Trusted — risk score 5/100
Last scanned: 2 days ago
openclaw-workflow
OC-Flow: Deterministic workflow engine for OpenClaw via YAML playbooks — conditionals, loops, scripts, LLM/Agent/Skill calls, subagents, HTTP, messaging.
OpenClaw Workflow is a legitimate deterministic YAML workflow engine for OpenClaw with no malicious behavior. All capabilities are declared or are obvious features of a workflow automation tool. Minor documentation gap on filesystem:WRITE but does not constitute a security risk.
Skill name: openclaw-workflow
Analysis time: 71.5s
Engine: pi
Safe to install
No action required. This is a genuine OpenClaw skill. Monitor for any suspicious workflow YAML files that may be shared/mounted into the engine.

Security findings: 5

Severity | Finding | Location
Low
Undeclared filesystem WRITE permission
The script node writes inline Python code to temp files before executing it. SKILL.md declares 'script' node but does not explicitly state filesystem WRITE capability. The filesystem:WRITE permission is not declared in allowed-tools mapping.
with tempfile.NamedTemporaryFile(mode='w', suffix='.py', delete=False) as f:
    f.write(ctx.resolve(inline))
    tmp_path = f.name
→ Add filesystem:WRITE to allowed-tools mapping in SKILL.md metadata if the skill's declared permissions are meant to be explicit.
scripts/engine/nodes.py:43
Info
Arbitrary shell command execution in script node
The script node uses subprocess.run(shell=True) with user-supplied commands. This is expected for a workflow automation tool and is implied by the 'script' node documentation in SKILL.md.
result = subprocess.run(command, shell=True, capture_output=True, text=True, timeout=timeout, cwd=cwd, env={**os.environ, **{k: str(v) for k, v in (step.get('env') or {}).items()}})
→ No action needed — this is the declared functionality of the script node.
scripts/engine/nodes.py:56
Info
CLI-based Gateway RPC
The GatewayBridge uses subprocess to call 'openclaw gateway call' CLI commands. This is the intended integration mechanism with OpenClaw, not a covert channel.
subprocess.run(['openclaw', 'gateway', 'call', method, '--json', ...])
→ No action needed — this is the documented OpenClaw integration mechanism.
scripts/engine/bridge.py:205
Info
Sandbox restricts dangerous builtins
The code node sandbox properly excludes dangerous builtins like os.system, subprocess, eval, exec, and __import__. Allowed modules are whitelisted. This is well-designed security for a code execution feature.
SAFE_BUILTINS = {...} (no os.system, subprocess, eval, exec, __import__)
→ No action needed — sandbox is well-designed.
scripts/engine/sandbox.py:15
Info
Requirements pinned with lower bounds
requirements.txt specifies 'pyyaml>=6.0' and 'streamlit>=1.30.0'. These are acceptable with lower-bound pinning for a skill package.
pyyaml>=6.0
streamlit>=1.30.0
→ Consider exact pinning for production, but lower-bound is acceptable for skill packages.
scripts/requirements.txt:1
Resource type | Declared permission | Inferred permission | Status | Evidence
Filesystem | NONE | WRITE | ✓ Consistent | scripts/engine/nodes.py:run_script (tempfile.NamedTemporaryFile)
Command execution | NONE | WRITE | ✓ Consistent | scripts/engine/nodes.py:run_script — subprocess.run with user command, implied b…
Network access | NONE | READ | ✓ Consistent | scripts/engine/nodes.py:run_http — urllib HTTP requests; SKILL.md declares 'http…
Environment variables | NONE | READ | ✓ Consistent | scripts/engine/context.py:_resolve_path — env.VAR access; SKILL.md documents {{e…
Skill invocation | NONE | WRITE | ✓ Consistent | scripts/engine/nodes.py:run_skill — Gateway bridge calls OpenClaw skills; SKILL.…
Clipboard | NONE | NONE | N/A
Browser | NONE | NONE | N/A
Database | NONE | NONE | N/A
6 findings
Medium | External URL | https://api.example.com/data | SKILL.md:91
Medium | External URL | https://api.example.com/v1/report | SKILL.md:528
Medium | External URL | https://httpbin.org/get | references/examples/comprehensive_test.yaml:183
Medium | External URL | https://httpbin.org/post | references/examples/comprehensive_test.yaml:202
Medium | External URL | https://official-joke-api.appspot.com/random_joke | references/examples/http_pipeline.yaml:17
Medium | External URL | https://httpbin.org/ip | references/examples/http_pipeline.yaml:42

Directory structure

21 files · 223.6 KB · 6276 lines
Python 9f · 4505L Markdown 4f · 923L YAML 7f · 846L Text 1f · 2L
├─ 📁 references
│ ├─ 📁 examples
│ │ ├─ 📋 basic_test.yaml YAML 102L · 2.4 KB
│ │ ├─ 📋 comprehensive_test.yaml YAML 410L · 13.9 KB
│ │ ├─ 📋 deep_integration.yaml YAML 31L · 1.1 KB
│ │ ├─ 📋 error_handling.yaml YAML 56L · 1.2 KB
│ │ ├─ 📋 http_pipeline.yaml YAML 54L · 1.4 KB
│ │ ├─ 📋 openclaw_integration.yaml YAML 54L · 1.5 KB
│ │ └─ 📋 subagent_test.yaml YAML 139L · 5.1 KB
│ └─ 📝 readme.md Markdown 111L · 4.1 KB
├─ 📁 scripts
│ ├─ 📁 engine
│ │ ├─ 🐍 __init__.py Python 5L · 107 B
│ │ ├─ 🐍 bridge.py Python 1133L · 44.8 KB
│ │ ├─ 🐍 context.py Python 233L · 8.4 KB
│ │ ├─ 🐍 engine.py Python 859L · 32.8 KB
│ │ ├─ 🐍 nodes.py Python 1269L · 48.6 KB
│ │ ├─ 🐍 sandbox.py Python 138L · 4.4 KB
│ │ └─ 🐍 schema.py Python 176L · 6.0 KB
│ ├─ 🐍 dashboard.py Python 495L · 17.9 KB
│ ├─ 🐍 openclaw_workflow.py Python 197L · 6.1 KB
│ └─ 📄 requirements.txt Text 2L · 30 B
├─ 📝 README_ZH.md Markdown 48L · 1.2 KB
├─ 📝 README.md Markdown 48L · 1.3 KB
└─ 📝 SKILL.md Markdown 716L · 21.4 KB

Dependency analysis: 2 items

Package | Version | Source | Known vulnerabilities | Notes
pyyaml | >=6.0 | pip | | Lower-bound pinning, acceptable for skill package
streamlit | >=1.30.0 | pip | | Lower-bound pinning, dashboard only

Security highlights

✓ No base64-encoded payloads piped into bash
✓ No direct IP network requests to external servers
✓ No eval(), atob(), or dynamic code execution on untrusted input
✓ No access to ~/.ssh, ~/.aws, .env, or other sensitive credential paths
✓ No curl|bash or wget|sh remote script execution
✓ No credential harvesting or data exfiltration
✓ No hidden functionality — all features are present in SKILL.md (script node implies shell access)
✓ Sandbox properly excludes dangerous builtins (os.system, subprocess, eval, exec, __import__)
✓ Module imports in sandbox are whitelisted
✓ Session cleanup in finally block prevents resource leaks
✓ Clean architecture: Gateway RPC for AI calls, local subprocess for CLI tools
✓ Requirements use version pinning with lower bounds