OpenClaw Vulnerability Checker
Security checks across static analysis, malware telemetry, and agentic risk
Overview
The skill appears to be a legitimate OpenClaw security-audit helper, but users should review its local system checks, optional GitHub token request, and remediation commands before use.
Before installing, confirm you are comfortable with the agent running local OpenClaw, network, process, and firewall checks. Do not provide a broad GitHub token unless necessary; use least-privilege credentials. Treat the bundled vulnerability database as a template and approve any configuration or update commands before they run.
Static analysis
No static analysis findings were reported for this release.
VirusTotal
VirusTotal findings are pending for this skill version.
Risk analysis
Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.
If run, the skill may reveal local network/process/firewall details and, for remediation, can change how OpenClaw is exposed on the network.
The workflow includes local system inspection and examples that can change OpenClaw gateway configuration. These actions fit the public-access audit purpose, but they should remain user-approved.
Run `lsof -i :3001` or `netstat -an | grep 3001` ... `ps aux | grep -E "tailscale|ngrok|frp"` ... `openclaw gateway config.patch --path gateway.bind --value 127.0.0.1`
Run read-only checks first, review outputs, and require explicit approval before applying `config.patch`, update, firewall, or tunnel-removal commands.
Providing a broad GitHub token could expose access to repositories beyond what is needed for a vulnerability check.
The skill discloses optional use of a GitHub Personal Access Token, but repo-scoped tokens can carry broad account or repository authority.
GitHub Security Advisories (if the user provides a GitHub token) ... Requires: GitHub Personal Access Token (with repo permission)
Prefer public advisory sources when possible, or use a fine-grained read-only token limited to the specific repository/security-advisory access needed; avoid pasting broad PATs into chat.
Manual dependency installation could pull whatever package versions are current in the user's environment.
The helper script documents a manual, unpinned package install while the supplied install spec does not provide a managed or pinned dependency path.
Dependencies: pip install requests beautifulsoup4
Install dependencies from trusted package sources and prefer pinned, reviewed versions if using the helper scripts.
Reports based on placeholder entries could create false alarms or false confidence if not checked against real advisories.
The included local vulnerability database is mostly placeholder/template content, so it should not be treated as authoritative vulnerability evidence.
### Template to be filled in ... CVE-2025-XXXXX ... Actual vulnerability data to be added
Verify any vulnerability result against official GitHub, NVD, CNNVD, or vendor advisories, and ignore template CVE placeholders as findings.
