Security scan
OpenClaw
Suspicious
medium confidence
The skill largely matches a diagnostics tool but has several inconsistencies and risky behaviors (undeclared file access, config modification & gateway restart, raw log exfiltration, interactive prompts) that you should review before installing.
Assessment and recommendations
This skill appears to implement a legitimate diagnostics tool, but review before enabling: (1) inspect scripts/openclaw-diag.sh yourself — it reads ~/.openclaw and /tmp logs and can modify openclaw.json and restart the Gateway; (2) be aware the skill will send raw script output back to the user (may contain PII or secrets); (3) the manifest did not declare the config paths or binary dependencies (python3, openclaw CLI) — that's an inconsistency; (4) advanced mode performs privileged actions and ...
Detailed analysis
⚠ Purpose and capabilities
Name/description match a local diagnostics tool and the included script implements that. However registry metadata claims no required config paths or credentials while the script explicitly reads session files (~/.openclaw, /root/.openclaw, /etc paths) and can modify openclaw.json and restart the Gateway — those resource requirements should have been declared.
⚠ Instruction scope
SKILL.md instructs the agent to execute the bundled script and to send the script stdout 'raw' via message(action="send"). The script reads session logs (which can contain full user/tool messages and possibly secrets), system config files, and may write/restore openclaw.json and restart the gateway. It also uses interactive prompts (/dev/tty) which may block in non-interactive agent runs. Sending raw logs back to chat without model filtering can leak sensitive data.
✓ Install mechanism
No install spec (instruction-only with a script). Low installation risk because nothing is downloaded or extracted; code is bundled in the skill. Still review the bundled script before use.
⚠ Credential requirements
The skill declares no required env vars or config paths, yet the script accesses multiple system paths (~/.openclaw, /root/.openclaw, /etc/openclaw/openclaw.json, /tmp logs) and requires python3 and an 'openclaw' CLI. The lack of declared file/config access is an inconsistency and reduces transparency about what secrets/data the skill may access.
⚠ Persistence and privileges
always:false (good), but the script can modify system config and restart the OpenClaw Gateway (privileged actions). Advanced mode requires interactive confirmation, but the agent could still be scripted to invoke those actions. Combined with autonomous invocation capability, this raises operational risk if the agent runs the skill without a human in the loop.
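Security is layered; review the code before running it.
Runtime dependencies
No special dependencies
Version
latest · v1.0.7 · 2026/3/23
Restored the dual-path search over /root/ and $HOME/, for compatibility with both root and non-root users
● Suspicious
Install command
Official: npx clawhub@latest install openclaw-diag
Mirror: npx clawhub@latest install openclaw-diag --registry https://cn.clawhub-mirror.com
Skill documentation
Command mode
When the user sends a /diag command, run the script directly with no additional explanation: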
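| User input | Command executed | Description |
|---|---|---|
| /diag | -s | Today's summary (default) |
| /diag full | (no -s) | Full report (Run details + error list) |
| /diag full -l 3 | -l 3 | Full details of the 3 most recent Runs |
| /diag -a waicode | -s -a waicode | Summary for the specified agent |
| /diag -a main full | -a main | Full report for the specified agent |
| /diag 2026-03-19 | -s 2026-03-19 | Summary for the specified date |
| /diag errors | (no -s) | Run the full report and extract only the error section |

- With no arguments, default to -s (summary mode, the most concise)
- full keyword → drop -s; the output includes Run details
- errors keyword → run the full report and extract only the error list
- -a, -l and date arguments are passed straight through to the script
- Strip ANSI color codes by piping through `| sed 's/\x1b\[[0-9;]*m//g'`
- -f (live follow) is not supported; that mode must be run in an SSH terminal
- Direct-output mode: the script output is sent to the user as-is with the message tool, without being summarized by the model.
  - `message(action="send", message=output)` sends the raw output
  - Then reply NO_REPLY (to avoid sending it twice)
  - If the output exceeds 4000 characters, send it in 4000-character chunks (Telegram message length limit)
  - Wrap each chunk in a ``` code block to keep the monospace layout

Natural-language mode
When the user asks in natural language (for example "How is it running?" or "What did waicode do today?"),
choose suitable arguments yourself, run the script, and summarize the key information in Chinese.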
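The direct-output steps listed under command mode (strip ANSI codes, split at 4000 characters, wrap each chunk in a code block), as an added example that is not part of the skill or its script. It also masks secret-looking values before sending, because the scan above notes that raw output may contain secrets; the redaction patterns and the sample lines are constructed assumptions.

```python
import re

ANSI_SGR = re.compile(r"\x1b\[[0-9;]*m")  # colour codes, as in the sed filter
# Constructed, non-exhaustive redaction rules (assumption: adapt to your token formats).
REDACTIONS = [
    (re.compile(r"(?i)\b(bearer)\s+[A-Za-z0-9._~+/=-]+"), r"\1 [REDACTED]"),
    (re.compile(r"(?i)((?:api[_-]?key|access[_-]?token|secret|password)"
                r"\"?\s*[:=]\s*\"?)[^\s\",]+"), r"\1[REDACTED]"),
]
LIMIT = 4000       # per-message size stated in the skill documentation
FENCE = "`" * 3    # code-block fence wrapped around every chunk

def sanitize(text):
    """Strip ANSI colour codes, then mask secret-looking values."""
    text = ANSI_SGR.sub("", text)
    for pattern, replacement in REDACTIONS:
        text = pattern.sub(replacement, text)
    return text

def chunk_messages(text, limit=LIMIT):
    """Return fenced messages of at most `limit` characters, split on line breaks."""
    budget = limit - 2 * (len(FENCE) + 1)    # room for the two fence lines
    chunks, lines, size = [], [], 0
    for line in sanitize(text).splitlines():
        line = line.replace(FENCE, "'''")    # a fence in the log must not close ours
        # A single over-long line is hard-split; normal lines stay whole.
        for piece in [line[i:i + budget] for i in range(0, len(line), budget)] or [""]:
            if lines and size + 1 + len(piece) > budget:
                chunks.append("\n".join(lines))
                lines, size = [], 0
            size += len(piece) + (1 if lines else 0)
            lines.append(piece)
    if lines:
        chunks.append("\n".join(lines))
    return [f"{FENCE}\n{chunk}\n{FENCE}" for chunk in chunks]

# Constructed sample output, not real OpenClaw logs.
SAMPLE = (
    "\x1b[1;32m== Summary ==\x1b[0m\n"
    "tool=web_fetch status=ok header='Authorization: Bearer abc123.def456'\n"
    '{"role": "tool", "api_key": "sk-constructed-000", "tokens": 812}\n'
)

if __name__ == "__main__":
    for message in chunk_messages(SAMPLE):
        print(message)
```

Pattern-based masking only catches the formats it lists, so it complements reviewing what the script reads rather than replacing it.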
Quick start
# Diagnose today's data
bash scripts/openclaw-diag.sh
# Diagnose a specific date
bash scripts/openclaw-diag.sh 2026-03-19
# Summary only
bash scripts/openclaw-diag.sh -s
# Live follow (similar to tail -f)
bash scripts/openclaw-diag.sh -f
# Advanced live follow (turns on debug logging automatically, restores it on exit)
bash scripts/openclaw-diag.sh -f --advanced
# Only the specified agent
bash scripts/openclaw-diag.sh -a waicode
# The 5 most recent Runs
bash scripts/openclaw-diag.sh -l 5
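Modes

| Mode | Argument | Description |
|---|---|---|
| Summary statistics | -s (default) | KPI overview, the most concise |
| Full report | no -s | Run details + timeline + error list |
| Agent filter | -a | Only the specified agent |
| Limit count | -l N | Only the most recent N Runs |
| Specific date | YYYY-MM-DD | Defaults to today |

Arguments can be combined: -s -a main, -l 3 -a wairesearch. Live follow (-f) and advanced mode (--advanced) must be run in an SSH terminal; see references/advanced-mode.md.

Data sources
The script has two data sources and switches between them automatically:

| Data source | Path | Configuration required | Precision |
|---|---|---|---|
| Debug log | /tmp/openclaw/openclaw-YYYY-MM-DD.log | diagnostics.enabled: true | Exact Run boundaries |
| Session files | ~/.openclaw/agents//sessions/*.jsonl | None | Virtual Runs (inferred from message timestamps) |

When no debug log is present, the script falls back to session mode automatically; the core metrics (inference latency, tokens, tool statistics) remain accurate.

Output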
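Summary statistics
- Number of model calls, average inference latency, token throughput
- Number of tool calls, success rate, total time spent
- Thinking statistics (count, average depth)
- Per-agent activity distribution
Run details (non-summary mode)
- Timeline of each Run (inference segments + tool-call segments)
- Inference time, output tokens, throughput rate
- Summary of tool-call arguments
Error list
- The 20 most recent errors, newest first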
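Usage guide
Routine check
# Get a quick overview of today's activity
bash scripts/openclaw-diag.sh -s
Performance troubleshooting
# View detailed Run data for a given day to find slow queries
bash scripts/openclaw-diag.sh 2026-03-19 -l 10
Per-agent analysis
# Only waicode's activity
bash scripts/openclaw-diag.sh -a waicode -s
Live monitoring (SSH terminal)
# Must be run in an SSH terminal; not suitable for Telegram/chat
bash scripts/openclaw-diag.sh -f
bash scripts/openclaw-diag.sh -f --advanced
Notes
- The script depends on python3 (3.7+, uses datetime.fromisoformat) and bash
- Advanced mode (--advanced) temporarily modifies openclaw.json and restarts the Gateway, then restores it automatically on exit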
Data source: ClawHub · Chinese localization: 龙虾技能库