Security Sweep — Skill & Plugin Auditor
Scans OpenClaw skills and plugins for:
1. Hardcoded secrets — API keys, tokens, passwords in code
2. Dangerous exec patterns — shell injection, eval, unsanitized child_process calls
3. Dependency vulnerabilities — npm audit failures
4. Network egress — unexpected outbound connections
5. Input injection — unsanitized user input reaching exec/file/eval
Scan Scope
Built-in skills (read-only, bundled with OpenClaw CLI):
```
$(brew --prefix)/Cellar/openclaw-cli/<version>/libexec/lib/node_modules/openclaw/skills/
```
Workspace skills (user-installed):
```
~/.openclaw/workspace/skills/
```
Workflow
Full Sweep
Run the comprehensive scan script:
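```bash
# Built-in (read-only) and workspace skill directories
SKILLS_DIR="$(brew --prefix)/Cellar/openclaw-cli/2026.3.24/libexec/lib/node_modules/openclaw/skills"
WS_DIR="$HOME/.openclaw/workspace/skills"
# Timestamped report file
REPORT_DATE="$(date +%Y%m%d%H%M%S)"
REPORT_FILE="$HOME/.openclaw/security-sweep-${REPORT_DATE}.txt"
bash ~/.openclaw/workspace/skills/security-sweep/scripts/full-scan.sh \
  --builtin "$SKILLS_DIR" \
  --workspace "$WS_DIR" \
  --output "$REPORT_FILE"
```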
Quick Scan (fast patterns only)
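```bash
bash ~/.openclaw/workspace/skills/security-sweep/scripts/quick-scan.sh \
  --dir "$HOME/.openclaw/workspace/skills"
```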
Single Skill Scan
```bash
bash ~/.openclaw/workspace/skills/security-sweep/scripts/skill-scan.sh \
  --skill /path/to/skill
```
NPM Audit (workspace skills with package.json)
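```bash
bash ~/.openclaw/workspace/skills/security-sweep/scripts/npm-audit.sh \
  --workspace "$HOME/.openclaw/workspace/skills"
```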
Risk Categories
| Level | Finding | Action |
|---|---|---|
| 🔴 CRITICAL | Hardcoded secret (api_key, token, password) | Remove immediately, rotate credential |
| 🔴 CRITICAL | eval() on untrusted input | Replace with safe alternative |
| 🟠 HIGH | exec(), spawn() with string concatenation | Use execFile with array args |
| 🟠 HIGH | Shell injection surface (bash -c, ${var} in shell) | Sanitize or use execFile |
| 🟡 MEDIUM | npm audit findings (any severity) | Review and update dependencies |
| 🟡 MEDIUM | Unexpected network egress | Verify necessity, document purpose |
| 🟢 LOW | File permission too broad (0o777) | Restrict to 0o644/0o755 |
| 🟢 INFO | process.env leak in logs | Ensure logs redact env vars |
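Several rows of this table can be checked line by line. The following is an added example, not the scan scripts shipped with this skill: a small Node.js scanner whose `RULES` regexes and `scanSource` function are assumptions made for illustration, run over constructed sample source.

```javascript
// Added example: heuristic line scanner keyed to the Risk Categories table.
// The regexes are illustrative assumptions, not the rules used by full-scan.sh.
const RULES = [
  { level: 'CRITICAL', finding: 'Hardcoded secret',
    re: /\b(api[_-]?key|token|password)\b\s*[:=]\s*['"][^'"]{8,}['"]/i },
  { level: 'CRITICAL', finding: 'eval() call', re: /\beval\s*\(/ },
  // exec/spawn whose first argument is concatenated or interpolated;
  // execFile is deliberately not matched.
  { level: 'HIGH', finding: 'exec()/spawn() with string concatenation',
    re: /\b(exec|execSync|spawn|spawnSync)\s*\(\s*(`[^`]*\$\{|[^,)]*\+)/ },
  { level: 'HIGH', finding: 'Shell injection surface (bash -c)', re: /\bbash\s+-c\b/ },
  { level: 'LOW', finding: 'File permission too broad (0o777)', re: /\b0o777\b/ },
  { level: 'INFO', finding: 'process.env in logs',
    re: /console\.(log|error|warn)\s*\([^)]*process\.env/ },
];
const ORDER = ['CRITICAL', 'HIGH', 'MEDIUM', 'LOW', 'INFO'];

// Returns findings sorted by severity, then by line number.
function scanSource(file, source) {
  const findings = [];
  source.split('\n').forEach((text, i) => {
    if (/^\s*\/\//.test(text)) return; // skip full-line comments
    for (const { level, finding, re } of RULES) {
      if (re.test(text)) findings.push({ file, line: i + 1, level, finding });
    }
  });
  return findings.sort((a, b) =>
    ORDER.indexOf(a.level) - ORDER.indexOf(b.level) || a.line - b.line);
}

// Constructed sample skill source (not taken from any real skill).
const SAMPLE = [
  "const { exec, execFile } = require('child_process');",
  "const API_KEY = 'CONSTRUCTED-not-a-real-key';",
  "const token = process.env.SKILL_TOKEN;",
  "exec('git clone ' + repoUrl);",
  "execFile('git', ['clone', '--', repoUrl]);",
  "exec(`bash -c \"${userCmd}\"`);",
  "fs.chmodSync(outPath, 0o777);",
  "console.log('starting with', process.env);",
].join('\n');

for (const f of scanSource('skill.js', SAMPLE)) {
  console.log(`${f.level.padEnd(8)} ${f.file}:${f.line}  ${f.finding}`);
}
```

The environment lookup on sample line 3 and the execFile call on line 5 produce no findings, which matches the Notes: reading process.env and calling execFile with array arguments are not problems in themselves.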
Reporting
Reports are saved to ~/.openclaw/security-sweep-<date>.txt.
Include report path in memory after each scan.
Periodic Scanning
Offer to schedule weekly security sweeps via cron:
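```bash
# --every is in seconds: 604800 = 7 days
openclaw cron add \
  --name security-sweep \
  --every 604800 \
  --sessionTarget isolated \
  --payload '{"kind":"agentTurn","message":"对所有技能运行安全扫描。报告发现项。将报告保存至 ~/.openclaw/security-sweep-<日期>.txt,如发现任何严重问题,在 memory/YYYY-MM-DD.md 中记录。"}'
```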
Sharing / ClawHub Publishing
Before publishing a skill to ClawHub:
1. Run full sweep
2. Fix all CRITICAL/HIGH findings
3. Verify no secrets in SKILL.md or any scripts
4. Confirm npm audit passes with 0 vulnerabilities
5. Document all required env vars in SKILL.md
Notes
- Bundled skills are read-only (no writes during scan)
- Workspace skills are editable — fix findings directly
- Some execFile usage is legitimate (openclaw CLI calls) — review context
- process.env access is fine; the concern is env vars leaking to untrusted processes
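Security Sweep: Skill & Plugin Auditor
Scans OpenClaw skills and plugins for the following:
1. Hardcoded secrets: API keys, tokens, and passwords in code
2. Dangerous exec patterns: shell injection, eval, unsanitized child_process calls
3. Dependency vulnerabilities: npm audit failures
4. Network egress: unexpected outbound connections
5. Input injection: unsanitized user input reaching exec/file/eval
Scan Scope
Built-in skills (read-only, bundled with the OpenClaw CLI):
```
$(brew --prefix)/Cellar/openclaw-cli/<version>/libexec/lib/node_modules/openclaw/skills/
```
Workspace skills (user-installed):
```
~/.openclaw/workspace/skills/
```
Workflow
Full Sweep
Run the comprehensive scan script: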
```bash
# Built-in (read-only) and workspace skill directories
SKILLS_DIR="$(brew --prefix)/Cellar/openclaw-cli/2026.3.24/libexec/lib/node_modules/openclaw/skills"
WS_DIR="$HOME/.openclaw/workspace/skills"
# Timestamped report file
REPORT_DATE="$(date +%Y%m%d%H%M%S)"
REPORT_FILE="$HOME/.openclaw/security-sweep-${REPORT_DATE}.txt"
bash ~/.openclaw/workspace/skills/security-sweep/scripts/full-scan.sh \
  --builtin "$SKILLS_DIR" \
  --workspace "$WS_DIR" \
  --output "$REPORT_FILE"
```
Quick Scan (fast patterns only)
```bash
bash ~/.openclaw/workspace/skills/security-sweep/scripts/quick-scan.sh \
  --dir "$HOME/.openclaw/workspace/skills"
```
Single Skill Scan
```bash
bash ~/.openclaw/workspace/skills/security-sweep/scripts/skill-scan.sh \
  --skill /path/to/skill
```
NPM Audit (workspace skills with package.json)
```bash
bash ~/.openclaw/workspace/skills/security-sweep/scripts/npm-audit.sh \
  --workspace "$HOME/.openclaw/workspace/skills"
```
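Risk Categories
| Level | Finding | Action |
|---|---|---|
| 🔴 CRITICAL | Hardcoded secret (api_key, token, password) | Remove immediately, rotate the credential |
| 🔴 CRITICAL | eval() on untrusted input | Replace with a safe alternative |
| 🟠 HIGH | exec(), spawn() with string concatenation | Use execFile with array args |
| 🟠 HIGH | Shell injection surface (bash -c, ${var} in shell) | Sanitize or use execFile |
| 🟡 MEDIUM | npm audit findings (any severity) | Review and update dependencies |
| 🟡 MEDIUM | Unexpected network egress | Verify necessity, document purpose |
| 🟢 LOW | File permission too broad (0o777) | Restrict to 0o644/0o755 |
| 🟢 INFO | process.env leaked in logs | Ensure logs redact environment variables |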
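Reporting
Reports are saved to ~/.openclaw/security-sweep-<date>.txt.
Record the report path in memory after each scan.
Periodic Scanning
Offer the option of scheduling weekly security sweeps via cron: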
```bash
# --every is in seconds: 604800 = 7 days
openclaw cron add \
  --name security-sweep \
  --every 604800 \
  --sessionTarget isolated \
  --payload '{"kind":"agentTurn","message":"对所有技能运行安全扫描。报告发现项。将报告保存至 ~/.openclaw/security-sweep-<日期>.txt,如发现任何严重问题,在 memory/YYYY-MM-DD.md 中记录。"}'
```
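Sharing / ClawHub Publishing
Before publishing a skill to ClawHub:
1. Run a full sweep
2. Fix all CRITICAL/HIGH findings
3. Verify there are no secrets in SKILL.md or any scripts
4. Confirm npm audit passes with 0 vulnerabilities
5. Document all required environment variables in SKILL.md
Notes
- Bundled skills are read-only (no writes during scan)
- Workspace skills are editable: fix findings directly
- Some execFile usage is legitimate (openclaw CLI calls): review the context
- process.env access is fine; the concern is environment variables leaking to untrusted processes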