hawk-bridge 安全扫描报告 — 低风险 | ClawSafe

10 /100

hawk-bridge

OpenClaw Hook Bridge + context-hawk Python Memory Engine. Auto-capture memories on every reply, auto-inject relevant memories before each response.

hawk-bridge is a legitimate memory management plugin for OpenClaw AI agents with well-documented subprocess usage for LLM-based memory extraction, comprehensive sensitive data sanitization before storage, and no malicious behavior detected.

技能名称hawk-bridge

分析耗时65.9s

引擎pi

✓

可以安装

Approve for use. The skill's shell command usage (install.sh) and Python subprocess spawning (hawk-capture) are both explicitly declared and functionally necessary for its memory extraction architecture.

安全发现 2 项

严重性	安全发现	位置
低危	Unpinned dependency versions 供应链 package.json uses loose versioning (^0.26.2, ^6.21.0) without a lock file. pip install uses no version constraints. `"@lancedb/lancedb": "^0.26.2"` → Add package-lock.json and use `pip install lancedb==0.26.2 openai==6.21.0 rank-bm25==1.2.0` for reproducible builds	`package.json:12`
提示	IOC flags are documentation artifacts, not executable threats 文档欺骗 The pre-scan flagged 'curl \| bash' in README.de.md (line 413) and 'curl -fsSL https://ollama.com/install.sh \| sh' (line 154) as dangerous shell commands, and 'rm -rf ~' (SKILL.md line 275). All three are documented installation patterns, not active threats: (1) README describes install.sh as 'Ein-Befehl-Installationsprogramm (curl \| bash)' - a descriptor, not a command execution; (2) Ollama install is explicitly labeled OPTIONAL in install.sh; (3) SKILL.md line 275 shows 'rm -rf ~/.openclaw/hawk ~/.hawk' which targets the app's data directory, not root home. `curl -fsSL https://ollama.com/install.sh \| sh # optional` → No action needed - these are legitimate installation documentation	`README.de.md, SKILL.md:154`

资源类型	声明权限	推断权限	状态	证据
文件系统	`WRITE`	`WRITE`	✓ 一致	Stores memories to ~/.hawk/lancedb/; declared in SKILL.md architecture
网络访问	`READ`	`READ`	✓ 一致	Makes API calls to embedding/LLM providers (Jina, Qianwen, Groq, Ollama)
命令执行	`WRITE`	`WRITE`	✓ 一致	install.sh runs npm/pip; hawk-capture spawns Python subprocess - both declared
环境变量	`READ`	`READ`	✓ 一致	Reads MINIMAX_API_KEY, OPENAI_API_KEY, OLLAMA_BASE_URL for configuration

