koan-protocol 安全扫描报告 — 低风险 | ClawSafe

20 /100

koan-protocol

Open identity and encrypted communication protocol for AI agents. Register on the Koan mesh, get a cryptographic identity, and exchange E2E-encrypted messages.

A legitimate cryptographic identity and messaging protocol SDK. All pre-scan base64 IOCs are false positives (standard crypto key decoding). The only real concern is unencrypted private key storage on non-Windows/non-macOS systems, which is clearly documented with warnings.

技能名称koan-protocol

分析耗时70.9s

引擎pi

✓

可以安装

Safe to use with caution. On Linux, private keys are stored as base64 plaintext in ~/.koan/identity.json — use only for non-production/development agents. Consider migrating keys to a keychain or encrypted vault per SKILL.md recommendations.

安全发现 3 项

严重性	安全发现	位置
中危	Shell execution undeclared in SKILL.md 文档欺骗 SKILL.md does not mention that the SDK uses subprocess.run (Python) and spawnSync (Node.js) to execute shell commands for keychain integration (PowerShell DPAPI on Windows, security CLI on macOS). While the shell usage is legitimate for keychain ops, it represents an undeclared shell:WRITE capability. `proc = subprocess.run(command, capture_output=True, text=True, env=env)` → Add a 'Shell access' section to SKILL.md declaring subprocess usage for keychain integration on Windows/macOS.	`python/koan_sdk.py:47`
中危	Private keys stored as plaintext on Linux 敏感访问 On non-Windows/non-macOS systems, private keys are written to ~/.koan/identity.json in base64-encoded plaintext (no encryption). SKILL.md warns about this ('Treat this as local plaintext key material'), but the default behavior stores unencrypted private key material on disk. `data['signingPrivateKey'] = signing_private_key data['encryptionPrivateKey'] = encryption_private_key` → SKILL.md already recommends OS keychain or encrypted vault. Consider adding a prominent warning or auto-detecting Linux keyring backends (e.g., secret-service/libsecret).	`python/koan_sdk.py:173`
低危	cryptography dependency not strictly pinned 供应链 python/requirements.txt specifies cryptography>=42.0.0 with no upper bound. This allows installing future incompatible or compromised versions. `cryptography>=42.0.0` → Pin to a specific version range (e.g., cryptography>=42.0.0,<43.1.0) or use a lockfile.	`python/requirements.txt:1`

资源类型	声明权限	推断权限	状态	证据
文件系统	`WRITE`	`WRITE`	✓ 一致	~/.koan/identity.json, ~/.koan/config.json, ~/.koan/chats/*.jsonl
网络访问	`READ`	`WRITE`	✓ 一致	POST /relay/intent, POST /queue/{koanId}/deliver; all declared in SKILL.md
命令执行	`NONE`	`WRITE`	✓ 一致	python/koan_sdk.py:subprocess.run for keychain; node/koan-sdk.mjs:spawnSync for …
环境变量	`NONE`	`NONE`	—	Uses os.environ.copy() only for subprocess env isolation, no env var harvesting
技能调用	`NONE`	`NONE`	—	No skill invocation found
剪贴板	`NONE`	`NONE`	—	No clipboard access
浏览器	`NONE`	`NONE`	—	No browser automation
数据库	`NONE`	`NONE`	—	No database access

10 严重 23 项发现

🔒

严重编码执行 Base64 编码执行（代码混淆）

Buffer.from(privateKeyBase64, 'base64'

SKILL.md:117

🔒

严重编码执行 Base64 编码执行（代码混淆）

Buffer.from(recipientPubBase64, 'base64'

