OCAX Passport
AdvisoryAudited by Static analysis on Apr 30, 2026.
Overview
No suspicious patterns detected.
Findings (0)
Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.
Hardware and node identity details may be reused in later skill responses during the same running session.
The skill keeps a generated passport object in process memory for reuse, which can include node name, owner name, and local hardware profile data.
# 全局 passport 实例
_passport = None
...
if _passport is None:
_passport = generate_passport(node_name, owner)
return _passportUse non-sensitive node and owner names, and review the passport output before sharing it outside the local conversation.
If enabled, the skill may continue periodically refreshing local node information while the process is running.
The documentation includes an optional periodic auto-update call, indicating the skill can refresh node data on a schedule when enabled.
# 启用自动更新 passport.enable_auto_update(86400) # 24小时
Enable auto-update only when periodic refresh is desired, and stop or restart the process if you no longer want it active.
A future install could pull a different psutil release than the one originally tested by the skill author.
The dependency is declared with a lower-bound version rather than a pinned exact version, so future installs may resolve to newer package versions.
psutil>=5.9.0
Install from trusted package indexes and consider pinning dependency versions in controlled environments.