3 严重 26 项发现

💀

严重危险命令危险 Shell 命令

curl -fsSL https://ollama.com/install.sh | sh

README.de.md:154

💀

严重危险命令危险 Shell 命令

curl | bash

README.de.md:413

💀

严重危险命令危险 Shell 命令

rm -rf ~

SKILL.md:275

🔗

中危外部 URL 外部 URL

https://img.shields.io/badge/License-MIT-green.svg

README.de.md:7

🔗

中危外部 URL 外部 URL

https://img.shields.io/badge/OpenClaw-2026.3%2B-brightgreen

README.de.md:8

🔗

中危外部 URL 外部 URL

https://img.shields.io/badge/Node.js-%3E%3D18-brightgreen

README.de.md:9

🔗

中危外部 URL 外部 URL

https://nodejs.org

README.de.md:9

🔗

中危外部 URL 外部 URL

https://img.shields.io/badge/Python-3.12%2B-blue

README.de.md:10

🔗

中危外部 URL 外部 URL

https://python.org

README.de.md:10

🔗

中危外部 URL 外部 URL

https://ollama.com/install.sh

README.de.md:154

🔗

中危外部 URL 外部 URL

https://jina.ai/

README.de.md:353

🔗

中危外部 URL 外部 URL

https://jina.ai/settings/

README.de.md:354

🔗

中危外部 URL 外部 URL

https://dashscope.console.aliyun.com/

README.md:511

🔗

中危外部 URL 外部 URL

https://dashscope.console.aliyun.com/apiKey

README.md:513

🔗

中危外部 URL 外部 URL

http://192.168.1.109:10808

README.md:527

🔗

中危外部 URL 外部 URL

https://dashscope.aliyuncs.com/api/v1

README.md:536

🔗

中危外部 URL 外部 URL

https://dashscope.console.aliyun.com/（可用阿里云账号）

README.zh-CN.md:487

🔗

中危外部 URL 外部 URL

https://jina.ai/（支持

README.zh-CN.md:499

🔗

中危外部 URL 外部 URL

https://jina.ai/（支援

README.zh-TW.md:354

🔗

中危外部 URL 外部 URL

https://api.minimaxi.com/v1

config.example.json:10

🔗

中危外部 URL 外部 URL

https://api.minimaxi.com/anthropic

config.example.json:16

🔗

中危外部 URL 外部 URL

https://deb.nodesource.com/setup_20.x

install.sh:144

🔗

中危外部 URL 外部 URL

https://api.jina.ai/v1/embeddings

src/embeddings.ts:125

🔗

中危外部 URL 外部 URL

https://api.cohere.ai/v1/embed

src/embeddings.ts:141

🔗

中危外部 URL 外部 URL

https://api.jina.ai/v1/rerank

src/retriever.ts:168

📧

提示邮箱邮箱地址

[email protected]

README.de.md:147

目录结构

31 文件 · 310.9 KB · 8622 行

Markdown 14f · 5914L TypeScript 10f · 1967L Shell 1f · 351L JSON 5f · 347L Python 1f · 43L

├─ ▾ 📁 python

│ └─ ▾ 📁 hawk_memory

│ └─ 🐍 __init__.py Python 43L · 1.7 KB

├─ ▾ 📁 src

│ ├─ ▾ 📁 hooks

│ │ ├─ ▾ 📁 hawk-capture

│ │ │ ├─ 📜 handler.ts TypeScript 495L · 17.1 KB

│ │ │ └─ 📝 HOOK.md Markdown 11L · 311 B

│ │ └─ ▾ 📁 hawk-recall

│ │ ├─ 📜 handler.ts TypeScript 140L · 4.9 KB

│ │ └─ 📝 HOOK.md Markdown 11L · 359 B

│ ├─ 📜 config.ts TypeScript 157L · 4.9 KB

│ ├─ 📜 constants.ts TypeScript 135L · 6.1 KB

│ ├─ 📜 embeddings.ts TypeScript 191L · 6.8 KB

│ ├─ 📜 index.ts TypeScript 20L · 679 B

│ ├─ 📜 lancedb.ts TypeScript 271L · 8.0 KB

│ ├─ 📜 retriever.ts TypeScript 334L · 11.0 KB

│ ├─ 📜 seed.ts TypeScript 153L · 5.3 KB

│ └─ 📜 types.ts TypeScript 71L · 1.6 KB

├─ 📋 config.example.json JSON 36L · 866 B

├─ 🔧 install.sh Shell 351L · 10.5 KB

├─ 📋 manifest.json JSON 96L · 3.6 KB

├─ 📋 openclaw.plugin.json JSON 169L · 4.5 KB

├─ 📋 package.json JSON 31L · 1.7 KB

├─ 📝 README.de.md Markdown 466L · 17.5 KB

├─ 📝 README.es.md Markdown 481L · 18.0 KB

├─ 📝 README.fr.md Markdown 481L · 18.1 KB

├─ 📝 README.it.md Markdown 466L · 17.3 KB

├─ 📝 README.ja.md Markdown 480L · 19.5 KB

├─ 📝 README.ko.md Markdown 481L · 18.1 KB

├─ 📝 README.md Markdown 652L · 23.2 KB

├─ 📝 README.pt-BR.md Markdown 466L · 17.3 KB

├─ 📝 README.ru.md Markdown 466L · 20.9 KB

├─ 📝 README.zh-CN.md Markdown 640L · 23.2 KB

├─ 📝 README.zh-TW.md Markdown 480L · 17.1 KB

├─ 📝 SKILL.md Markdown 333L · 10.2 KB

└─ 📋 tsconfig.json JSON 15L · 348 B

依赖分析 5 项

包名	版本	来源	已知漏洞	备注
`@lancedb/lancedb`	`^0.26.2`	npm	否	Version not pinned with lock file
`openai`	`^6.21.0`	npm	否	Version not pinned with lock file
`lancedb`	`*`	pip	否	No version constraint
`openai`	`*`	pip	否	No version constraint
`rank-bm25`	`*`	pip	否	No version constraint

安全亮点

✓ Comprehensive sensitive data sanitization before storage: API keys, AWS keys, GitHub tokens, phone numbers, emails, national IDs, and credit cards are redacted before memories are stored

✓ Harmful content filtering: CSAM, hacking, fraud, and violence patterns are rejected at capture time

✓ Audit logging: All capture/skip/reject/recall events logged to ~/.hawk/audit.log

✓ No external data exfiltration: All network calls are to declared embedding/LLM provider APIs

✓ Python subprocess timeout: 30-second SIGTERM timeout prevents runaway processes

✓ No hidden functionality: The 28-step text normalization pipeline is fully visible in handler.ts

✓ Deduplication: Char-based similarity check prevents near-duplicate memories

✓ TTL-based expiry: Memories auto-expire after 30 days, reducing long-term data exposure