by 安全扫描
OpenClaw
可疑
medium confidenceThe package mostly implements what it says (autonomous WordPress ops) but there are mismatches between the declared metadata and what the code/instructions actually require and do; that discrepancy plus persistent/automated behaviors increase risk and deserve manual review before use.
评估建议
This package contains a complete toolchain that can modify WordPress files, install plugins, run WP-CLI, create cron jobs and run continuous monitoring. Before installing or running it:
- Do not run install.sh or monitor/demo scripts on production. Test inside an isolated staging VM or container.
- Inspect install.sh, logs/*.sh and all scripts for subprocess calls and network endpoints; search for subprocess/exec/popen usage.
- Confirm Vault usage: if you will provide VAULT_TOKEN or other se...详细分析 ▾
ℹ 用途与能力
Functionality in the bundle (src/wordpress.py, seo, performance, ab_tester, vault/pipeline/audit, CLI, demos, cron scripts) aligns with the stated purpose of managing and optimizing WordPress sites. However the registry metadata claims no required env vars/configs while the code and SKILL.md clearly expect configuration (VAULT_* env vars, WP_SITES, web-root paths, and optional ClawhHub token). That mismatch is unexpected and should be clarified.
⚠ 指令范围
SKILL.md instructs cloning a repo and running python3 cli.py full-audit and python3 cli.py monitor --continuous, and the demo/quickref recommend cron jobs and status scripts. The CLI and many source files include code that can read site HTML, SSH/WD access (WP-CLI), run WP-CLI fixes, install plugins, and write files. The instructions therefore authorize wide filesystem and network actions (including continuous autonomous monitoring and scheduled tasks) which are consistent with the purpose but very powerful — ensure approval gating and audit behavior are enforced in practice.
ℹ 安装机制
There is no formal install spec in registry (instruction-only), but the skill bundle includes an install.sh, scripts, and many code files. That is not necessarily malicious, but the presence of install scripts and cron recommendations means the package can modify the host environment if executed — review install.sh and any shell scripts before running. The SKILL.md clone URL is a placeholder (http://github.com/YOUR_ORG/auto-company) and some docs reference npx, a package.json and pyproject — multiple ways to install/run exist but none are declared in metadata.
⚠ 凭证需求
Registry metadata declares no required environment variables or config paths, but the code reads and depends on environment variables and secrets (examples: VAULT_ENABLED, VAULT_URL, VAULT_TOKEN, WP_SITES, and a ClawhHub `--token` mention). The config module explicitly looks for VAULT_TOKEN and WP_SITES. Asking for Vault tokens or SSH/web-root access would be proportionate to the claimed capabilities, but the metadata should declare these. The mismatch increases the chance of accidental credential exposure or misconfiguration.
ℹ 持久化与权限
The skill does not request always:true, but instructions and demo scripts encourage running a persistent monitor (python3 cli.py monitor --continuous) and installing cron entries (logs/audit-daily.sh). If run on a host, this creates a persistent agent that can change files and schedule jobs. That is expected for this kind of tool, but it raises operational risk — ensure the Gate pipeline truly blocks destructive operations and audit logging is enabled and reviewed.
安全有层次,运行前请审查代码。
运行时依赖
无特殊依赖
版本
latestv1.0.02026/3/24
Auto-Claw 1.0.0 — Initial Release - Launches autonomous WordPress operations agent with 19 AI-powered capabilities for site management, optimization, and monitoring. - Features include SEO scanning/fixes, performance diagnostics, content auditing, image optimization, A/B testing, GEO targeting, competitor tracking, and dynamic content tools. - Robust security: credentials isolation, approval gates for destructive actions, soft deletes, and full JSONL audit logging. - Unified CLI supports all features, with demo scripts and dashboard included. - Beta available to first 10 D2C brands.
● 可疑
安装命令 点击复制
官方npx clawhub@latest install auto-claw
镜像加速npx clawhub@latest install auto-claw --registry https://cn.clawhub-mirror.com
技能文档
什么 ?
