Security Decision Report

token-sop

The skill acts as a data exfiltration mechanism disguised as a token optimization tool, automatically uploading complete session traces, node identifiers, and workflows to an external cloud API with minimal user disclosure.

Install decision first · Source: manual upload · Scan time: 2026/4/4
Files 32
IOC 2
Over-privilege items 2
Findings 7

Most direct threat evidence

01
Skill intercepts every user intent through on_intent_received hook
recon · interceptor.ts

02
On session success, complete action trace is compiled with sanitizeActionArgs
data collection · interceptor.ts

03
Workflow with intent, URL, session_id, node_id saved to ~/.openclaw/workflows/
data collection · local-store.ts

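Why this conclusion was reached

2 of 4 dimensions triggered

Block
Declared vs. actual capabilities

Found 2 capabilities or over-privileged behaviors beyond what is declared.

Review
Hidden execution and outbound connections

Extracted 2 general-risk artifacts; these need to be judged in context.

Block
Attack chain and high-severity findings

The report contains a 5-step attack chain, plus 3 high or critical findings.

Review
Dependency and supply-chain hygiene

Found 1 dependency or supply-chain lead that needs attention.

Attack chain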

01
Skill intercepts every user intent through on_intent_received hook

recon · interceptor.ts:50

02
On session success, complete action trace is compiled with sanitizeActionArgs

data collection · interceptor.ts:145

03
Workflow with intent, URL, session_id, node_id saved to ~/.openclaw/workflows/

data collection · local-store.ts:53

04
With auto_contribute=true, workflow auto-uploaded to https://api.ainclaw.com

data exfiltration · cloud-client.ts:58

05
External cloud receives identifiable user data enabling behavioral profiling

final impact · cloud-client.ts:27

How the risk score was raised

Systematic data exfiltration to external cloud +25

auto_contribute=true by default sends complete session traces, node IDs, and workflows to https://api.ainclaw.com

Undeclared filesystem WRITE access +15

skill.json only declares browser/lobster/sessions_history/network but code writes to ~/.openclaw/workflows/

Node identification tracking +10

nodeId is sent with every cloud request, enabling user tracking across sessions

Cloud workflow execution without verification +10

execute() fetches and runs workflows from cloud; validation appears minimal

Incomplete PII sanitization +5

Sanitizer has blind spots; sensitive field names like 'credit_card' are detected, but workflows are still uploaded automatically

Key evidence

High · Data exfiltration

Automatic workflow contribution enabled by default

auto_contribute is set to true by default in SKILL.md. Every successful session automatically uploads complete workflow traces including intent, URL, session_id, and all action steps to https://api.ainclaw.com

SKILL.md:97
Change default to false and require explicit user opt-in for cloud contribution
High · Data exfiltration

Node identification sent with all cloud requests

nodeId (unique node identifier) is sent with every cloud API call (match, contribute, reportFailure), enabling persistent user tracking across sessions and workflows

interceptor.ts:72
Minimize or anonymize node identification; make it optional
High · Privilege escalation

Undeclared filesystem WRITE permission

The skill writes workflow data to ~/.openclaw/workflows/ directory using fs.writeFileSync, but this filesystem:WRITE capability is not declared in skill.json permissions array

local-store.ts:53
Declare filesystem:WRITE in skill.json permissions array
Medium · Code execution

Remote workflow execution from cloud

The skill executes Lobster workflows fetched from the cloud (matchResult.macro.lobster_workflow). While there is a validate() check, the security of the workflow execution chain is unclear

interceptor.ts:108
Implement stricter workflow validation; consider code signing for cloud workflows
Medium · Documentation deception

Marketing language obscures data collection behavior

SKILL.md uses marketing language ('TOKEN SOP', '省钱神器') and emphasizes benefits while burying the cloud upload functionality. The automatic contribution feature is only visible in the configuration table at the bottom

SKILL.md:1
Clearly disclose data collection and cloud upload behavior in prominent sections
Medium · Supply chain

Unpinned dependency version

The 'undici' dependency uses ^7.2.0 (caret range), allowing minor/patch updates that could introduce vulnerabilities

package.json:12
Pin to exact version: "undici": "7.2.0"
Low · Sensitive access

Process environment access for storage path

Code accesses process.env.HOME to determine storage directory, which is minor but could be avoided

local-store.ts:26
Use configuration-based storage path instead

Declared vs. actual capabilities

Filesystem · Block
Declared: NONE
Inferred: WRITE
Evidence: local-store.ts:53 - fs.writeFileSync to ~/.openclaw/workflows/

Network access · Block
Declared: READ
Inferred: WRITE
Evidence: cloud-client.ts:27-41 - POST/PUT requests sending data to external API

Browser · Pass
Declared: READ
Inferred: READ
Evidence: interceptor.ts - browser.getCurrentUrl(), browser.getDomSkeletonHash()

Skill invocation · Pass
Declared: READ
Inferred: READ
Evidence: interceptor.ts - lobster.execute() and lobster.validate()

Environment variables · Pass
Declared: NONE
Inferred: READ
Evidence: local-store.ts:26 - process.env.HOME used for storage path

Suspicious artifacts and outbound connections

Medium · External URL
https://api.ainclaw.com

SKILL.md:97

Medium · External URL
https://clawhub.dev/skills/token-sop

skill.json:7

Dependencies and supply chain

Package | Version | Source | Vulnerabilities | Notes
undici | ^7.2.0 | npm | | Version not pinned - allows updates to 7.x.x

File composition

32 files · 2558 lines
TypeScript 17 files · 1405 lines
JavaScript 9 files · 883 lines
JSON 4 files · 143 lines
Markdown 2 files · 127 lines
Other files · interceptor.js · interceptor.ts · local-store.js · local-store.ts · sanitizer.js · sanitizer.ts +6

Security highlights

PII sanitizer exists with patterns for email, phone, SSN, credit cards, passwords, API keys
Sensitive field names are detected and replaced with placeholders
Workflow validation (lobster.validate()) is called before execution
Cloud failures are handled gracefully with passthrough to normal flow
Local-first lookup before cloud query - reduces unnecessary network calls