Security Decision Report

memolecard-auto

The skill contains an undeclared cookie exfiltration mechanism via a configurable backup server URL that sends browser session cookies to an arbitrary external server.

Install decision first · Source: manual upload · Scan time: 2026/4/5
Files: 1
IOC: 1
Out-of-scope items: 3
Findings: 5
Most direct threat evidence
01
Skill is distributed as a legitimate card creation tool with no mention of backup server downloads
Initial access · SKILL.md
02
Attacker sets {{ip}} to their controlled server via the BACKUP_SERVER_URL parameter
Privilege escalation · SKILL.md
03
Script extracts all browser cookies via document.cookie JavaScript execution
Privilege escalation · SKILL.md

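Why this conclusion was reached

2 of 4 dimensions triggered
Block
Declared vs. actual capabilities

Found 3 capabilities or out-of-scope behaviors beyond what is declared.

Review
Hidden execution and outbound connections

Extracted 1 general-risk artifact; it needs to be judged in context.

Block
Attack chain and high-risk findings

The report contains a 5-step attack chain, plus 2 high-risk or critical findings.

Review
Dependency and supply-chain hygiene

No complete dependency information is available, so the supply-chain assessment should remain tentative.

Attack chain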

01
Skill is distributed as a legitimate card creation tool with no mention of backup server downloads

Initial access · SKILL.md:1

02
Attacker sets {{ip}} to their controlled server via the BACKUP_SERVER_URL parameter

Privilege escalation · SKILL.md:12

03
Script extracts all browser cookies via document.cookie JavaScript execution

Privilege escalation · SKILL.md:115

04
Cookies and user-agent are POSTed to the attacker-controlled server with cardId and style parameters

Final impact · SKILL.md:117

05
Attacker uses harvested cookies to hijack user sessions on memolecard.com or other sites

Final impact · SKILL.md:124

How the risk score was raised

Undeclared credential exfiltration +30

Line 115 extracts document.cookie and POSTs it to BACKUP_SERVER_URL ({{ip}} placeholder) without any disclosure in skill documentation

Configurable arbitrary external server +20

The {{ip}} parameter allows redirecting cookie exfiltration to any attacker-controlled server

No documentation of sensitive behavior +15

SKILL.md describes only the benign card-creation flow; the backup download with cookie theft is completely undocumented

Most critical evidence

High risk · Credential theft

Cookie extraction and exfiltration to configurable external server

The script extracts all browser cookies via `document.cookie` and sends them to the BACKUP_SERVER_URL ({{ip}} parameter). This allows an attacker to set {{ip}} to their own server and harvest session cookies, potentially gaining unauthorized access to user accounts on memolecard.com or other sites sharing cookies.

SKILL.md:115
Remove the cookie exfiltration entirely. If backup download is needed, use a server-vetted, hardcoded endpoint and never send raw cookies to it.
High risk · Data exfiltration

Arbitrary external server with user-agent and cookie header

The BACKUP_SERVER_URL ({{ip}} placeholder) combined with extracted cookies and user-agent creates a full credential+identity exfiltration path to any arbitrary IP/domain. This is a classic C2-style data staging mechanism hidden within a legitimate-looking browser automation script.

SKILL.md:117
Remove the configurable external server parameter. If a fallback server is needed, it must be a known-trusted endpoint documented transparently.
Medium risk · Documentation deception

SKILL.md documents only benign functionality while hiding a data exfiltration mechanism

The SKILL.md describes a simple card creation and download workflow. It never mentions: (1) the backup server download method, (2) cookie extraction, (3) the {{ip}} parameter as an exfiltration endpoint, or (4) the three-tier download strategy. This is a clear doc-to-code mismatch.

SKILL.md:1
Document all download methods, especially the backup server approach, with clear explanations of what data is transmitted and to which endpoints.
Medium risk · Privilege escalation

Undeclared shell and network resource usage

The skill uses curl, jq, rm, ls, sleep, unset, and agent-browser eval — all of which are undeclared. The shell:WRITE and network:WRITE capabilities are not reflected in any allowed-tools declaration.

SKILL.md:82
Declare all shell tools (curl, jq, rm, ls) and network operations in SKILL.md under the capabilities section.
Low risk · Sensitive access

Downloads directory accessed for file monitoring

The script monitors $HOME/Downloads for new ZIP files and deletes old ones with rm. While not inherently malicious, accessing user download directories should be declared.

SKILL.md:98
Document the download directory access and cleanup behavior.

Declared vs. actual capabilities

Browser · Pass
Declared: READ
Inferred: WRITE
agent-browser session automation is declared for card creation
Command execution · Block
Declared: NONE
Inferred: WRITE
SKILL.md does not declare use of curl, jq, rm, sleep, ls, or unset at lines 95-140
Network access · Block
Declared: NONE
Inferred: WRITE
curl sends cookies to BACKUP_SERVER_URL at line 124, outside the declared memolecard.com scope
Filesystem · Block
Declared: NONE
Inferred: WRITE
rm/ls write operations on $DOWNLOAD_PATH at lines 93, 98, 120 not declared

Suspicious artifacts and outbound connections

Medium risk · External URL
https://www.memolecard.com/

SKILL.md:5

Dependencies and supply chain

No structured dependency alerts.

File composition

1 file · 166 lines
Markdown: 1 file · 166 lines
Files needing attention · 1
SKILL.md Markdown · 166 lines
Cookie extraction and exfiltration to configurable external server · Arbitrary external server with user-agent and cookie header · SKILL.md documents only benign functionality while hiding a data exfiltration mechanism · Undeclared shell and network resource usage · Downloads directory accessed for file monitoring · https://www.memolecard.com/

Security highlights

Skill appears to be a legitimate browser automation for a specific website (memolecard.com)
Title and content length validation provides some input guardrails
Session management includes proper close/cleanup