📦 Kemia — Skill Tool

v1.0.2

Connect your OpenClaw instance to kemia.ai for visual agent configuration management. Use when: (1) connecting to a kemia deployment for the first time (/con...

0 · 7 · 0 current · 0 cumulative
by @cwendler (Christian Wendler) · MIT-0
License
MIT-0
Last updated
2026/4/14
Security scan
VirusTotal
Suspicious
OpenClaw
Suspicious
medium confidence
The skill behaves like a remote configuration manager (as stated) but trusts a remote kemia instance to push files into your workspace without sanitizing filenames or strongly constraining the remote endpoint—this can enable accidental or malicious overwrite of local files if you connect to an untrusted kemia server.
Assessment recommendations
This skill does what it says (sync a local OpenClaw workspace to a kemia deployment and import edited snapshots), but it assumes the kemia endpoint is trusted. Before connecting: (1) only use kemia instances you trust; avoid connecting to unknown or public kemia URLs you didn't provision yourself; (2) review the scripts if you plan to connect to a third-party kemia—import.sh writes files returned by the server directly into your workspace without validating filenames (risk of overwrite or path t...
Detailed analysis
Purpose and capability
Name/description match the implemented actions: enrolling, exporting workspace .md files, checking status, generating login links, and importing deploy-ready snapshots. The scripts and API reference align with the stated purpose. Minor trust gap: skill source/homepage are missing from registry metadata, reducing external verifiability.
Instruction scope
Scripts read and write files in the user's workspace root (e.g., SOUL.md, IDENTITY.md, etc.) and will import whatever filenames and contents the kemia API returns. Import writes directly to ${WORKSPACE}/${FILENAME} without sanitizing or validating filenames (no path traversal checks). That means a malicious or misconfigured kemia instance could cause arbitrary files to be written or overwritten in your workspace. The connect flow requires a human-confirmed enrollment URL, which reduces automatic exfil risk, but the import step trusts a remote snapshot wholesale.
Install mechanism
No install spec—skill is instruction-only but includes shell scripts bundled in the package. Nothing in the package pulls remote code or runs unverified downloads. Scripts rely on jq and curl, which are common and called locally (scripts check for jq).
Credential requirements
The skill requests no environment variables or external credentials up-front; it stores an API key returned by the enrollment flow in ~/.openclaw/workspace/skills/kemia/config.json (chmod 600). The requested access (read/write to workspace files) is proportional to its purpose, but it implicitly requires trusting the remote kemia instance.
Persistence and privileges
The skill is not force-enabled (always: false) and does not request elevated platform privileges. It stores its own config under the per-workspace skills directory; autonomous invocation is allowed (platform default) but not exceptional here.
Security is layered; review the code before running it.

License

MIT-0

Free to use, modify, and redistribute; no attribution required.

Runtime dependencies

No special dependencies

Versions

latest · v1.0.2 · 2026/4/14

test

Suspicious

Install command

Official: npx clawhub@latest install kemia
Mirror: npx clawhub@latest install kemia --registry https://cn.longxiaskill.com
Data source: ClawHub ↗ · Chinese localization: 龙虾技能库