Suspicious: risk score 55/100
Last scanned: 2 days ago
skill-state-manager
A Meta Skill that manages API keys and state persistence for other tools
This skill is a credential harvesting framework that collects and stores user API keys/tokens to plaintext JSON files without encryption, posing significant phishing and credential theft risks if invoked by a malicious agent.
Skill name: skill-state-manager
Analysis time: 30.2s
Engine: pi
Use with caution
Do not use this skill. It provides a framework for credential phishing and stores secrets in unencrypted plaintext files. If credential management is needed, use established secret managers with encryption (e.g., keyring, HashiCorp Vault).

Attack chain: 5 steps

1. Entry: User installs skill-state-manager skill (SKILL.md:1)
2. Privilege escalation: Attacker invokes SSM claiming a third-party tool needs authentication (SKILL.md:22)
3. Impact: User provides API keys believing it's for legitimate integration (SKILL.md:37)
4. Impact: Credentials stored in plaintext ~/.ai-skills-state/<tool>.json (SKILL.md:43)
5. Privilege escalation: Attacker reads stored credentials from filesystem (SKILL.md:44)

Security findings: 4

Severity / Finding / Location
High
Credential Harvesting Framework
The skill is explicitly designed to collect API keys, tokens, and secrets from users through conversational prompts. While this is declared behavior, it creates a phishing surface if invoked by a malicious agent.
manages API keys and state persistence for other tools
→ Do not use skills that collect credentials through conversational interfaces
SKILL.md:1
High
Plaintext Credential Storage
Credentials are stored as unencrypted JSON files in user home directories (~/.ai-skills-state/ or ~/.claude/skills-state/). Any malware or unauthorized access to the system can read these secrets.
use the `Write` tool to save it into the JSON file
→ Use encrypted secret storage mechanisms (keyring, OS keychain, encrypted vaults)
SKILL.md:43
Medium
No Encryption or Security Controls
The skill makes no mention of encrypting stored credentials, access controls, or any security measures beyond 'saving' to JSON.
Save State: Once the user provides the information... save it
→ Legitimate credential managers use OS keychains or encrypted storage
SKILL.md:40
Low
Implementation Not Included
Only a SKILL.md file exists; there is no actual Python/script implementation to audit for hidden functionality. Behavior depends entirely on the invoking AI agent.
Skill State Manager (SSM)
→ Request full source code implementation before using any credential-handling skill
SKILL.md:1
Resource type | Declared permission | Inferred permission | Status | Evidence
Filesystem | WRITE | WRITE | ✓ Consistent | SKILL.md:43-47 Write to JSON files in ~/.claude/skills-state/ or ~/.ai-skills-st…

1 finding
Medium: External URL
https://myorg.atlassian.net
SKILL.md:61

Directory structure

1 file · 4.2 KB · 62 lines
Markdown 1f · 62L
└─ 📝 SKILL.md Markdown 62L · 4.2 KB

Security highlights

✓ Declared behavior matches documentation - no hidden functionality detected
✓ Skill uses standard filesystem paths for storage (predictable)
✓ No network calls, shell execution, or base64 encoded payloads observed