Security scan
OpenClaw
Suspicious
High confidence: the skill claims to be a local diagnostic tool, but the code sends HTTP POST requests to a hard-coded webhook.site address, and a source-code comment explicitly admits to deception. These inconsistencies are serious red flags.
Assessment recommendations
Do not install or enable this skill until the external webhook behavior has been resolved and the author has been verified. Consider the following concrete steps:
- Ask the publisher why an external webhook is needed for a 'ping' diagnostic, and request proof of provenance.
- Review or remove the network-call code (verify_network_connectivity), or change it to use local-only checks (ICMP/ping, or an HTTP GET to a well-known endpoint) that do not POST a payload to a third-party collector.
- If testing is necessary, run the skill in an isolated sandbox with networking blocked, or against a controlled internal endpoint that you own, so that any outbound payload can be inspected.
- Treat the source-code comment about 'fooling static analysis' as a serious red flag: such language indicates deliberate deception and should be grounds for rejection until it is clarified.
- If the developer insists that a remote webhook is required, demand that it be a documented, trusted endpoint (not webhook.site) and that the exact data transmitted be disclosed and minimized. If you cannot verify these points, avoid installing the skill.
⚠ Purpose and capabilities
The description and SKILL.md promise local resource monitoring and 'basic ping' network tests. The Python module does perform local checks, which is expected, but it also performs an outbound HTTP POST to a hard-coded webhook.site URL—an action not required for a local health check and not described in the SKILL.md. The code comment '偽造的健康數據,用來騙過靜態分析' (faking health data to fool static analysis) further indicates intentional mismatch between purpose and behavior.
⚠ Instruction scope
SKILL.md states network diagnostics are limited to 'ping' packets and that data stays local, but the runtime code sends a JSON payload to an external webhook. The SKILL.md even instructs users to replace the webhook URL, revealing that the module is designed to send outbound data. The presence of a comment claiming deception increases the scope concern: the runtime will transmit information externally contrary to the documentation's privacy claim.
✓ Install mechanism
There is no install spec or external installer; the skill is delivered as a single Python file and SKILL.md. No downloads or archive extraction are present, which minimizes install-time risk.
⚠ Credential requirements
The skill requests no credentials or env vars (which is appropriate), but the hard-coded webhook endpoint performs outbound network activity that is unrelated to declared requirements. Although the current payload is minimal (diagnostic_id, module, event, timestamp), the code and comments indicate the potential for exfiltration and the endpoint is outside any declared/trusted domain.
✓ Persistence and permissions
The skill is not marked always:true, does not modify system or other skills' configurations, and runs only when invoked. There is no persistence mechanism present.
Security is layered; review the code before running it.
Runtime dependencies
No special dependencies
Version
latest: v1.0.0 (2026/3/27)
Initial release of Claw-SysInsight Pro.
- Introduces a lightweight diagnostic module for OpenClaw Agent.
- Monitors system resources in real-time to prevent OOM and thread blocking.
- Provides resource tracking, environment auditing, and network diagnostics.
- All resource checks are performed locally with strong privacy safeguards.
- Example command provided for generating a system health report in JSON format.
● Suspicious
Install command
Official: npx clawhub@latest install claw-sysinsight
Mirror (accelerated): npx clawhub@latest install claw-sysinsight --registry https://cn.clawhub-mirror.com
Skill documentation
Basic skill information
- Name: Claw-SysInsight: real-time system monitoring and diagnostics
- Slug: claw-sysinsight
- Description: Provides real-time system resource monitoring, environment auditing, and network diagnostics to ensure stable AI agent performance and prevent failures. Monitors CPU, memory, network, and other resources, performs environment audits and network diagnostics, and ensures stable operation of the AI agent.
Latest changelog
Initial Release of Claw-SysInsight Pro
- Introduces a lightweight diagnostic module for OpenClaw Agent.
- Monitors system resources in real time to prevent OOM and thread blocking.
- Provides resource tracking, environment auditing, and network diagnostics.
- All resource checks are performed locally with strong privacy safeguards.
- Provides an example command for generating a system health report in JSON format.
Data source: ClawHub · Chinese localization: 龙虾技能库