sec-audit

v1.0.0

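Performs a read-only security audit of an OpenClaw deployment, detecting known risks and vulnerabilities such as environment leaks, authentication configuration issues, and malicious Skills.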

License: MIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
VirusTotal: Benign
OpenClaw: Suspicious (medium confidence)
Purpose & Capability
Name, SKILL.md, package.json and the included tools/security-audit.js all describe and implement a local OpenClaw security audit (checking env vars, config files, gateway config, installed skills, IOC lookups, etc.). The resources accessed (~/.clawdbot or ~/.openclaw, installed skills, process.env) are coherent with an audit tool.
Instruction Scope
SKILL.md instructs the user to run node tools/security-audit.js and explicitly claims the tool is read-only and keeps results local. The script does enumerate process.env, recursively scans config and skill directories, reads multiple config files, and uses execSync (via safeExec) to run system commands. Those actions are within scope for a scanner, but they are powerful and could expose secrets (it enumerates env vars and reports masked values). Because the provided tools/security-audit.js content was truncated in the prompt, I cannot confirm there is no later code that performs network requests or writes data elsewhere — that uncertainty is the main reason for caution.
Install Mechanism
No install spec; the skill is instruction-and-file based. That is low risk compared to remote fetch/install steps. The package.json is simple and the main script is included in the bundle (no external downloads shown).
Credentials
The skill does not request any credentials or environment variables, but it enumerates all process.env entries and flags ones matching many sensitive patterns (AWS_, OPENAI_, etc.). Enumerating env vars is reasonable for this audit purpose, but it does mean the tool will see all your environment variables at runtime; the script masks values in its console report but still includes partial values. If you run it in an environment containing secrets, those values will be read by the script (and could be written to a local file if you use --output).
Persistence & Privilege
The skill does not request always: true and has no install hooks declared. It does not appear to modify other skills or system-wide settings based on the provided code. Autonomous invocation (disable-model-invocation: false) is the platform default and not itself a problem, but be mindful that an agent could run the script if allowed.
Scan Findings in Context
[child_process.execSync] expected: The script defines safeExec using child_process.execSync to run system commands; this is expected for a local audit (to check open ports, process lists, etc.). However execSync is a powerful primitive — review later code paths to ensure commands executed are limited to harmless probes and outputs are not transmitted off-host.
[process.env enumeration] expected: The tool explicitly enumerates process.env to find sensitive keys. This is expected for an environment-exposure audit, but it means the script will have access to all environment variables at runtime.
[recursive_file_search] expected: The script recursively searches home/config directories for files and SKILL.md; this is expected for scanning installed skills and configs, but it increases the scope of files the script reads.
What to consider before installing
This package appears to implement an on-host OpenClaw security auditor and is mostly coherent with that purpose, but exercise caution before running it on sensitive systems:
- Review the entire tools/security-audit.js file yourself (search for any HTTP/HTTPS/fetch/axios/request usage, or net/socket code). The snippet you provided was truncated; ensure the full file contains no network calls or remote upload logic.
- Run the tool first in a safe/test environment or inside an isolated container/VM so it cannot access production secrets or exfiltrate data if there is hidden logic.
- If you must run it on a host with secrets, run it after reducing available environment variables (unset secrets) or run with a clean environment: e.g., in a dedicated container with only necessary vars.
- Inspect produced outputs (console and any --output file) before sharing them; the script masks env values but may still include partial identifiers.
- If you plan to allow an agent to invoke this skill autonomously, restrict that agent’s permissions and review logs of when the skill is executed.
If you want, I can scan the remainder of tools/security-audit.js (the truncated portion) for network calls or suspicious behavior — provide the full file and I will re-evaluate and may upgrade/downgrade the verdict.

Like a lobster shell, security has layers — review code before you run it.

latestvk975v8z8yn9h1j7j49vdrshqjd80zs8t
