Security Decision Report

x-tweet-fetcher

SKILL.md omits critical shell behavior (subprocess, SSH/SCP, router-agent queue writing) that exists in multiple scripts and could enable arbitrary remote execution through undocumented infrastructure pathways.

Install decision first · Source: GitHub · Scanned: 6 days ago
Files: 25
IOCs: 64
Out-of-scope items: 1
Findings: 5

Most direct threat evidence

01
SKILL.md describes only HTTP API calls and browser rendering, omitting shell/subprocess/router behaviors
Initial entry · SKILL.md

02
User sets SOGOU_SSH_HOST environment variable to proxy WeChat searches
Privilege escalation · scripts/sogou_wechat.py

03
Tool writes a dynamically constructed Python script to temp file and SCPs it to the remote host
Privilege escalation · scripts/sogou_wechat.py

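Why this conclusion was reached

3 of 4 dimensions triggered

Block
Declared vs. actual capabilities

Found 1 capability or out-of-scope behavior beyond what is declared.

Block
Hidden execution and outbound connections

Extracted 3 high-risk IOCs or outbound-connection signals.

Block
Attack chain and high-risk findings

The report contains a 6-step attack chain, plus 2 high-risk or critical findings.

Review
Dependency and supply-chain hygiene

Found 3 dependency or supply-chain leads that need attention.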

Attack chain

01
SKILL.md describes only HTTP API calls and browser rendering, omitting shell/subprocess/router behaviors

Initial entry · SKILL.md:1

02
User sets SOGOU_SSH_HOST environment variable to proxy WeChat searches

Privilege escalation · scripts/sogou_wechat.py:122

03
Tool writes a dynamically constructed Python script to temp file and SCPs it to the remote host

Privilege escalation · scripts/sogou_wechat.py:163

04
Tool executes the remote script via SSH and retrieves output — arbitrary code execution on remote

Privilege escalation · scripts/sogou_wechat.py:170

05
Router-agent mode writes curl commands to /root/router-agent/cmd-queue, enabling unmonitored outbound requests via home IP

Privilege escalation · scripts/fetch_china.py:1308

06
OpenClaw auth-profiles.json read for fallback API key, accessing credential store outside declared capabilities

Privilege escalation · scripts/x-profile-analyzer.py:62

How the risk score was raised

Undeclared router-agent file I/O +15

sogou_wechat.py and fetch_china.py write curl commands to /root/router-agent/cmd-queue and read results — not mentioned in SKILL.md

Undeclared SSH/SCP proxy execution +12

sogou_wechat.py SCPs temp scripts to remote hosts and executes via SSH — undocumented in SKILL.md

Subprocess usage not declared in SKILL.md +8

paper_recommend.py and to_obsidian.py invoke fetch_tweet.py via subprocess; SKILL.md only mentions import-based calls

README contains curl|sh pattern +6

README.md line 163 shows 'curl https://nim-lang.org/choosenim/init.sh -sSf | sh' in Nitter build instructions

OpenClaw auth-profiles.json access +3

x-profile-analyzer.py reads ~/.openclaw/agents/main/agent/auth-profiles.json for API keys — legitimate but undeclared

Key evidence

High · Documentation deception

Router-agent cmd-queue file I/O undeclared in SKILL.md

scripts/sogou_wechat.py and scripts/fetch_china.py contain an entirely undocumented execution path: writing curl commands to /root/router-agent/cmd-queue and reading results from /root/router-agent/cmd-output. This enables arbitrary network requests routed through a home router, invisible to SKILL.md readers.

scripts/sogou_wechat.py:38
Declare router-agent mode in SKILL.md with clear explanation of when it's used and environment variables required.
High · Documentation deception

SSH/SCP remote script execution undeclared in SKILL.md

sogou_wechat.py's sogou_wechat_search_via_ssh() writes a Python script to a temp file, SCPs it to a remote host (via SOGOU_SSH_HOST env var), executes it via SSH, and deletes it. This is a full remote execution pathway not mentioned in SKILL.md.

scripts/sogou_wechat.py:166
Declare SSH proxy mode with security note that it requires SOGOU_SSH_HOST env var and user-controlled remote infrastructure.
Medium · Documentation deception

Subprocess calls between scripts not declared in SKILL.md

SKILL.md describes fetch_tweet.py as a standalone fetcher and mentions 'from scripts.fetch_tweet import fetch_tweet' as the import path. However, paper_recommend.py and to_obsidian.py invoke it via subprocess.run(['python3', 'fetch_tweet.py', ...]), which is undocumented and could be replaced with direct import.

scripts/paper_recommend.py:199
Use direct Python imports instead of subprocess, or document the subprocess design pattern.
Medium · Supply chain

README.md contains curl|sh remote script execution

README.md line 163 documents 'curl https://nim-lang.org/choosenim/init.sh -sSf | sh' as part of Nitter build instructions. While this is in documentation, it sets a precedent that the skill infrastructure may execute arbitrary shell commands from URLs. The same pattern could be used with malicious URLs.

README.md:163
Remove curl|sh examples from README. If Nitter setup is needed, provide manual step-by-step instructions or direct download links.
Low · Sensitive access

OpenClaw auth-profiles.json access not declared in SKILL.md

x-profile-analyzer.py reads API keys from ~/.openclaw/agents/main/agent/auth-profiles.json as a fallback authentication method. While this is a legitimate design pattern (reading skill ecosystem credentials), it is not declared in SKILL.md.

scripts/x-profile-analyzer.py:62
Document that the tool may read OpenClaw auth profiles as a credential fallback mechanism.

Declared vs. actual capabilities

Filesystem · Pass
Declared: READ
Inferred: READ+WRITE
scripts/sogou_wechat.py:60-73 writes to router cmd-queue file; scripts/fetch_china.py:1306-1321 writes to /root/router-agent/cmd-queue

Command execution · Block
Declared: NONE
Inferred: WRITE
scripts/sogou_wechat.py:166-171 scp + ssh remote execution; scripts/paper_recommend.py:199-201 subprocess call; scripts/to_obsidian.py:837 subprocess call

Network access · Pass
Declared: READ
Inferred: READ
Network requests all declared: FxTwitter, Nitter, Camofox REST API, ArXiv, OpenAlex

Suspicious artifacts and outbound connections

Critical · Dangerous command · curl https://nim-lang.org/choosenim/init.sh -sSf | sh · README.md:163
High · IP address · 120.0.0.0 · scripts/fetch_china.py:903
High · IP address · 124.0.0.0 · scripts/playwright_client.py:79
Medium · External URL · https://img.shields.io/badge/License-MIT-yellow.svg · README.md:7
Medium · External URL · https://img.shields.io/badge/OpenClaw-Skill-blue.svg · README.md:8
Medium · External URL · https://img.shields.io/badge/Python-3.7+-green.svg · README.md:9
Medium · External URL · https://www.python.org · README.md:9
Medium · External URL · https://img.shields.io/github/stars/ythx-101/x-tweet-fetcher?style=social · README.md:10
Medium · External URL · https://x.com/elonmusk/status/123456789 · README.md:78
Medium · External URL · http://127.0.0.1:8788 · README.md:85
Medium · External URL · https://x.com/user/article/123 · README.md:110
Medium · External URL · https://mp.weixin.qq.com/s/... · README.md:113

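Dependencies and supply chain

| Package | Version | Source | Vulnerabilities | Notes |
| --- | --- | --- | --- | --- |
| requests | * | pip | | Not pinned, used in sogou_wechat.py and fetch_china.py |
| duckduckgo_search | * | pip | | Optional, used as fallback search engine |
| playwright | * | pip | | Optional, used in playwright_client.py for platform scraping |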

File composition

25 files · 11718 lines
Python 20 files · 11009 lines
Markdown 3 files · 705 lines
Ignore 1 file · 3 lines
Other 1 file · 1 line

Files needing attention · 12
scripts/fetch_tweet.py Python · 2247 lines
https://api.fxtwitter.com/ · https://pbs.twimg.com/media/ · https://x.com/i/lists/123456789 · https://twitter.com/i/lists/123456789 · https://x.com/i/article/2011779830157557760 · https://x.com/i/article/ · https://x.com/i/article/ID
scripts/fetch_china.py Python · 1748 lines
120.0.0.0 · https://weibo.com/UID/PostID · https://edith.xiaohongshu.com/api/sns/web/v1/feed · https://edith.xiaohongshu.com/api/sns/web/v1/search/notes · https://www.xiaohongshu.com/explore/67b8e3f5000000000b00d8e2 · https://www.xiaohongshu.com/discovery/item/67b8e3f5000000000b00d8e2 · https://www.xiaohongshu.com/explore/
scripts/to_obsidian.py Python · 960 lines
https://x.com/yanhua1010/status/xxx · https://pbs\.twimg\.com/media/[^ · https://pbs\.twimg\.com/media/([A-Za-z0-9_\-
scripts/paper_recommend.py Python · 738 lines
Subprocess calls between scripts not declared in SKILL.md · https://doi.org/10.48550/arXiv. · https://openalex.org/ · https://doi.org/
scripts/nitter_client.py Python · 692 lines
https://pbs.twimg.com/
scripts/playwright_client.py Python · 655 lines
124.0.0.0
scripts/paper_to_obsidian.py Python · 681 lines
https://ar5iv.labs.arxiv.org/html/2401.02385 · https://ar5iv.labs.arxiv.org · http://export.arxiv.org/api/query?id_list=
scripts/tweet_growth.py Python · 588 lines
https://api.fxtwitter.com/i/status/
scripts/arxiv_author_finder.py Python · 520 lines
https://arxiv.org/abs/2603.10165 · https://arxiv.org/abs/ · https://arxiv.org/abs/1706.03762
scripts/x-profile-analyzer.py Python · 509 lines
OpenClaw auth-profiles.json access not declared in SKILL.md · https://api.minimax.io/anthropic/v1/messages · https://www.minimaxi.com
scripts/common.py Python · 414 lines
http://www.w3.org/2005/Atom · http://arxiv.org/schemas/atom · https://(?:twitter\.com|x\.com · http://schema.org/Organization · https://search.brave.com/search?q=
scripts/sogou_wechat.py Python · 329 lines
Router-agent cmd-queue file I/O undeclared in SKILL.md · SSH/SCP remote script execution undeclared in SKILL.md · https://weixin.sogou.com/weixin?type=2&query= · https://weixin.sogou.com

Security highlights

No credential harvesting or exfiltration — all API key reads are for legitimate service calls (MiniMax, OpenAI, GitHub)
No base64-encoded execution, no eval/atob patterns, no obfuscation detected
No supply chain attacks — all dependencies are well-known packages (requests, duckduckgo_search, playwright)
No persistence mechanisms (no cron hooks, no startup scripts installed)
No data theft or C2 communication — all network calls are to documented, legitimate APIs
Router cmd-queue path validation includes anti-traversal checks (os.path.isabs, '..' check)
SSH host validation prevents command injection via regex validation of user@host format
Hardcoded IP addresses (120.0.0.0, 124.0.0.0) are actually browser version numbers in User-Agent strings, not data exfiltration targets