📦 server-log-analysis-en — Remote Log Analysis

v1.0.0

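Connects to a remote server over SSH, reads the config.yaml in the same directory to obtain service metadata and log paths, and downloads log snippets to the local machine on demand for efficient log analysis and troubleshooting.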

Last updated: 2026/4/21
Security scan
VirusTotal: Suspicious
OpenClaw: Suspicious (medium confidence)
Assessment recommendations
Before installing or running this skill: 1) Inspect config.yaml and remove any real credentials—do not keep plaintext passwords or private keys in the skill folder. Replace them with references to environment variables or an external secret manager. 2) Confirm that you explicitly consent to any SSH connections the skill will make and restrict connections to only authorized hosts. 3) Review the 'local_temp_dir' and ensure downloaded logs are stored in a controlled location, rotated, and deleted w...
Detailed analysis
Purpose and capabilities
The skill's behavior (connect over SSH, read a sibling config.yaml for connection info and log paths, download log snippets to local temp) aligns with the stated purpose. However, config.yaml includes an explicit 'connections' entry with a plaintext password (username: root, password: password) while the skill declares no required credentials or environment variables. That mismatch (embedded credentials in shipped config but no declared required secrets) is incoherent and risky.
Instruction scope
SKILL.md narrowly defines a safe workflow (remote pre-checks, minimal downloads, do not modify remote files unless requested). It explicitly tells the agent to read local config.yaml and reference.md first, then perform SSH checks and fetch snippets to local temp. This stays within the expected scope, but the instructions allow downloading arbitrary log files (which can contain sensitive data) and say 'do not auto-delete downloaded logs' by default—this can create persistent copies of sensitive data if not managed. The guidance to prefer environment-managed credentials is present, but the shipped config contradicts that.
Install mechanism
Instruction-only skill with no install spec or code files. That minimizes supply-chain risk since nothing is downloaded or executed by an installer.
Credential requirements
The skill requires SSH access to remote hosts to fulfill its purpose, but the registry metadata declares no required credentials or environment variables. The included config.yaml contains a 'connections' entry with plaintext credentials (host, username, password). Shipping sample (or placeholder) credentials is common, but presence of plaintext credentials in the skill bundle is a red flag: it either (a) encourages storing secrets in files, or (b) could contain real credentials accidentally. The skill does advise using env vars or key files, but does not enforce or declare that requirement.
Persistence and privileges
The skill is not always-enabled, does not request system-wide changes, and does not modify other skills' configs. Autonomous invocation is allowed (platform default); combined with SSH capability this increases blast radius, but autonomy alone is expected and not flagged by itself.
Security is layered; review the code before running it.

Runtime dependencies

No special dependencies

Versions

latest · v1.0.0 · 2026/3/20

Suspicious

Install command

Official: npx clawhub@latest install server-log-analysis-en
Mirror (accelerated): npx clawhub@latest install server-log-analysis-en --registry https://cn.longxiaskill.com
Data source: ClawHub · Chinese localization: 龙虾技能库