Low Risk — Risk Score 20/100
Last scan: 19 hr ago
chatclaw
Connect your OpenClaw bot to the ChatClaw cloud dashboard for real-time remote chat, token tracking, and task management
ChatClaw is a legitimate message relay skill that connects local OpenClaw agents to a cloud dashboard via WebSocket tunnels. No malicious behavior detected; all declared capabilities match implementation.
Skill Name: chatclaw
Duration: 44.5s
Engine: pi
Safe to install
Approve for use. Consider pinning dependency versions in requirements.txt to reduce supply chain risk.

Findings (1 item)

Severity | Finding | Location
Low | Dependencies not version-pinned | Supply Chain (requirements.txt:1)

requirements.txt specifies dependencies with minimum version constraints only (>=) without upper bounds or exact versions. This allows installing potentially incompatible or compromised future versions.

    websockets>=12.0
    cryptography>=41.0
    aiohttp>=3.9

→ Pin exact versions or use acceptable range constraints (e.g., 'websockets>=12.0,<13.0') to reduce supply chain risk.
Resource | Declared | Inferred | Status | Evidence
Filesystem | WRITE | WRITE | ✓ Aligned | main.py:52-80 - reads/writes openclaw.json; gateway_client.py:45-68 - reads iden…
Network | READ | READ | ✓ Aligned | relay_client.py:30 - connects to wss://api.sumeralabs.com; gateway_client.py:170…
Shell | NONE | NONE | - | No subprocess, os.system, or shell command execution found
Environment | READ | READ | ✓ Aligned | gateway_client.py:23-29 - reads OPENCLAW_DATA_DIR only; main.py:65-66 - reads CH…
Skill Invoke | NONE | NONE | - | No skill invocation or LLM prompt manipulation detected
Clipboard | NONE | NONE | - | No clipboard access found
Browser | NONE | NONE | - | No browser automation found
Database | NONE | NONE | - | No database access found
4 findings

Severity | Finding | URL | Location
Medium | External URL | https://app.chatclaw.com | README.md:9
Medium | External URL | https://opensource.org/licenses/MIT-0 | README.md:89
Medium | External URL | https://chatclaw.com | SKILL.md:6
Medium | External URL | https://app.chatclaw.com/setup | SKILL.md:89

File Tree

6 files · 37.9 KB · 975 lines
Python: 3 files, 707 lines · Markdown: 2 files, 266 lines · Text: 1 file, 2 lines
├─ gateway_client.py (Python, 322 lines, 12.7 KB)
├─ main.py (Python, 300 lines, 11.5 KB)
├─ README.md (Markdown, 89 lines, 2.6 KB)
├─ relay_client.py (Python, 85 lines, 3.2 KB)
├─ requirements.txt (Text, 2 lines, 48 B)
└─ SKILL.md (Markdown, 177 lines, 7.8 KB)

Dependencies (3 items)

Package | Version | Source | Known Vulns | Notes
websockets | >=12.0 | pip | No | Version not pinned - allows any 12.x+ version
cryptography | >=41.0 | pip | No | Version not pinned - allows any 41.x+ version
aiohttp | >=3.9 | pip | No | Version not pinned - allows any 3.9+ version

Security Positives

✓ Comprehensive SKILL.md documentation with explicit transparency notes about cloud infrastructure operators
✓ All file access scoped to $OPENCLAW_DATA_DIR with declared purpose (identity files, config, sessions)
✓ No shell execution or subprocess usage - pure asyncio/websocket architecture
✓ No credential exfiltration - API key used only for authentication to declared cloud relay
✓ No obfuscation or anti-analysis techniques detected
✓ Clean code with proper error handling and atomic file writes
✓ Sensitive files (~/.ssh, ~/.aws, .env) never accessed
✓ Ed25519 cryptography for authentication - modern and secure
✓ Auto-revert mechanism for config patches on skill disable
✓ Exponential backoff reconnection with 60s cap