openclaw-security-auditor 安全扫描报告 — 可疑 | ClawSafe

40 /100

openclaw-security-auditor

OpenClaw Security Auditor (OSA) - Comprehensive security auditing tool for OpenClaw deployments

OpenClaw security auditing tool with documented mismatch: SKILL.md claims read-only operation but config_fixer.py has write capabilities to modify system configs. No malicious behavior detected, but undeclared modification capability violates transparency principle.

技能名称openclaw-security-auditor

分析耗时53.7s

引擎pi

⚠

谨慎使用

Add explicit filesystem:WRITE declaration to SKILL.md if config modification is intended. Consider documenting which configuration paths can be modified and under what conditions. Add warning about automated changes vs manual approval.

安全发现 3 项

严重性	安全发现	位置
中危	Undeclared filesystem write capability 文档欺骗 SKILL.md states the skill is 'safe and non-destructive - it only reads configuration files' but config_fixer.py contains code to write modified configurations. This is a documentation mismatch where the code behavior is more powerful than documented. `with open(config_path, 'w', encoding='utf-8') as f: json.dump(config, f, indent=2, ensure_ascii=False)` → Update SKILL.md to explicitly declare filesystem:WRITE capability for config modification. Document which configuration paths can be modified and the safety mechanisms in place.	`scripts/config_fixer.py:52`
低危	Misleading 'never makes automatic changes' claim 文档欺骗 SKILL.md states 'never makes automatic changes without explicit user approval' but the skill includes scripts for automated remediation and fix application. While CLI usage requires arguments, the capability exists. `The skill is designed to be safe and non-destructive - it only reads configuration files and provides recommendations, never makes automatic changes without explicit user approval.` → Clarify documentation: if automated fixes can be applied through scripts, state the conditions and safeguards. If truly manual-only, remove automated remediation script references.	`SKILL.md:85`
低危	Access to OpenClaw configuration directory 敏感访问 Skill reads and potentially modifies ~/.openclaw/ configuration directory. This contains security-sensitive settings including tokens and authentication configuration. `config_path = Path.home() / ".openclaw" / "openclaw.json"` → This is legitimate for a security auditing tool. Ensure backup procedures (implemented in config_fixer.py) are always invoked before any modifications.	`scripts/security_scanner.py:25`

资源类型	声明权限	推断权限	状态	证据
文件系统	`READ`	`WRITE`	✗ 越权	scripts/config_fixer.py:52 - json.dump(config, f)

2 项发现

🔗

中危外部 URL 外部 URL

https://docs.openclaw.ai/security

scripts/report_generator.py:143

🔗

中危外部 URL 外部 URL

https://docs.openclaw.ai/best-practices

scripts/report_generator.py:145

目录结构

7 文件 · 40.0 KB · 1218 行

Python 4f · 688L Markdown 3f · 530L

├─ ▾ 📁 references

│ ├─ 📝 config-guide.md Markdown 181L · 5.5 KB

│ └─ 📝 security-modes.md Markdown 142L · 3.6 KB

├─ ▾ 📁 scripts

│ ├─ 🐍 config_fixer.py Python 157L · 5.1 KB

│ ├─ 🐍 report_generator.py Python 310L · 11.2 KB

│ └─ 🐍 security_scanner.py Python 176L · 6.1 KB

├─ 📝 SKILL.md Markdown 207L · 7.2 KB

└─ 🐍 test_skill.py Python 45L · 1.4 KB

依赖分析 1 项

包名	版本	来源	已知漏洞	备注
`osa`	`unknown`	external import	否	Imported as 'openclaw-security-auditor' package - not locally defined, external dependency

安全亮点

✓ No credential harvesting - skill audits config but does not extract secrets

✓ No data exfiltration - no external data transmission observed

✓ No obfuscation - all code is readable plaintext Python

✓ No base64-encoded payloads or eval() calls

✓ No suspicious network connections (external URLs only in generated report text, not executed)

✓ No ~/.ssh, ~/.aws, or .env file access attempts

✓ Backup mechanism implemented before config modification (config_fixer.py:17)

✓ Supports dry-run mode for config_fixer (--dry-run argument)