openclaw
This page was generated automatically by offline static analysis; the scores are signal-driven heuristics and should be read together with the evidence and a manual review.
Project overview
- Name: openclaw
- Version: 2026.3.3
- Git HEAD: 4bd3469324e8
- Latest commit: 2026-03-05T10:10:09+05:30
- License: LICENSE
- Languages: TypeScript(5553), Markdown(807), Swift(575), JSON(127), Kotlin(113), Shell(58)
Scores (0-10)
| Dimension | Score | Grade |
|---|---|---|
| Code quality | 6.0 | 🔵 Good |
| Maintainability | 5.0 | 🟡 Fair |
| Robustness | 5.0 | 🟡 Fair |
| Sustainability | 8.5 | 🟢 Excellent |
| Portability | 3.5 | 🟠 Weak |
| Overall | 5.6 | 🟡 Fair |
Engineering signals
CI / Tests
- CI: 8 workflows: .github/workflows/auto-response.yml, .github/workflows/ci.yml, .github/workflows/docker-release.yml, .github/workflows/install-smoke.yml, .github/workflows/labeler.yml, .github/workflows/sandbox-common-smoke.yml…
- CI operating systems: linux, macos, windows
- Docker: yes
- Test signals: dir:test/, file:extensions/acpx/src/config.test.ts, file:extensions/acpx/src/ensure.test.ts, file:extensions/acpx/src/runtime.test.ts, file:extensions/acpx/src/service.test.ts, file:extensions/bluebubbles/src/accounts.test.ts, file:extensions/bluebubbles/src/actions.test.ts, file:extensions/bluebubbles/src/attachments.test.ts…
Code quality tooling
- Lint / formatting: file:.oxfmtrc.jsonc, file:.oxlintrc.json, file:pyproject.toml, script:check, script:format, script:lint, script:test
- Type checking: file:tsconfig.json
- Validation libraries: node:@sinclair/typebox, node:ajv, node:zod
Security and governance
- Security documentation: yes
- Security scanning: file:.github/dependabot.yml
- Governance: dir:.github/ISSUE_TEMPLATE/, file:.github/PULL_REQUEST_TEMPLATE.md, file:CONTRIBUTING.md
Architecture and releases
- Plugin/Provider structure: dir:src/plugins/, dir:src/providers/
- Release signals: ci-file:.github/workflows/docker-release.yml, ci:publish:.github/workflows/auto-response.yml, ci:release:.github/workflows/ci.yml, ci:release:.github/workflows/docker-release.yml, ci:release:.github/workflows/stale.yml, ci:release:.github/workflows/workflow-sanity.yml
Tech stack and dependencies
- Node: name=openclaw type=module lockfile=pnpm-lock.yaml
- deps: @agentclientprotocol/sdk, @aws-sdk/client-bedrock, @buape/carbon, @clack/prompts, @discordjs/voice, @grammyjs/runner, @grammyjs/transformer-throttler, @grammyjs/types, @homebridge/ciao, @line/bot-sdk, @lit-labs/signals, @lit/context, @lydell/node-pty, @mariozechner/pi-agent-core, @mariozechner/pi-ai, @mariozechner/pi-coding-agent…
- deps:
- Python: requirements=False lock_signal=None
Scoring rationale (signal → evidence)
Code quality
- +2 CI: 8 workflow(s) (≥6)
- +3 tests: 1886 signal(s), density 30% (≥20%)
- +2 lint/format: 7 signal(s) — file:.oxfmtrc.jsonc, file:.oxlintrc.json, file:pyproject.toml, script:check, script:format, script:lint
- +1.5 typecheck: file:tsconfig.json
- -1.5 high-density risky code patterns (96 hits)
- -1 many oversized files (101 files >1000 lines)
Maintainability
- -1.5 no README detected
- +1 docs dirs: docs/
- +1 CHANGELOG present
- +2 strong governance (3 signals): dir:.github/ISSUE_TEMPLATE/, file:.github/PULL_REQUEST_TEMPLATE.md, file:CONTRIBUTING.md
- +1 lockfile: pnpm-lock.yaml
- +1 CI present
- +0.5 monorepo management: pnpm-workspace
Robustness
- +2.5 good test coverage (density 30%)
- +1 config signals: dir:docs/, file:.env.example
- +1 security docs present
- +1 validation libs: node:@sinclair/typebox, node:ajv, node:zod
- +1 CI present
- -1.5 high-density risky code patterns (96 hits)
Sustainability
- +1 license present
- +1 version: 2026.3.3
- +1 CHANGELOG present
- +0.5 security docs present
- +1 security scans: file:.github/dependabot.yml
- +1 release signals: ci-file:.github/workflows/docker-release.yml, ci:publish:.github/workflows/auto-response.yml, ci:release:.github/workflows/ci.yml, ci:release:.github/workflows/docker-release.yml, ci:release:.github/workflows/stale.yml, ci:release:.github/workflows/workflow-sanity.yml
- +1 tags: 69 tag(s) (≥20)
- +2 very recent commit (≤7d)
Portability
- +2 Docker present
- +1.5 CI multi-OS (3): linux, macos, windows
- +1 plugin/provider structure (signals): dir:src/plugins/, dir:src/providers/
- -1 platform components: apps/macos/, apps/ios/, apps/android/
Security and risk signals (static scan)
Suspected credentials (redacted)
- OpenAI Key at extensions/diagnostics-otel/src/service.test.ts:321 value=***redacted***
- OpenAI Key at extensions/diagnostics-otel/src/service.test.ts:325 value=***redacted***
- GitHub PAT at extensions/diagnostics-otel/src/service.test.ts:332 value=***redacted***
- GitHub PAT at extensions/diagnostics-otel/src/service.test.ts:338 value=***redacted***
- GitHub PAT at extensions/diagnostics-otel/src/service.test.ts:352 value=***redacted***
- GitHub PAT at extensions/diagnostics-otel/src/service.test.ts:365 value=***redacted***
- OpenAI Key at src/agents/openclaw-tools.sessions.test.ts:384 value=***redacted***
- OpenAI Key at src/agents/openclaw-tools.sessions.test.ts:412 value=***redacted***
- OpenAI Key at src/agents/openclaw-tools.sessions.test.ts:418 value=***redacted***
- GitHub PAT at src/agents/model-auth-label.test.ts:35 value=***redacted***
- …and 28 more (see the raw JSON)
High-risk patterns (manual review required)
- curl|bash (code) at Dockerfile:17
- curl|bash (code) at Dockerfile.sandbox-common:29
- child_process.exec (code) at scripts/release-check.ts:3
- child_process.exec (code) at scripts/release-check.ts:126
- curl|bash (code) at scripts/test-install-sh-docker.sh:72
- curl|bash (code) at scripts/install.sh:5
- curl|bash (code) at scripts/install.sh:1006
- curl|bash (code) at scripts/install.sh:1036
- curl|bash (code) at scripts/install.sh:1037
- curl|bash (code) at scripts/install.sh:1038
- …and 86 more in the code category
- Risk patterns in documentation: 91 (curl|bash and similar install instructions, usually expected behaviour)
Recommendations
- Audit the high-risk execution paths (eval/exec/shell=True/curl|bash and similar): least privilege, input validation, isolated execution.
- If cross-platform support is a goal: map the platform-specific binding points, define an explicit support matrix, and provide alternative implementations or a fallback strategy.