Auto-Claw autonomous AI agent manages WordPress sites 24/7. doesn't 只是 monitor — executes fixes, runs /B tests, 和 optimizes continuously.
Features (19 Capabilities)
AI-Native Site Operations
- SEO Scanner & Fixer — 40+ point audit, WP-CLI fixes, Schema.org injection
- Performance Diagnostic — Core Web Vitals, TTFB, 缓存 analysis
- Content Auditor — E-E--T scoring, readability analysis
- Image Optimizer — Compression analysis, lazy loading checks
Conversion Flywheel
- /B Testing Engine — Bayesian significance, multi-variant
- Exit Intent 弹出框 — Geo-targeted intervention
- Journey Personalizer — Segment-based content
- Smart Landing Pages — High-conversion page generator
- Dynamic FAQ — Schema.org FAQPage generator
Global Operations Center
- GEO Targeting — IP-based dynamic pricing/content
- Competitor Monitor — Price/content 更改 alerts
- Campaign Switcher — Black Friday/618/双11 auto-activation
- AI Content Generator — E-E--T optimized blog posts
Security Architecture
- Vault — Credentials never touch AI context
- Gate Pipeline — Destructive actions require approval
- Soft Deletes — Everything recoverable
- 满 Audit Log — JSONL trail
Requirements
- WordPress 5.8+ (self-hosted)
- PHP 7.4+ / 8.x
- WP-CLI installed
- SSH access (可选, 对于 满 capabilities)
- Redis (可选, 对于 对象 caching)
Installation
# Clone the project
git clone http://github.com/YOUR_ORG/auto-company
cd auto-company/projects/auto-claw# Run full site audit
python3 cli.py full-audit --url http://yoursite.com --web-root /var/www/html
# Start autonomous monitoring
python3 cli.py monitor --continuous
Quick Demo
# 19 capabilities demo (2 minutes)
python3 demo_complete.py# Single capability
python3 cli.py seo
python3 cli.py performance
python3 cli.py ab-test
python3 cli.py competitor
Live 示例
Real WordPress site running Auto-Claw:
- URL: http://linghangyuan1234.dpdns.org
- SEO Score: 85/100
- Performance: 64/100
- /B Tests: 1 活跃
- Competitor Monitor: 3 competitors tracked
Pricing
| Plan | Price | Includes |
|---|---|---|
| Starter | $500/mo | SEO + Performance + Daily Audits |
| Growth | $1,000/mo | + A/B Testing + Competitor + GEO |
| Enterprise | $2,000/mo | All 19 capabilities + AI Content |
Files
auto-claw/
├── cli.py # Unified CLI (19 commands)
├── demo_complete.py # All 19 capabilities demo
├── status.sh # Quick status check
├── dashboard.html # Visual dashboard
├── README.md # Full documentation
├── QUICKREF.md # CLI quick reference
├── src/
│ ├── seo.py
│ ├── performance_diag.py
│ ├── ab_tester.py
│ ├── competitor_monitor.py
│ ├── geo_targeting.py
│ ├── cache_optimizer.py
│ └── ...
└── docs/
├── hn-launch-draft.md # Launch story
├── gtm-outreach-templates.md # Sales templates
└── one-pager.md # Investor one-pager
Security
- Credentials stored 在...中 Vault, never exposed 到 AI
- Destructive actions (删除, core updates) require human approval
- 满 JSONL audit trail
- Soft deletes — nothing permanently removed
使用 Cases
- D2C Brands — Automate SEO, run /B tests, monitor competitors
- WP Agencies — Manage multiple client sites autonomously
- Solo Founders — 获取 "24/7 employee" 对于 WordPress ops
Support
- GitHub Issues: 举报 bugs, 请求 features
- Beta Application: http://yoursite.com/auto-claw-beta-application/
数据来源:ClawHub ↗ · 中文优化:龙虾技能库
OpenClaw 技能定制 / 插件定制 / 私有工作流定制
免费技能或插件可能存在安全风险,如需更匹配、更安全的方案,建议联系付费定制