SKILL.md:252

🔒

严重编码执行 Base64 编码执行（代码混淆）

Buffer.from(recipientPubKeyB64, 'base64'

node/koan-sdk.mjs:107

🔒

严重编码执行 Base64 编码执行（代码混淆）

Buffer.from(ephemeralPubB64, 'base64'

node/koan-sdk.mjs:132

🔒

严重编码执行 Base64 编码执行（代码混淆）

Buffer.from(nonceB64, 'base64'

node/koan-sdk.mjs:140

🔒

严重编码执行 Base64 编码执行（代码混淆）

Buffer.from(ciphertextB64, 'base64'

node/koan-sdk.mjs:141

🔒

严重编码执行 Base64 编码执行（代码混淆）

Buffer.from(signingPrivateKeyB64, 'base64'

node/koan-sdk.mjs:202

🔒

严重编码执行 Base64 编码执行（代码混淆）

Buffer.from(data.signingPublicKey, 'base64'

node/koan-sdk.mjs:203

🔒

严重编码执行 Base64 编码执行（代码混淆）

Buffer.from(encryptionPrivateKeyB64, 'base64'

node/koan-sdk.mjs:204

🔒

严重编码执行 Base64 编码执行（代码混淆）

Buffer.from(data.encryptionPublicKey, 'base64'

node/koan-sdk.mjs:205

🔗

中危外部 URL 外部 URL

https://koanmesh.com/skill.json

README.md:94

🔗

中危外部 URL 外部 URL

https://koanmesh.com/team

README.md:95

🔗

中危外部 URL 外部 URL

https://koanmesh.com/team-skill.json

README.md:96

🔗

中危外部 URL 外部 URL

https://koanmesh.com/api-reference

README.md:97

🔗

中危外部 URL 外部 URL

https://koanmesh.com

SKILL.md:4

🔗

中危外部 URL 外部 URL

https://koanmesh.com/safety

SKILL.md:24

🔗

中危外部 URL 外部 URL

https://koanmesh.com/reports

SKILL.md:26

🔗

中危外部 URL 外部 URL

https://clawhub.ai/spclaudehome/skill-vetter

SKILL.md:27

🔗

中危外部 URL 外部 URL

https://koanmesh.com/agents/check-key?signingPublicKey=

SKILL.md:66

🔗

中危外部 URL 外部 URL

https://koanmesh.com/agents/register

SKILL.md:138

🔗

中危外部 URL 外部 URL

https://koanmesh.com/relay/intent

SKILL.md:161

🔗

中危外部 URL 外部 URL

https://koanmesh.com/queue/

SKILL.md:201

🔗

中危外部 URL 外部 URL

https://koanmesh.com/agents/

SKILL.md:241

目录结构

5 文件 · 56.8 KB · 1465 行

Python 1f · 530L JavaScript 1f · 487L Markdown 2f · 447L Text 1f · 1L

├─ ▾ 📁 node

│ └─ 📜 koan-sdk.mjs JavaScript 487L · 18.5 KB

├─ ▾ 📁 python

│ ├─ 🐍 koan_sdk.py Python 530L · 21.6 KB

│ └─ 📄 requirements.txt Text 1L · 21 B

├─ 📝 README.md Markdown 115L · 3.7 KB

└─ 📝 SKILL.md Markdown 332L · 12.9 KB

依赖分析 1 项

包名	版本	来源	已知漏洞	备注
`cryptography`	`>=42.0.0`	pip	否	Lower bound only, no upper bound — supply chain risk

安全亮点

✓ SKILL.md is thorough and transparent about the protocol's behavior, storage paths, and security properties

✓ SKILL.md explicitly warns that private keys are stored as unencrypted plaintext on Linux

✓ Node.js SDK has zero external dependencies — only built-in modules used

✓ No credential harvesting or environment variable enumeration observed

✓ No sensitive paths (~/.ssh, ~/.aws, .env) are accessed

✓ No obfuscation, encoded payloads, or anti-analysis techniques present

✓ No curl|bash, wget|sh, or eval-based remote execution

✓ No hidden functionality — code does exactly what documentation describes

✓ E2E encryption (X25519 ECDH + AES-256-GCM) is correctly implemented

✓ All external network calls are declared and expected for the protocol's directory/relay purpose

✓ Keychain integration (DPAPI/keychain) uses OS-native encryption on Windows and macOS