Security Decision Report

self-evolution-engine

The skill contains a hardcoded API key for a billing integration that is not declared in its documentation. This is undeclared credential handling: anyone who can read the skill's source can extract the key and use it to make unauthorized charges.

Install decision first · Source: manual upload · Scan time: 2026/4/3
Files 9
IOCs 2
Capability overreach 1
Findings 4
Most direct threat evidence
01
Attacker examines the skill and extracts the hardcoded API key from payment.py reconnaissance · payment.py
02
Attacker uses the extracted API key to make unauthorized charges against the skillpay.me billing API final impact · payment.py

Why this conclusion

3 of 4 dimensions triggered
Block
Declared vs. actual capabilities

1 capability or privileged behavior found beyond what is declared.

Block
Hidden execution and outbound connections

1 high-risk IOC or outbound-connection signal extracted.

Block
Attack chain and high-risk findings

The report contains a 2-step attack chain plus 1 high or critical finding.

Review
Dependency and supply-chain hygiene

2 dependency or supply-chain items require attention.

Attack chain

01
Attacker examines the skill and extracts the hardcoded API key from payment.py

reconnaissance · payment.py:12

02
Attacker uses the extracted API key to make unauthorized charges against the skillpay.me billing API

final impact · payment.py:44

How the risk score was raised

Hardcoded API key in source code +25

BILLING_API_KEY hardcoded as 'sk_f03aa8f8bbcf79f7aa11c112d904780f22e62add1464e3c41a79600a451eb1d2' at payment.py:12

Undeclared billing integration +15

SKILL.md mentions SkillPay but does not clearly declare the network API calls or that payment.py contains billing logic with credentials

Network requests to external API +10

Makes HTTPS requests to skillpay.me API with authentication credentials not documented in capabilities

No malicious exfiltration chain -5

The skill does not appear to steal or exfiltrate user credentials; the primary risk is unauthorized use of the skill's own billing API key.

Key evidence

High

Hardcoded API Key

A production API key for skillpay.me billing service is hardcoded in payment.py source file. This key could be extracted and used for unauthorized billing charges.

payment.py:12
Replace with an environment variable: BILLING_API_KEY = os.environ.get('SKILLPAY_API_KEY', ''), and fail closed when the variable is unset rather than sending an empty credential
Medium

Undeclared Network Communication

SKILL.md does not mention that the skill makes network requests to an external billing API (skillpay.me). This constitutes hidden functionality.

SKILL.md:1
Add a 'Network Usage' section documenting external API calls for billing
Low

Credential Stored in Version Control

If this repository is committed to version control, the hardcoded API key could be exposed in history.

payment.py:12
Use environment variables and keep secrets out of committed files. Note that adding payment.py to .gitignore does not remove a key that is already in history; a key that has ever been committed should be treated as exposed and rotated
Info

Billing Logic Auto-execution

The payment verification (require_payment()) could automatically charge users on every skill invocation if imported and called.

payment.py:67
Ensure billing is only triggered when explicitly requested by user
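The two credential findings above (the hardcoded key at payment.py:12 and the version-control exposure) are the kind of defect a pre-commit secret scan catches. The following is an added example, not code from the scanned skill or from the scanner: a minimal detector for the key shape named in this report (`sk_` followed by 64 hex characters, plus any `*_KEY`/`*_TOKEN`/`*_SECRET` assignment of a long string literal), and a fail-closed replacement for the hardcoded constant. The sample source it scans is constructed to resemble the described payment.py; the placeholder key, the `load_billing_key` name and the `SKILLPAY_API_KEY` variable are assumptions, not the skill's real code.

```python
"""Added example: hardcoded-credential detector and a fail-closed key loader.

Not part of the scanned skill. The sample source below is constructed; the
placeholder key is all zeros and is not a real credential.
"""
import os
import re
from typing import List, Tuple

# Key shape from the report: 'sk_' followed by exactly 64 lowercase hex chars.
SK_KEY_RE = re.compile(r"\bsk_[0-9a-f]{64}\b")

# Generic shape: an UPPER_CASE identifier ending in KEY/TOKEN/SECRET assigned
# a quoted literal of 20+ characters. Short literals (e.g. "") are skipped so
# an os.environ.get(..., '') default does not trigger it.
ASSIGN_RE = re.compile(
    r"""^\s*([A-Z0-9_]*(?:KEY|TOKEN|SECRET))\s*=\s*['"]([^'"]{20,})['"]"""
)


def find_hardcoded_secrets(source: str, path: str = "<memory>") -> List[Tuple[str, int, str]]:
    """Return (path, line_number, what_matched) for each suspicious line.

    The assignment pattern is checked first so the identifier name is reported;
    a bare sk_ literal anywhere else (e.g. inside a dict) is still caught.
    """
    hits: List[Tuple[str, int, str]] = []
    for number, line in enumerate(source.splitlines(), start=1):
        match = ASSIGN_RE.match(line)
        if match:
            hits.append((path, number, match.group(1)))
            continue
        if SK_KEY_RE.search(line):
            hits.append((path, number, "sk_ literal"))
    return hits


def load_billing_key(env=os.environ) -> str:
    """Fail-closed replacement for a hardcoded BILLING_API_KEY constant.

    Defaulting to '' (as in os.environ.get('SKILLPAY_API_KEY', '')) would let
    the client send unauthenticated requests; raising surfaces the missing
    configuration at startup instead. `env` is injectable for testing.
    """
    key = env.get("SKILLPAY_API_KEY", "").strip()
    if not key:
        raise RuntimeError("SKILLPAY_API_KEY is not set; refusing to start billing client")
    return key


# Constructed sample resembling the payment.py described in the report.
FAKE_KEY = "sk_" + "0" * 64  # obviously fake placeholder, not the leaked key
SAMPLE_SOURCE = (
    "import requests\n"
    'BASE_URL = "https://skillpay.me"\n'
    f'BILLING_API_KEY = "{FAKE_KEY}"\n'
    "def require_payment(user_id):\n"
    '    requests.post(BASE_URL + "/charge", headers={"Authorization": BILLING_API_KEY})\n'
)


if __name__ == "__main__":
    for file_path, line_no, what in find_hardcoded_secrets(SAMPLE_SOURCE, "payment.py"):
        print(f"{file_path}:{line_no}: hardcoded credential ({what})")
```

Run as a pre-commit hook over staged `.py` files, the detector reports `payment.py:3: hardcoded credential (BILLING_API_KEY)` for the constructed sample; the `BASE_URL` line is a URL, not a credential, and is correctly ignored. Detection only stops new leaks, so a key already committed still needs rotation.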

Declared vs. actual capabilities

File system · Pass
Declared NONE
Inferred WRITE
Used for logs, backups, snapshots and evolution patches; described in the feature set
Network access · Block
Declared NONE
Inferred READ
payment.py:25-67 makes requests to the skillpay.me API with the API key; not declared in SKILL.md
Command execution · Pass
Declared NONE
Inferred NONE
No subprocess or shell execution detected
Environment variables · Pass
Declared NONE
Inferred READ
Reads SKILLPAY_USER_ID from the environment for billing; legitimate use case

Suspicious artifacts and outbound connections

High · API key
API_KEY = "sk_f03aa8f8bbcf79f7aa11c112d904780f22e62add1464e3c41a79600a451eb1d2"

payment.py:12

Medium · External URL
https://skillpay.me

payment.py:11

Dependencies and supply chain

Package          Version   Source  Vulnerabilities  Notes
requests         *         pip     none noted       Standard HTTP library; version unpinned, so any release can be installed
python-dateutil  >=2.8.0   pip     none noted       Lower bound only, not a pinned version
pandas           >=2.0.0   pip     none noted       Optional dependency for advanced analysis
psutil           >=5.9.0   pip     none noted       Optional dependency for monitoring
matplotlib       >=3.7.0   pip     none noted       Optional dependency for reporting

File composition

9 files · 1662 lines
Python 5 files · 1300 lines
Markdown 2 files · 329 lines
JSON 1 file · 19 lines
Text 1 file · 14 lines
Files of concern · 2
payment.py Python · 142 lines
Hardcoded API Key · Credential Stored in Version Control · Billing Logic Auto-execution · API_KEY = "sk_f03aa8f8bbcf79f7aa11c112d904780f22e62add1464e3c41a79600a451eb1d2" · https://skillpay.me
SKILL.md Markdown · 84 lines
Undeclared Network Communication
Other files · evolution_generator.py · version_manager.py · error_analyzer.py · performance_monitor.py · architecture.md · _meta.json +1

Security highlights

No shell/subprocess execution detected; pure-Python implementation
No sensitive path access (no reading of ~/.ssh, ~/.aws or .env files for credential theft)
No base64 encoded commands or obfuscated payloads
No data exfiltration mechanisms detected
Version management includes backup/restore with human approval for changes
Evolution system requires --confirm flag for applying patches
No eval() or dangerous code execution patterns