Security Decision Report

skill-state-manager

This skill is a credential harvesting framework that collects and stores user API keys/tokens to plaintext JSON files without encryption, posing significant phishing and credential theft risks if invoked by a malicious agent.

Install decision first · Source: manual upload · Scan time: 2026/4/3
Files: 1
IOCs: 1
Over-privileged items: 0
Findings: 4
Most direct threat evidence
01
User installs skill-state-manager skill · Initial entry · SKILL.md
02
Attacker invokes SSM claiming a third-party tool needs authentication · Reconnaissance · SKILL.md
03
User provides API keys believing it's for legitimate integration · Final impact · SKILL.md

Why this conclusion was reached

1/4 dimensions triggered
Pass
Declared vs. actual capabilities

Declared resources and inferred capabilities are essentially consistent.

Review
Hidden execution and outbound connections

1 general-risk artifact was extracted; it must be judged in context.

Block
Attack chain and high-risk findings

The report contains a 5-step attack chain, plus 2 high-severity or critical findings.

Review
Dependencies and supply-chain hygiene

No complete dependency information is available; the supply-chain judgment should remain tentative.

Attack chain

01
User installs skill-state-manager skill

Initial entry · SKILL.md:1

02
Attacker invokes SSM claiming a third-party tool needs authentication

Reconnaissance · SKILL.md:22

03
User provides API keys believing it's for legitimate integration

Final impact · SKILL.md:37

04
Credentials stored in plaintext ~/.ai-skills-state/<tool>.json

Final impact · SKILL.md:43

05
Attacker reads stored credentials from filesystem

Data exfiltration · SKILL.md:44

How the risk score was driven up

Credential harvesting framework +25

Skill explicitly collects API keys/tokens through conversational UI

Unencrypted plaintext storage +20

Credentials stored in ~/.ai-skills-state/*.json without encryption

No code implementation to audit +10

Only SKILL.md exists; actual behavior depends on invoking agent

Most critical evidence

High

Credential Harvesting Framework

The skill is explicitly designed to collect API keys, tokens, and secrets from users through conversational prompts. While this is declared behavior, it creates a phishing surface if invoked by a malicious agent.

SKILL.md:1
Do not use skills that collect credentials through conversational interfaces
High

Plaintext Credential Storage

Credentials are stored as unencrypted JSON files in user home directories (~/.ai-skills-state/ or ~/.claude/skills-state/). Any malware or unauthorized access to the system can read these secrets.

SKILL.md:43
Use encrypted secret storage mechanisms (keyring, OS keychain, encrypted vaults)
Medium

No Encryption or Security Controls

The skill makes no mention of encrypting stored credentials, access controls, or any security measures beyond 'saving' to JSON.

SKILL.md:40
Legitimate credential managers use OS keychains or encrypted storage
Low

Implementation Not Included

Only a SKILL.md file exists; there is no actual Python/script implementation to audit for hidden functionality. Behavior depends entirely on the invoking AI agent.

SKILL.md:1
Request full source code implementation before using any credential-handling skill

Declared vs. actual capabilities

Filesystem · Pass
Declared: WRITE
Inferred: WRITE
SKILL.md:43-47 Write to JSON files in ~/.claude/skills-state/ or ~/.ai-skills-state/

Suspicious artifacts and outbound connections

Medium · External URL
https://myorg.atlassian.net

SKILL.md:61

Dependencies and supply chain

No structured dependency alerts.

File composition

1 file · 62 lines
Markdown: 1 file · 62 lines
Files of concern · 1
SKILL.md · Markdown · 62 lines
Credential Harvesting Framework · Plaintext Credential Storage · No Encryption or Security Controls · Implementation Not Included · https://myorg.atlassian.net

Security highlights

Declared behavior matches documentation; no hidden functionality detected
Skill uses standard filesystem paths for storage (predictable)
No network calls, shell execution, or base64 encoded payloads observed