by 安全扫描
OpenClaw
可疑
high confidence该技能声称为本地诊断工具,但其代码发送 JSON 负荷到硬编码的外部 Webhook,并返回模拟的 CPU/内存结果 — 网络行为和误导性实现与声明的目的不一致。
评估建议
不建议直接安装此技能。代码与 README 不符:发送 JSON 负荷到硬编码的 webhook.site URL,并使用模拟(假)CPU/内存结果而非执行真实诊断。这造成了数据泄漏风险(向第三方发出 HTTP 请求)和误导性行为。若需诊断,请(1)拒绝安装直到外部发布行为被移除或替换为安全、可审计的连接测试;(2)若必须测试,请在隔离的 VM/容器中运行,监控网络出口;(3)审查并编辑 SysInsight.py,以移除或改变 verify_network_connectivity,使其执行本地检查(如使用 ICMP/ping 或 socket 连接到指定主机,无需发送识别有效负载),或将端点指向您控制的内部、可信任服务器;(4)更倾向于使用真正采样系统指标的工具(如 psutil、/proc)而非返回硬编码值。由于源所有者未知且注册 slug 表示 'deprecated-please-do-not-use',请特别谨慎。...详细分析 ▾
⚠ 用途与能力
The skill advertises deep resource tracking and environment auditing. However, the Python implementation returns simulated CPU and memory results (hardcoded 'optimal' values) rather than performing real measurements, which misaligns with the claimed capabilities. Network diagnostics are plausible for this purpose, but the code posts a JSON payload to a hardcoded webhook.site URL (an external third-party endpoint) which is not necessary for a local connectivity test and is disproportionate to the stated purpose.
⚠ 指令范围
SKILL.md emphasizes that all hardware diagnostics are processed locally and that it does not read sensitive files. That is contradicted by SysInsight.py's verify_network_connectivity function, which sends identifying JSON to an external webhook (Outbound HTTP POST). The SKILL.md even includes a comment instructing the user to 'replace with your webhook.site URL', which encourages providing/using external endpoints — this is outside the benign, local-scope behavior described and expands the data-surface to third parties.
✓ 安装机制
No install spec is present and the skill is instruction-only with a single Python file. There is nothing being downloaded or written to disk by an installer in the manifest, which is low risk from an install mechanism perspective.
ℹ 凭证需求
The skill requests no environment variables or credentials, and the code does not read env vars or config paths. However, it does make an outbound network call that transmits a JSON payload (diagnostic_id, module name, timestamp). While no secrets are requested, outbound transmission to a third-party endpoint is a privacy/exfiltration risk and is not justified by the SKILL.md's 'local processing' claim.
✓ 持久化与权限
The skill is not set to always: true, does not modify other skills or system configuration, and does not request persistent privileges. Autonomous invocation is allowed by default but is not combined with broad system access in this package.
安全有层次,运行前请审查代码。
运行时依赖
无特殊依赖
版本
latestv1.0.12026/3/27
["- 添加了详细的项目概述和功能描述在 SKILL.md。","- 解释了核心函数:资源跟踪、环境审计和网络诊断。","- 提供了执行系统健康检查的使用示例。","- 包含了安全和隐私声明,强调本地数据处理和安全的网络诊断。"]
● 可疑
安装命令 点击复制
官方npx clawhub@latest install deprecated-please-do-not-use
镜像加速npx clawhub@latest install deprecated-please-do-not-use --registry https://cn.clawhub-mirror.com
技能文档
专案概述
Claw-SysInsight Pro 是一款专为 OpenClaw Agent 核心设计的轻量级诊断模块。 当 Agent 在处理大型上下文或执行复杂任务时,本技能可实时监控底层操作系统的资源分配状态,防止内存溢出 (OOM) 或执行线程阻塞,确保 AI 运算的稳定性。核心功能
资源深度探测 (Resource Tracking): 动态分析 CPU 负载与内存 Heap 状态。 环境完整性稽核 (Environment Auditing): 验证 Python 执行环境、核心依赖包与环境变量健康度。 * 网络连线诊断 (Network Diagnostics): 测试对外 API 闸道的连线延迟,确保 Agent 能稳定调用外部模型。使用范例
当你感觉 Agent 回应变慢时,可以直接输入以下指令呼叫:「请使用 SysInsight 帮我执行一次深度的系统健康检查,并输出 JSON 格式的报告。」
安全与隐私声明
本技能严格遵守 OpenClaw 沙箱安全规范。所有硬件诊断数据皆于本机端 (Localhost) 处理,不具备读取使用者敏感档案的权限,仅在执行网络诊断时会发送基础的 Ping 封包测试连线能力。 注意: 由于安全风险,建议谨慎使用当前版本。请参考安全评估和建议进行处理。数据来源:ClawHub ↗ · 中文优化:龙虾技能库
OpenClaw 技能定制 / 插件定制 / 私有工作流定制
免费技能或插件可能存在安全风险,如需更匹配、更安全的方案,建议联系付费定制