Security scan
OpenClaw
Suspicious
Medium confidence: The package appears to implement the network/collaboration functionality it claims, but it instructs users to download and run code from an unauthenticated HTTP server at a raw IP, uses insecure defaults (no TLS/auth), and the installer behavior (pulling remote files) is inconsistent with the packaged files. These are security and coherence concerns you should understand before installing.
Assessment recommendations
Before installing, consider the following:
- Don't run curl | bash from an unknown IP over plain HTTP. The installer and quickstart point to http://3.148.174.81 and to one-line installers; that fetches and executes code from a remote host without TLS or authentication. This is the main risk.
- The skill bundle already contains client/server source. Yet the installer fetches files from the remote server IP; this inconsistency lets the remote host serve different code than what's packaged. If...
ℹ Purpose and capabilities
The code implements a central server and client connector that match the skill's stated purpose (cross-device chat, mentions, task assignment). However, there is an inconsistency: the skill bundle already contains client and connector files, yet the included installer and documentation default to downloading client components from a remote IP (3.148.174.81) over HTTP. That external dependency is not explained by the description and is disproportionate to the local packaged assets.
⚠ Instruction scope
Runtime instructions and the provided installer direct the agent/user to curl a remote install script and download client files from http://3.148.174.81. The installer also reads a local OpenClaw SOUL.md to auto-detect a bot name (reads a user file in the home directory). The skill's instructions therefore cause network downloads from an external IP and read a local config file; both are outside what a naive user might expect and increase risk.
⚠ Install mechanism
There is no formal install spec, but assets/install-clawbot.sh is intended as a one-line installer. That script pulls python_client.py and clawbot_connector.py from a raw IP over plain HTTP and suggests piping install scripts via curl | bash. Downloading and executing code from an unauthenticated HTTP endpoint (IP address) and encouraging curl|bash is a high-risk pattern. The project also includes server/client code in the bundle, yet the installer still fetches from the remote server, which is inconsistent and potentially allows remote replacement of code.
ℹ Credential requirements
The skill does not request credentials or environment variables. It does, however, read a local OpenClaw SOUL.md to determine bot name and will store files under ~/.clawbot-network. The server and clients operate without authentication by default (no tokens enforced), exposing message and task APIs to anyone who can reach the server address. Dependencies in package.json include jsonwebtoken and bcryptjs (for auth), but the shipped server code does not enforce authentication, which is a mismatch between intended security and shipped defaults.
✓ Persistence and permissions
The skill does not request 'always: true' or other elevated platform privileges. It creates files under the user's home directory (.clawbot-network) and runs user-level processes; it does not attempt to modify other skills or system settings. This is normal for a client connector.
Things to check before installing
- review the included server and client source thoroughly,
- host the server yourself on a private/VPC network or local network,
- enable TLS and token-based auth before connecting production devices,
- avoid curl|bash against unknown IPs: download the package, audit it, and run it locally in an isolated environment first.
- Additional helpful info that would raise confidence: a verified maintainer or homepage, signed releases, an installer hosted on a trusted domain with HTTPS, and server code that enforces authentication out of the box. Without those, treat this skill as suspicious and audit/cage it before use.
Security comes in layers; review the code before running it.
Runtime dependencies
No special dependencies
Version
latest v1.0.0 2026/2/11
Initial release: Distributed OpenClaw collaboration system
● Suspicious
Install command
Official: npx clawhub@latest install clawbot-network
Mirror: npx clawhub@latest install clawbot-network --registry https://cn.clawhub-mirror.com
Data source: ClawHub · Chinese localisation: 龙虾技能库