High risk: risk score 70/100
Last scan: 20 hours ago
VLAN Linux Client Skill
Manages VLAN.CN virtual networking Linux client installation, configuration, and operations
The skill instructs users to pipe a remote script from an unverified source into sh. The script is fetched over plain HTTP, and curl's -k flag additionally disables certificate validation on any HTTPS redirect, so an on-path attacker can substitute the script and obtain arbitrary code execution on the target system.
Skill name: VLAN Linux Client Skill
Analysis time: 35.0s
Engine: pi
Do not install this skill
Do not use this skill. The installation method (curl | sh over plain HTTP, with -k) is a textbook supply-chain attack vector. If a legitimate VLAN client is needed, install it only through official distribution channels with integrity verification (GPG signatures, checksums) of the downloaded artifact before it is executed.
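The verdict above asks for integrity verification before anything is executed. The POSIX shell functions below are an added example of that pattern and are not code from the VLAN.CN project or from the skill: download to a file over validated TLS (no -k, and http:// refused outright), compare the file against a SHA-256 digest pinned from an independent source, optionally check a detached GPG signature against a vendor-only keyring, and only then run it. The URL, the digest values and the keyring path are placeholders; the demo at the end verifies a locally constructed installer so it runs offline, and gpg is not exercised because a real vendor key would be needed.

```shell
#!/bin/sh
# Added example (not from the VLAN.CN project): verify an installer before running it.
set -eu

# Digest helper: coreutils sha256sum or BSD/macOS shasum, whichever is present.
sha256_of() {
  if command -v sha256sum >/dev/null 2>&1; then
    sha256sum "$1" | awk '{print $1}'
  else
    shasum -a 256 "$1" | awk '{print $1}'
  fi
}

# fetch_installer URL DEST: download to a file, never straight into a shell.
# --proto '=https' refuses plain http:// URLs and http:// redirects; there is no -k,
# so the certificate is validated; -f fails on HTTP errors instead of saving an error page.
# (Placeholder usage: fetch_installer https://example.invalid/install.sh ./install.sh)
fetch_installer() {
  curl --proto '=https' --tlsv1.2 -fsSL -o "$2" "$1"
}

# verify_sha256 FILE EXPECTED: succeed only when the digest equals the pinned value.
# The pinned value must come from a channel independent of the download (vendor docs,
# a signed release page); a hash served next to the script is controlled by the same attacker.
verify_sha256() {
  actual="$(sha256_of "$1")"
  [ "$actual" = "$2" ]
}

# verify_gpg FILE SIG KEYRING: check a detached signature against a keyring that holds
# only the vendor's public key, imported out of band. Not exercised in the offline demo.
verify_gpg() {
  gpg --no-default-keyring --keyring "$3" --verify "$2" "$1"
}

# run_if_verified FILE EXPECTED: execute the script only after the hash check passes.
# It runs as the current user here; add sudo at this point if the installer needs it,
# never around the download.
run_if_verified() {
  if verify_sha256 "$1" "$2"; then
    sh "$1"
  else
    echo "checksum mismatch for $1, refusing to execute" >&2
    return 1
  fi
}

# Offline demo with a constructed installer standing in for install.sh.
demo() {
  tmp="$(mktemp -d)"
  printf '#!/bin/sh\necho "installer ran"\n' > "$tmp/install.sh"
  good="$(sha256_of "$tmp/install.sh")"
  run_if_verified "$tmp/install.sh" "$good"          # matches: prints "installer ran"
  if run_if_verified "$tmp/install.sh" "0000000000000000"; then
    echo "unexpected: tampered script executed" >&2
    rm -rf "${tmp:?}"; return 1
  fi
  rm -rf "${tmp:?}"                                  # ${tmp:?} aborts rather than expanding to "/"
}

demo
```

The download and the hash must come from different places, or the check is theatre; the same applies to the GPG key, which is why the keyring is built out of band rather than fetched alongside the artifact.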

Attack chain (4 steps)

[Privilege escalation] Attacker performs a MITM on the network path to dl.vlan.cn or compromises the domain
SKILL.md:17
[Privilege escalation] Attacker serves a malicious install.sh in place of the legitimate one
SKILL.md:17
[Privilege escalation] User executes 'curl -kfsSL http://dl.vlan.cn/vlan2.0/linux/install.sh | sh'; the malicious script runs with the invoking user's privileges, which for an installer is typically root
SKILL.md:17
[Impact] Attacker gains full root access: backdoor installation, credential theft, persistence, lateral movement
SKILL.md:17

Security findings (4)

Severity · Finding · Location

Critical
Remote script piped to a shell without integrity verification [Supply chain]
The skill's primary installation method is 'curl -kfsSL http://dl.vlan.cn/vlan2.0/linux/install.sh | sh'. This fetches and executes code from a plain-HTTP endpoint with no checksum, GPG signature, or content inspection. Because the URL is http://, there is no transport integrity to begin with, and the -k flag also disables certificate validation on any HTTPS redirect that -L follows. Anyone who can intercept the request can substitute the script, and it runs with the privileges of the invoking shell, typically root for an installer.
curl -kfsSL http://dl.vlan.cn/vlan2.0/linux/install.sh | sh
→ Remove the curl|sh installation method entirely. If installation guidance is needed, provide distribution-package install commands (apt, yum, dnf) or direct the user to download a binary with a published checksum and GPG signature.
SKILL.md:17

Critical
TLS certificate verification disabled in installation command [Supply chain]
The -k flag in curl disables TLS certificate verification. Combined with piping to sh, this creates a trivially exploitable MITM plus RCE chain: an attacker on the network path can serve a malicious install script that compromises the system. Note that the URL itself is plain http://, so -k only matters if the server redirects to HTTPS; fixing the flag without fixing the scheme still leaves the download unauthenticated.
curl -kfsSL http://dl.vlan.cn/vlan2.0/linux/install.sh | sh
→ Remove the -k flag and use an https:// URL with proper certificate validation. Download to a file and verify its SHA-256 checksum (and signature, where published) before execution.
SKILL.md:17

High
Encourages passing passwords as plaintext command-line arguments [Credential theft]
The skill documents 'vlancli login <username> <password>', which exposes the credential in process arguments (visible in ps, in shell history, and in /proc/<pid>/cmdline to every local user). The 'recommended' login-code method is better, but the password method is still presented as a valid option.
vlancli login <username> <password> [server address]
→ Remove the password-as-argument login example entirely. Only document interactive or environment-variable-based credential passing methods.
SKILL.md:26

Medium
Dangerous shell command reference in documentation body [Documentation deception]
SKILL.md line 193 contains 'rm -rf /', a destructive filesystem operation. While this is likely a documentation artifact or mistake, it is extremely dangerous if the LLM reproduces it verbatim in responses.
rm -rf /
→ Remove or correct the 'rm -rf /' reference. Use specific, safe path examples (e.g., 'sudo rm -rf /usr/local/vlan') as shown elsewhere in the same document.
SKILL.md:193
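The credential-theft finding above states that a password passed as an argument is visible in ps and /proc. The following POSIX shell snippet is an added example, not code from the VLAN.CN project or the skill, that demonstrates and checks exactly that: a stand-in process (a sleeping sh, since the real vlancli is not assumed to be installed) is started with a constructed secret in its argv, and a small helper reads the process's command line the way any other local user could. The secret value and the process name are constructed for the demo.

```shell
#!/bin/sh
# Added example (not from the VLAN.CN project or the skill): a password given as a
# command-line argument is readable by other processes on the host.
set -eu

# argv_of PID: the process's full command line. /proc on Linux; ps on macOS/BSD.
# /proc/<pid>/cmdline is world-readable, so this needs no privilege at all.
argv_of() {
  if [ -r "/proc/$1/cmdline" ]; then
    tr '\000' ' ' < "/proc/$1/cmdline"
  else
    ps -o args= -p "$1"
  fi
}

# argv_contains PID STRING: succeed if STRING appears in the process's argv.
# Usable as a quick audit: loop over pids and look for known secrets or "password=" patterns.
argv_contains() {
  argv_of "$1" | grep -qF -- "$2"
}

# Demo: a stand-in for 'vlancli login <user> <password>'. The sleeping shell holds the
# constructed secret in its argv exactly as vlancli would hold the real password.
# Returns 0 when the leak is observed (the expected outcome).
demo_leak() {
  secret='hunter2-constructed-demo'            # constructed value, not a real credential
  sh -c 'sleep 3; :' vlancli-stand-in "$secret" &
  pid=$!
  sleep 1                                      # give the child time to start
  if argv_contains "$pid" "$secret"; then
    echo "password visible in argv of pid $pid: $(argv_of "$pid")"
    leaked=0
  else
    leaked=1
  fi
  kill "$pid" 2>/dev/null || true
  wait "$pid" 2>/dev/null || true
  return $leaked
}

demo_leak
```

An environment variable, as the remediation suggests, keeps the secret out of argv and shell history, but /proc/<pid>/environ is still readable by the same user and by root, so an interactive prompt or the skill's own login-code flow remains the better default.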
Detections: 5 (2 critical)

💀 Critical · Dangerous command · Dangerous shell command
curl -kfsSL http://dl.vlan.cn/vlan2.0/linux/install.sh | sh
README.md:17
💀 Critical · Dangerous command · Dangerous shell command
rm -rf /
SKILL.md:193
🔗 Medium · External URL
http://dl.vlan.cn/vlan2.0/linux/install.sh
README.md:17
🔗 Medium · External URL
https://www.vlan.cn/guide/linux-client
README.md:56
🔗 Medium · External URL
https://www.vlan.cn
README.md:57

Directory structure

2 files · 6.0 KB · 257 lines
Markdown: 2 files · 257 lines
├─ 📝 README.md Markdown 57L · 1.2 KB
└─ 📝 SKILL.md Markdown 200L · 4.8 KB

Security highlights

✓ No executable code/scripts present in the skill — pure documentation only
✓ Skill does not declare any allowed tools beyond documented CLI commands
✓ No environment variable access, no file writes, no network calls from skill code
✓ The skill correctly recommends login-code authentication over password-in-command