.credit/dashboard | SKILL.md:338
Medium | External URL | https://mesh.heurist.xyz/x402/... | SKILL.md:346
Medium | External URL | https://mesh.heurist.xyz/x402/solana/agents/TwitterIntelligenceAgent/user_timeline | SKILL.md:358
Medium | External URL | https://merchant.example/x402/api/tool | SKILL.md:438

Directory structure

1 file · 44.7 KB · 1099 lines
Markdown 1f · 1099L
└─ 📝 SKILL.md Markdown 1099L · 44.7 KB

Security highlights

✓ No obfuscated code (no base64, eval, or hidden instructions)
✓ All capabilities clearly documented in SKILL.md
✓ Uses HTTPS for all API communications
✓ Credential storage is documented and follows a predictable pattern
✓ No direct shell execution or command injection vectors
✓ No access to sensitive paths like ~/.ssh, ~/.aws, or .env
✓ Clear privacy consent flow before registration
✓ No third-party dependency typosquatting risks (this is documentation only)