Security Scan
OpenClaw
Suspicious
Medium confidence. The package is mostly coherent with a workspace-scaffold purpose, but its runtime instructions and templates instruct agents to scan dotfiles, home config, and cloud session stores (and include a “Don’t ask permission. Just do it.” policy), which is broader than a simple scaffold and raises privacy/credential-risk concerns you should understand before installing.
Assessment Recommendations
What to consider before installing:
- Review and run in a safe test workspace first: clone the repo into a throwaway workspace and run ./scripts/diff.sh and ./scripts/upgrade.sh --dry-run before applying anything to a production workspace.
- Inspect templates and scripts yourself (install.sh, upgrade.sh, sync-operators.sh). The package will copy files and scripts into your workspace root and create directories (memory/, handoff/, decisions/, scripts/, state/).
- Pay special attention to instruc...
ℹ Purpose and Capabilities
Name and files match a workspace scaffold: templates, base content, installer, upgrade/diff, and a session-sync script. However several policy files (AGENTS.md, TOOLS.md) explicitly instruct searching the workspace root, cloud storage, home config (~/.config), dotfiles, and .envrc for credentials — behavior that is broader than a minimal scaffold and worth scrutiny.
⚠ Instruction Scope
Runtime documentation and base AGENTS.md instruct agents to automatically load SECURITY.md, SOUL.md, USER.md and read daily memory files, search home config and cloud storage, and 'Don't ask permission. Just do it.' This grants the agent broad discretion to read local files (including potential secrets) and discover data outside the workspace; scripts also read ~/.openclaw session transcripts. The explicit instruction to proactively search home dotfiles and cloud locations is scope-creep for a scaffold.
✓ Installation Mechanism
No remote installers or downloads; the package is instruction-only from ClawHub and contains local bash scripts (install/upgrade/diff/sync) that copy templates into the workspace and create local directories. No external network fetches or obscure URLs in the install path were found.
⚠ Credential Requirements
The package declares no required environment variables, but the documentation and templates instruct searching .envrc, .env, ~/.config, gateway config and environment variables for credentials. Asking agents to scan these credential locations is disproportionate unless the user explicitly consents and configures it; the skill does not declare or justify needing blanket access to secrets.
✓ Persistence and Privileges
always:false and user-invocable true. The install/upgrade scripts write files into the workspace (templates, scripts, .spacesuit-version, heartbeat state) which is expected for a scaffold. The skill does not request system-wide privileges or modify other skills.
Security is layered; review the code before running it.
Runtime Dependencies
No special dependencies
Version
latest v0.3.0 2026/2/4
v0.3.0: Add CONTRIBUTING.md, CODE_OF_CONDUCT.md, and --profile flag for multi-OpenClaw support
● Suspicious
Install Command
Official: npx clawhub@latest install spacesuit
Mirror (accelerated): npx clawhub@latest install spacesuit --registry https://cn.longxiaskill.com