Security Scan
OpenClaw
Suspicious
Medium confidence: The skill largely matches its stated purpose (controlling Claude Code via MCP), but it contains several choices that are disproportionate or risky (system-prompt override features, spawning external processes with the full environment, example configs with tokens) that warrant caution before installing.
Assessment recommendations
This skill appears to implement a legitimate Claude Code/MCP CLI, but it expands the attack surface in several ways. Before installing or running it: 1) Review the source (especially src/index.ts and src/mcp/*) yourself — the package will spawn processes (npx servers) and write mcp_config.json to disk. 2) Do not point SASHA_DOCTOR_URL or --base-url to untrusted remote endpoints; the CLI will send commands and content to that backend. 3) Audit the mcp_config you create: restrict allowed commands,...
ℹ Purpose and capabilities
The name/description align with the included code: a Node CLI that talks to a backend API and manages MCP servers/clients. Requiring node is appropriate. However the skill expects a backend (SASHA_DOCTOR_URL / CLAUDE_CODE_API_URL) and spawns arbitrary configured commands (e.g., npx servers) — these are coherent for a tool that launches MCP servers, but they broaden the runtime footprint beyond a simple client.
⚠ Instruction scope
SKILL.md and the CLI let agents (via backend) read/write arbitrary files, run bash commands, and modify session behavior (including flags like --append-system-prompt and permission modes such as bypassPermissions). The SKILL.md also includes frontmatter and flags that can be used to alter system prompts. These instructions give broad discretion and can be used to change agent/system behavior beyond normal coded operations.
ℹ Install mechanism
The registry lists no install spec, but the package contains full Node source and a package.json — installing would typically require npm install/build. No remote binary downloads are performed by the skill itself. This is not high-risk by itself, but users must build/run provided code locally (review source before running).
⚠ Credential requirements
No required env vars are declared, but the code uses SASHA_DOCTOR_URL/CLAUDE_CODE_API_URL (defaulting to localhost) and the MCP client spawns child processes while copying the entire process.env into the child's env and merging config.env. Passing the full environment to spawned servers is potentially excessive because it can leak unrelated secrets to child processes or external plugins. Example config files also show storing GITHUB_TOKEN and SLACK_BOT_TOKEN, so misconfigured servers could receive sensitive tokens.
ℹ Persistence and privileges
The skill does not force 'always: true' and does not request special platform-level persistence. It writes/updates a local mcp_config.json and can start long-running MCP servers/processes, which is expected for this purpose. Autonomous invocation is allowed by default (platform behavior) — combined with the ability to append system prompts or bypass permissions this increases risk, but persistence flags themselves are not excessive.
Security is layered; review the code before running it.
Runtime dependencies
No special dependencies
Version
latest v0.3.0 2026/2/14
Major update with comprehensive documentation and advanced features.
- Added full SKILL.md guide covering installation, usage, command reference, and advanced options.
- Detailed instructions for managing persistent sessions, direct tool calls, and agent teams.
- Descriptions of permission modes, tool whitelisting, and contextual session management.
- Included examples for batch operations, session search/history, and agent collaboration.
- Clarified multi-model support and custom configuration for expert users.
● Suspicious
Install command
Official: npx clawhub@latest install openclaw-claude-code
Mirror (accelerated): npx clawhub@latest install openclaw-claude-code --registry https://cn.longxiaskill.com