Security Decision Report

openclaw-security-auditor

OpenClaw security auditing tool with documented mismatch: SKILL.md claims read-only operation but config_fixer.py has write capabilities to modify system configs. No malicious behavior detected, but undeclared modification capability violates transparency principle.

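Install decision first Source: manual upload Scan time: 2026/4/4
Files 7
IOC 2
Overreach items 1
Findings 3
Most direct threat evidence

Why this conclusion was reached

1 of 4 dimensions triggered
Block
Declared vs. actual capabilities

Found 1 capability or overreach behavior beyond what is declared.

Review
Hidden execution and outbound connections

Extracted 2 general-risk artifacts; they need to be judged in context.

Pass
Attack chain and high-severity findings

No clear malicious path was formed.

Pass
Dependency and supply-chain hygiene

A dependency structure exists, but no obvious high-severity alerts have been seen so far.

How the risk score was raised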

Undeclared filesystem write access +20

SKILL.md states skill is 'safe and non-destructive' and 'only reads configuration files' but config_fixer.py writes modified configs

Documentation framing mismatch +10

SKILL.md says 'never makes automatic changes without explicit user approval' but automated remediation section exists

Missing security boundary declarations +10

No documentation of what paths can be modified or what protections prevent unintended changes

Key evidence

Medium Documentation deception

Undeclared filesystem write capability

SKILL.md states the skill is 'safe and non-destructive - it only reads configuration files' but config_fixer.py contains code to write modified configurations. This is a documentation mismatch where the code behavior is more powerful than documented.

scripts/config_fixer.py:52
Update SKILL.md to explicitly declare filesystem:WRITE capability for config modification. Document which configuration paths can be modified and the safety mechanisms in place.
Low Documentation deception

Misleading 'never makes automatic changes' claim

SKILL.md states 'never makes automatic changes without explicit user approval' but the skill includes scripts for automated remediation and fix application. While CLI usage requires arguments, the capability exists.

SKILL.md:85
Clarify documentation: if automated fixes can be applied through scripts, state the conditions and safeguards. If truly manual-only, remove automated remediation script references.
Low Sensitive access

Access to OpenClaw configuration directory

Skill reads and potentially modifies ~/.openclaw/ configuration directory. This contains security-sensitive settings including tokens and authentication configuration.

scripts/security_scanner.py:25
This is legitimate for a security auditing tool. Ensure backup procedures (implemented in config_fixer.py) are always invoked before any modifications.

Declared vs. actual capabilities

Filesystem Block
Declared READ
Inferred WRITE
scripts/config_fixer.py:52 - json.dump(config, f)

Suspicious artifacts and outbound connections

Medium External URL
https://docs.openclaw.ai/security

scripts/report_generator.py:143

Medium External URL
https://docs.openclaw.ai/best-practices

scripts/report_generator.py:145

Dependencies and supply chain

Package | Version | Source | Vulnerabilities | Notes
osa | unknown | external import | | Imported as 'openclaw-security-auditor' package - not locally defined, external dependency

File composition

7 files · 1218 lines
Python 4 files · 688 lines
Markdown 3 files · 530 lines
Files needing attention · 4
scripts/report_generator.py Python · 310 lines
https://docs.openclaw.ai/security · https://docs.openclaw.ai/best-practices
SKILL.md Markdown · 207 lines
Misleading 'never makes automatic changes' claim
scripts/security_scanner.py Python · 176 lines
Access to OpenClaw configuration directory
scripts/config_fixer.py Python · 157 lines
Undeclared filesystem write capability
Other files · config-guide.md · security-modes.md · test_skill.py

Security highlights

No credential harvesting - skill audits config but does not extract secrets
No data exfiltration - no external data transmission observed
No obfuscation - all code is readable plaintext Python
No base64-encoded payloads or eval() calls
No suspicious network connections (external URLs only in generated report text, not executed)
No ~/.ssh, ~/.aws, or .env file access attempts
Backup mechanism implemented before config modification (config_fixer.py:17)
Supports dry-run mode for config_fixer (--dry-run argument)