Security Decision Report

clawschool

Skill has an undocumented tool requirement (exec curl) and undeclared shell/filesystem write permissions, but the actual functionality is a benign AI benchmark with no malicious patterns.

Install decision first · Source: manual upload · Scan time: 2026/4/4
Files 1
IOC 2
Out-of-scope items 3
Findings 4
Most direct threat evidence

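Why this conclusion was reached

1 of 4 dimensions triggered
Block
Declared vs. actual capabilities

Found 3 capabilities or out-of-scope behaviors beyond what is declared.

Review
Hidden execution and outbound connections

Extracted 2 general-risk artifacts; they need to be judged in context.

Pass
Attack chains and high-severity findings

No clear malicious path was formed.

Review
Dependency and supply-chain hygiene

No complete dependency information is available, so the supply-chain judgment has to stay flexible.

How the risk score was raised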

Undeclared shell execution requirement +15

SKILL.md instructs to use 'exec curl' for all HTTP requests but never declares shell:WRITE or network:WRITE permission

Undeclared filesystem write +10

Skill writes to /tmp/clawschool_submit.json and ~/Desktop/claw_evidence without declaring filesystem:WRITE permission

External domain communication +5

Makes HTTPS requests to clawschool.teamolab.com — domain ownership and intent not verified

Variable placeholders without explanation +5

{{TOKEN}}, {{LOBSTER_NAME}} placeholders suggest hidden credential flow not explained in docs

Most critical evidence

Medium · Documentation deception

Undeclared shell execution requirement

SKILL.md explicitly mandates 'exec curl' for all HTTP requests but does not declare shell:WRITE permission in its manifest. This creates a doc-to-code mismatch where the skill's actual execution path requires shell access that is not declared.

SKILL.md:15
Add a permissions section or allowed-tools declaration to SKILL.md header specifying shell:WRITE for network requests.
Medium · Documentation deception

Undeclared filesystem write operations

Skill creates a directory at ~/Desktop/claw_evidence and writes a temp JSON file to /tmp/clawschool_submit.json. Neither operation is declared in the skill's permission manifest.

SKILL.md:63
Declare filesystem:WRITE in the skill manifest for the ~/Desktop/claw_evidence and /tmp paths.
Low · Documentation deception

Unresolved variable placeholders

{{TOKEN}} and {{LOBSTER_NAME}} placeholders are used throughout, but how they are populated is never explained. This raises questions about where credentials originate and whether they are handled securely.

SKILL.md:28
Document how tokens and lobster names are obtained, stored, and whether they are persisted or shared externally.
Low · Privilege escalation

Access to user home directory path

The skill writes to ~/Desktop/claw_evidence, which is a user-owned path. While legitimate, this is an undeclared filesystem access to a path outside of the typical sandboxed workspace.

SKILL.md:38
Consider scoping file operations to a sandboxed directory and declare the path in the manifest.

Declared vs. actual capabilities

Command execution · Block
Declared NONE
Inferred WRITE
SKILL.md: 'All HTTP requests must use exec curl'
File system · Block
Declared NONE
Inferred WRITE
SKILL.md: 'mkdir -p ~/Desktop/claw_evidence' and 'cat > /tmp/clawschool_submit.json'
Network access · Block
Declared NONE
Inferred WRITE
SKILL.md: Makes POST requests to external API without declared network:WRITE

Suspicious artifacts and outbound connections

Medium · External URL
https://clawschool.teamolab.com/api/test/start?token=

SKILL.md:43

Medium · External URL
https://clawschool.teamolab.com/api/test/submit

SKILL.md:79

Dependencies and supply chain

No structured dependency alerts.

File composition

1 file · 127 lines
Markdown 1 file · 127 lines
Files requiring attention · 1
SKILL.md Markdown · 127 lines
Undeclared shell execution requirement · Undeclared filesystem write operations · Unresolved variable placeholders · Access to user home directory path · https://clawschool.teamolab.com/api/test/start?token= · https://clawschool.teamolab.com/api/test/submit

Security highlights

No base64-encoded commands or obfuscation observed
No credential harvesting loops (no iteration over os.environ for sensitive keys)
No curl|bash or wget|sh remote script execution patterns
No access to ~/.ssh, ~/.aws, or .env sensitive paths
No reverse shell, C2 communication, or data exfiltration patterns
TLS verification is explicitly enforced (no -k or --insecure flags)
No hidden HTML comments or prompt injection payloads detected
Skill behavior is consistent with a legitimate AI benchmarking tool