
openclaw

This page was generated automatically by offline static analysis. The scores are signal-driven heuristics; read them together with the evidence listed below and confirm by manual review.

Project overview

  • Name: openclaw
  • Version: 2026.2.23
  • Git HEAD: 097a6a83a018
  • Latest commit: 2026-02-24T14:49:59+05:30
  • License file: LICENSE
  • Languages: TypeScript (4603), Markdown (797), Swift (513), JSON (119), Kotlin (77), Shell (54)

README summary

OpenClaw is a personal AI assistant you run on your own devices. It answers you on the channels you already use (WhatsApp, Telegram, Slack, Discord, Google Chat, Signal, iMessage, Microsoft Teams, WebChat), plus extension channels like BlueBubbles, Matrix, Zalo, and Zalo Personal. It can speak and listen on macOS/iOS/Android, and can render a live Canvas you control. The Gateway is just the control plane — the product is the assistant.

Scores (0-10)

  Dimension          Score
  Code quality       7.0
  Maintainability    6.5
  Robustness         5.0
  Sustainability     8.5
  Portability        3.5
  Overall            6.1

The overall score is the unweighted mean of the five dimensions; each dimension is the sum of the signal weights listed under "Scoring rationale" below.

Engineering signals

CI / tests

  • CI: 8 workflows (6 listed here; stale.yml and workflow-sanity.yml appear under release signals below)
    • .github/workflows/auto-response.yml, .github/workflows/ci.yml, .github/workflows/docker-release.yml, .github/workflows/install-smoke.yml, .github/workflows/labeler.yml, .github/workflows/sandbox-common-smoke.yml
  • CI operating systems: linux, macos, windows
  • Docker: yes
  • Test signals: dir:test/, file:extensions/bluebubbles/src/actions.test.ts, file:extensions/bluebubbles/src/attachments.test.ts, file:extensions/bluebubbles/src/chat.test.ts, file:extensions/bluebubbles/src/config-schema.test.ts, file:extensions/bluebubbles/src/media-send.test.ts, file:extensions/bluebubbles/src/monitor-normalize.test.ts, file:extensions/bluebubbles/src/monitor.test.ts

Code quality tooling

  • Lint / formatting: file:.oxfmtrc.jsonc, file:.oxlintrc.json, file:pyproject.toml, script:check, script:format, script:lint, script:test
  • Type checking: file:tsconfig.json
  • Validation libraries: node:@sinclair/typebox, node:ajv, node:zod

Security and governance

  • Security documentation: present
  • Security scanning: file:.github/dependabot.yml (Dependabot dependency updates only; no SAST or secret-scanning workflow was detected among the signals)
  • Governance: dir:.github/ISSUE_TEMPLATE/, file:.github/PULL_REQUEST_TEMPLATE.md, file:CONTRIBUTING.md

Architecture and release

  • Plugin / provider structure: dir:src/plugins/, dir:src/providers/
  • Release signals: ci-file:.github/workflows/docker-release.yml, ci:publish:.github/workflows/auto-response.yml, ci:release:.github/workflows/ci.yml, ci:release:.github/workflows/docker-release.yml, ci:release:.github/workflows/stale.yml, ci:release:.github/workflows/workflow-sanity.yml
    The publish/release tags are keyword matches. Judging by their names, auto-response.yml and stale.yml are housekeeping bots rather than release pipelines; treat those two as probable false positives pending review.

Tech stack and dependencies

  • Node: name=openclaw type=module lockfile=pnpm-lock.yaml
    • deps: @agentclientprotocol/sdk, @aws-sdk/client-bedrock, @buape/carbon, @clack/prompts, @discordjs/voice, @grammyjs/runner, @grammyjs/transformer-throttler, @grammyjs/types, @homebridge/ciao, @larksuiteoapi/node-sdk, @line/bot-sdk, @lit-labs/signals, @lit/context, @lydell/node-pty, @mariozechner/pi-agent-core, @mariozechner/pi-ai
  • Python: no requirements file detected, no lockfile signal

Scoring rationale (signal → evidence)

Code quality

  • +2 CI: 8 workflow(s)
  • +2.5 tests: 1471 signal(s)
  • +2 lint/format: file:.oxfmtrc.jsonc, file:.oxlintrc.json, file:pyproject.toml, script:check, script:format, script:lint
  • +1.5 typecheck: file:tsconfig.json
  • -1 risky code patterns present (review needed)

Maintainability

  • +1 README present
  • +1 docs directories: docs/
  • +1 CHANGELOG present
  • +1.5 governance: dir:.github/ISSUE_TEMPLATE/, file:.github/PULL_REQUEST_TEMPLATE.md, file:CONTRIBUTING.md
  • +1 lockfile: pnpm-lock.yaml
  • +1 CI present

Robustness

  • +2 tests present
  • +1 config signals: dir:docs/, file:.env.example
  • +1 security docs present
  • +1 validation libraries: node:@sinclair/typebox, node:ajv, node:zod
  • +1 CI present
  • -1 risky code patterns present (review needed)

Sustainability

  • +1 license present
  • +1 version: 2026.2.23
  • +1 CHANGELOG present
  • +0.5 security docs present
  • +1 security scans: file:.github/dependabot.yml
  • +1 release signals: ci-file:.github/workflows/docker-release.yml, ci:publish:.github/workflows/auto-response.yml, ci:release:.github/workflows/ci.yml, ci:release:.github/workflows/docker-release.yml, ci:release:.github/workflows/stale.yml, ci:release:.github/workflows/workflow-sanity.yml
  • +1 tags: 60 tag(s)
  • +2 recent commit (≤30 days)

Portability

  • +2 Docker present
  • +1 CI multi-OS: linux, macos, windows
  • +0.5 README multi-OS hints: android, macos
  • +1 plugin/provider structure (signals): dir:src/plugins/, dir:src/providers/
  • -1 platform-specific components: apps/macos/, apps/ios/, apps/android/

Security and risk signals (static scan)

Suspected credentials (redacted)

  • OpenAI Key at extensions/diagnostics-otel/src/service.test.ts:319 value=***redacted***
  • OpenAI Key at extensions/diagnostics-otel/src/service.test.ts:323 value=***redacted***
  • GitHub PAT at extensions/diagnostics-otel/src/service.test.ts:330 value=***redacted***
  • GitHub PAT at extensions/diagnostics-otel/src/service.test.ts:336 value=***redacted***
  • GitHub PAT at extensions/diagnostics-otel/src/service.test.ts:350 value=***redacted***
  • GitHub PAT at extensions/diagnostics-otel/src/service.test.ts:363 value=***redacted***
  • OpenAI Key at src/agents/openclaw-tools.sessions.test.ts:339 value=***redacted***
  • OpenAI Key at src/agents/openclaw-tools.sessions.test.ts:367 value=***redacted***
  • OpenAI Key at src/agents/openclaw-tools.sessions.test.ts:373 value=***redacted***
  • Slack Token at src/slack/monitor/media.test.ts:46 value=***redacted***
  • …and 22 more (see the raw JSON)

Every hit listed above sits in a *.test.ts file, which points to fixture strings used to exercise credential-redaction logic rather than live secrets. Confirm that each value is a placeholder (and not a revoked but once-real key) before dismissing the finding, and check the 22 unlisted hits the same way.

High-risk patterns (manual review needed)

  • curl|bash (code) at Dockerfile:4
  • curl|bash (code) at Dockerfile.sandbox-common:29
  • child_process.exec (code) at scripts/release-check.ts:3
  • child_process.exec (code) at scripts/release-check.ts:34
  • curl|bash (code) at scripts/test-install-sh-docker.sh:72
  • child_process.exec (code) at scripts/update-clawtributors.ts:1
  • child_process.exec (code) at scripts/update-clawtributors.ts:228
  • child_process.exec (code) at scripts/write-build-info.ts:1
  • child_process.exec (code) at scripts/write-build-info.ts:26
  • child_process.exec (code) at scripts/docker/install-sh-e2e/run.sh:45
  • …and 77 more code-class hits
  • Risk patterns in documentation: 95 (curl|bash install instructions and similar; usually expected behaviour)

The hits at line 1 or 3 of the scripts/*.ts files are most likely the import of child_process itself; the later line numbers in the same files are the call sites to review. For each call site, check whether any part of the command string comes from outside the repository (CLI arguments, environment variables, git output, network responses), since exec passes the whole string to a shell. For the curl|bash hits, check whether the download is pinned to a version and verified against a checksum or signature before it is executed.

Recommendations

  • Audit the flagged execution paths (child_process.exec in scripts/, curl|bash in the Dockerfiles and install scripts): run them with least privilege, validate any value that reaches a command line, prefer argv-style execFile over shell strings, isolate execution where possible, and verify downloaded installers before running them.
  • If cross-platform support is the goal: map the platform binding points, state the support matrix explicitly, and provide alternative implementations or degradation strategies.
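The first recommendation, illustrated as an added example that is not code from the OpenClaw repository: the scanner's child_process.exec pattern beside its argv-style replacement, plus a whitelist check for the one value that comes from outside. The ref validator and its regular expression are hypothetical, and the block assumes Node.js on a POSIX host where echo is an executable.

```typescript
// Added example (not OpenClaw's own code): the difference between the
// `child_process.exec` pattern the scanner flags and an argv-style
// `execFile` call, plus a whitelist check for the one untrusted value.
// Assumes Node.js on a POSIX host where `echo` is an executable.
import { execSync, execFileSync } from "node:child_process";

// Hypothetical conservative whitelist for a git ref supplied from outside
// (a CLI flag, an environment variable, a webhook payload). It is stricter
// than git's own ref rules: no leading dash, no whitespace, and none of the
// shell metacharacters ; | & $ ` ( ) that matter once a shell is involved.
const SAFE_REF = /^[A-Za-z0-9][A-Za-z0-9._\/-]{0,127}$/;

function isSafeRef(ref: string): boolean {
  return SAFE_REF.test(ref);
}

// BEFORE (the flagged pattern): the value is spliced into a command string
// that `exec`/`execSync` hand to `/bin/sh -c`, so the shell parses it.
// The input `hello; echo INJECTED` therefore runs two commands.
function runThroughShell(userValue: string): string {
  return execSync(`echo ${userValue}`).toString();
}

// AFTER: `execFile`/`execFileSync` pass argv straight to the program with
// no shell in between; the whole value arrives as a single argument.
function runWithoutShell(userValue: string): string {
  return execFileSync("echo", [userValue]).toString();
}

// Hardened argv builder for a real command (shown for `git describe`, not
// executed here): validate first, keep the argv array, and add `--` so a
// value that passes the check can never be parsed as an option.
function safeArgv(ref: string): string[] {
  if (!isSafeRef(ref)) {
    throw new Error(`refusing unsafe ref ${JSON.stringify(ref)}`);
  }
  return ["describe", "--tags", "--", ref];
}

// Constructed input: what an attacker-controlled value might look like.
const demoPayload = "hello; echo INJECTED";
console.log("via shell   :", JSON.stringify(runThroughShell(demoPayload)));
console.log("via execFile:", JSON.stringify(runWithoutShell(demoPayload)));
console.log("argv for git:", safeArgv("v2026.2.23"));
```

Run with tsx or ts-node: the shell path prints two lines ("hello" and "INJECTED"), while the execFile path prints the payload verbatim as one argument. The whitelist is deliberately narrower than what git accepts; widen it only with a specific ref shape in mind, and keep the `--` regardless of the validator.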

Offline static analysis · signal-driven heuristic scoring · no external platform metrics used