High Risk — Risk Score 68/100
Last scan: 2 days ago
agent-p2p
Agent P2P communication skill - enables AI agents to communicate in real-time through a Portal with other agents
Agent P2P skill contains hardcoded credentials, insecure remote deployment patterns, and supply chain vulnerabilities through unpinned dependencies and external GitHub code retrieval.
Skill Name: agent-p2p
Duration: 90.5s
Engine: pi
Do not install this skill
Do not deploy to production without: (1) removing hardcoded default password in deploy_portal.py, (2) pinning all dependency versions, (3) auditing the external GitHub repository, and (4) replacing subprocess shell=True with explicit argument lists.

Attack Chain (5 steps)

1. Escalation: User installs the skill and provides SSH credentials for VPS deployment (install.py:105)
2. Escalation: Skill clones code from an external GitHub repository without integrity verification (scripts/deploy_portal.py:184)
3. Escalation: Unpinned dependencies allow supply chain injection via a version upgrade (requirements.txt:1)
4. Escalation: SSH executes arbitrary shell scripts on the remote VPS with root privileges (auto_install.py:82)
5. Impact: Hardcoded admin password 'AgentP2P2024' creates a backdoor if not changed (scripts/deploy_portal.py:262)

Findings (10 items)

Each finding lists severity, title, description, the evidence snippet, the recommendation (→) and the location.
High
Hardcoded default password for admin backend
deploy_portal.py creates the Nginx htpasswd file with the fixed credentials admin / AgentP2P2024. The password is in the public repository, so anyone who can reach the admin backend of a deployment whose owner never changed it can log in; on a self-hosted VPS this is a standing backdoor rather than a convenience default.
self.run_command("htpasswd -cb /etc/nginx/.htpasswd admin AgentP2P2024", sudo=True)
→ Generate a random password or require user input for the admin password. Never hardcode credentials.
scripts/deploy_portal.py:262
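As an added example (not code from the agent-p2p project), the script below does what the recommendation asks: it generates a random admin password at deploy time and produces the htpasswd entry without putting the secret on a command line. It assumes the admin backend is fronted by nginx auth_basic, which accepts {SSHA} entries; where the htpasswd binary is installed, the bcrypt argv form at the end is the better choice. Function names are ours.

```python
"""Added example, not code from the agent-p2p project: replace the hardcoded
'admin' / 'AgentP2P2024' credential with a per-install random password and
build the htpasswd entry without the secret ever appearing in argv.
Assumption: the admin backend sits behind nginx auth_basic, which accepts
{SSHA} entries; bcrypt via the htpasswd tool is preferred where available."""
import base64
import hashlib
import hmac
import secrets
from typing import List, Optional


def generate_admin_password(nbytes: int = 24) -> str:
    """24 bytes from the OS CSPRNG, URL-safe base64 (32 characters, no padding)."""
    return secrets.token_urlsafe(nbytes)


def ssha_htpasswd_line(user: str, password: str, salt: Optional[bytes] = None) -> str:
    """Return 'user:{SSHA}' + base64(sha1(password + salt) + salt)."""
    if ":" in user:
        raise ValueError("user name must not contain ':'")
    salt = salt if salt is not None else secrets.token_bytes(8)
    digest = hashlib.sha1(password.encode("utf-8") + salt).digest()
    encoded = base64.b64encode(digest + salt).decode("ascii")
    return f"{user}:{{SSHA}}{encoded}"


def verify_htpasswd_line(line: str, user: str, password: str) -> bool:
    """Check a {SSHA} line the way nginx does: the first 20 bytes of the
    decoded field are the SHA-1 digest, whatever follows is the salt."""
    name, _, field = line.partition(":")
    if name != user or not field.startswith("{SSHA}"):
        return False
    raw = base64.b64decode(field[len("{SSHA}"):])
    digest, salt = raw[:20], raw[20:]
    expected = hashlib.sha1(password.encode("utf-8") + salt).digest()
    return hmac.compare_digest(digest, expected)


def build_htpasswd_argv(path: str, user: str, create: bool = False) -> List[str]:
    """argv for the htpasswd tool: -B selects bcrypt, -i reads the password
    from stdin so it never shows up in argv or `ps`. Call it as
    subprocess.run(argv, input=password, text=True, check=True)."""
    return ["htpasswd", "-iBc" if create else "-iB", path, user]


if __name__ == "__main__":
    pw = generate_admin_password()
    print("admin password (show once, then store it in a secret manager):", pw)
    print(ssha_htpasswd_line("admin", pw))
    print(build_htpasswd_argv("/etc/nginx/.htpasswd", "admin", create=True))
```

Either output replaces the `htpasswd -cb ... AgentP2P2024` call: the {SSHA} line can be written straight into /etc/nginx/.htpasswd, and the argv form keeps the password out of the process list and out of any shell parsing.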
High
Remote code execution through SSH deployment
auto_install.py (via subprocess and the ssh binary, shown below) and deploy_portal.py (via paramiko) connect to the user-provided VPS and execute shell scripts there; deploy_portal.py also clones code from an external GitHub repository onto the host. Whoever controls the VPS credentials or that repository therefore controls what runs on the VPS.
subprocess.run(f"ssh -i {ssh_key} ubuntu@{vps_ip} '{script}'", shell=True, capture_output=True, text=True)
→ Use pre-built images or verified deployment packages instead of executing arbitrary shell scripts via SSH. Implement code signing for the external repository.
auto_install.py:82
High
Unpinned dependencies enable supply chain attacks
requirements.txt gives only lower bounds (fastapi>=0.100.0, paramiko>=3.3.0, websocket-client>=1.6.0, etc.), so each fresh install resolves to whatever the newest release on the index is at that moment. A compromised or malicious later release of any of these packages is installed with no change to the skill itself.
fastapi>=0.100.0
→ Pin every dependency to an exact version and lock artifact hashes (pip-compile --generate-hashes with pip install --require-hashes, or poetry.lock / Pipfile.lock), so a re-uploaded or newly published release is rejected rather than installed.
requirements.txt:1
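As an added example (not from the project), the checker below reports which requirement lines pip could resolve to a release the author never tested: any line with no constraint, a range instead of an exact pin, or an exact pin without a --hash. The sample requirements text is constructed from this report's dependency table; its sha256 value is a placeholder, not a real digest.

```python
"""Added example, not from the agent-p2p project: a small requirements.txt
auditor. SAMPLE is constructed from this report's dependency table; the
sha256 digest in it is a placeholder."""
import re
from typing import Iterator, List, Tuple

_NAME_SPEC = re.compile(r"^([A-Za-z0-9][A-Za-z0-9._-]*)(?:\[[^\]]*\])?\s*(.*)$")
# '==1.2.3' only; '==1.*' is a range and '>=', '~=' etc. are ranges too.
_EXACT_PIN = re.compile(r"^==\s*[0-9][0-9A-Za-z.+!-]*$")


def _logical_lines(text: str) -> Iterator[Tuple[int, str]]:
    """Join backslash continuations (pip-compile writes one --hash per line)."""
    buf: List[str] = []
    start = 0
    for lineno, raw in enumerate(text.splitlines(), 1):
        stripped = raw.rstrip()
        if not buf:
            start = lineno
        if stripped.endswith("\\"):
            buf.append(stripped[:-1])
            continue
        buf.append(stripped)
        yield start, " ".join(buf)
        buf = []
    if buf:
        yield start, " ".join(buf)


def audit_requirements(text: str) -> List[Tuple[int, str, str]]:
    """Return (line, package, problem) for every requirement that is not an
    exact, hash-locked pin. Lines that pass are silently accepted."""
    problems = []
    for lineno, line in _logical_lines(text):
        line = re.split(r"(?:^|\s)#", line, maxsplit=1)[0].strip()
        if not line or line.startswith("-"):      # blank, comment, or pip option (-r, --index-url)
            continue
        has_hash = "--hash=" in line
        req = line.split("--hash", 1)[0].split(";", 1)[0].strip()   # drop hashes and env markers
        m = _NAME_SPEC.match(req)
        if not m:
            problems.append((lineno, req, "unparseable requirement"))
            continue
        name, spec = m.group(1), m.group(2).strip()
        if not spec:
            problems.append((lineno, name, "no version constraint: any release is accepted"))
        elif not _EXACT_PIN.match(spec):
            problems.append((lineno, name, f"range, not a pin ({spec}): newest matching release wins"))
        elif not has_hash:
            problems.append((lineno, name, "exact pin without --hash: a re-uploaded artifact would be accepted"))
    return problems


def is_locked(text: str) -> bool:
    return not audit_requirements(text)


# Constructed sample mirroring the report's dependency table (placeholder digest).
SAMPLE = """\
fastapi>=0.100.0
uvicorn>=0.23.0
paramiko>=3.3.0
psutil
# pinned, but nothing stops a replaced upload of the same version
websockets==11.0
# pinned and hash-locked; install with: pip install --require-hashes -r requirements.txt
requests==2.31.0 \\
    --hash=sha256:0000000000000000000000000000000000000000000000000000000000000000
"""

if __name__ == "__main__":
    for lineno, name, why in audit_requirements(SAMPLE):
        print(f"line {lineno}: {name}: {why}")
```

Run against the skill's own requirements.txt it flags all ten entries; the `requests` line in the sample shows the target state, where pip refuses anything whose digest differs from the locked one.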
High
External GitHub code pull without integrity verification
deploy_portal.py line 184 clones from 'https://github.com/yananli199307-dev/AgentPortal-p2p-skill.git' with no hash verification, no signed commits check, and no pinned commit/tag.
github_url = "https://github.com/yananli199307-dev/AgentPortal-p2p-skill.git"
→ Pin to a full commit hash rather than a tag (tags can be moved or deleted by anyone with push access) and verify the signature with git verify-commit or git verify-tag against a key obtained out of band.
scripts/deploy_portal.py:184
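As an added example (not the project's code), the helper below clones a repository at one specific commit, proves the working tree is at that commit, and optionally insists on a signed commit. It assumes git is installed on the deploying machine; the dry-run runner only records commands, the all-zero hash in the usage block is a placeholder and not a real commit of the repository, and `require_signature` needs the maintainer's signing key in the local keyring, which this report does not say exists.

```python
"""Added example, not code from the agent-p2p project: clone at a pinned
commit and verify the checkout. Assumes git is installed; the hash used in
__main__ is a placeholder, not a real commit."""
import re
import subprocess
from typing import Callable, List, Optional

_FULL_SHA = re.compile(r"^[0-9a-f]{40}$")   # full SHA-1 only: short prefixes are cheap to collide


def is_full_sha(ref: str) -> bool:
    return bool(_FULL_SHA.match(ref))


def clone_pinned(url: str, dest: str, expected_sha: str,
                 require_signature: bool = False,
                 run: Callable[..., subprocess.CompletedProcess] = subprocess.run) -> str:
    """Clone `url` into `dest` and check out exactly `expected_sha`.

    A tag or branch name would work with `git clone -b`, but both can be
    moved by anyone with push access, so only a full commit hash is accepted.
    `run` is injectable so the sequence can be dry-run or tested without git.
    """
    if not is_full_sha(expected_sha):
        raise ValueError(f"expected a 40-hex commit hash, got {expected_sha!r}")
    # '--' stops git from treating a URL that begins with '-' as an option.
    run(["git", "clone", "--no-checkout", "--", url, dest], check=True)
    run(["git", "-C", dest, "checkout", "--detach", expected_sha], check=True)
    head = run(["git", "-C", dest, "rev-parse", "HEAD"],
               check=True, capture_output=True, text=True).stdout.strip()
    if head != expected_sha:
        raise RuntimeError(f"checkout landed on {head}, expected {expected_sha}")
    if require_signature:
        # Fails unless the commit carries a valid signature from a key that is
        # already trusted in the local keyring (configure gpg.format/gpg.program as needed).
        run(["git", "-C", dest, "verify-commit", expected_sha], check=True)
    return head


def make_dry_run(head_sha: str, log: Optional[List[List[str]]] = None) -> Callable:
    """Build a stand-in for subprocess.run that records commands instead of
    executing them and answers `rev-parse HEAD` with `head_sha`."""
    def run(argv, **kwargs):
        if log is not None:
            log.append(list(argv))
        stdout = head_sha + "\n" if argv[-2:] == ["rev-parse", "HEAD"] else ""
        return subprocess.CompletedProcess(argv, 0, stdout=stdout, stderr="")
    return run


if __name__ == "__main__":
    sha = "0" * 40   # placeholder, not a real commit of the repository
    log: List[List[str]] = []
    clone_pinned("https://github.com/yananli199307-dev/AgentPortal-p2p-skill.git",
                 "/opt/agent-p2p/src", sha, require_signature=True, run=make_dry_run(sha, log))
    for argv in log:
        print("$", " ".join(argv))
```

For a real deployment, drop the `run=` argument; the rev-parse comparison is what turns "we asked for this commit" into "we are on this commit", and it also catches a server that silently serves a different object for the requested name.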
Medium
Undeclared subprocess shell execution
install.py and auto_install.py pass interpolated command strings to subprocess.run with shell=True, so shell metacharacters in the VPS address, key path or script text become local command injection on the operator's machine. SKILL.md also does not declare the use of subprocess for VPS management.
subprocess.run(f"ssh -i {ssh_key} ubuntu@{vps_ip} '{script}'", shell=True, ...)
→ Use explicit argument lists (shell=False) instead of shell=True. Declare subprocess usage explicitly in SKILL.md capabilities section.
auto_install.py:82
Medium
Database access not declared in SKILL.md
The skill creates and manages a SQLite database at /opt/agent-p2p/data/portal.db on the VPS, and manages local state files. This is not declared in the SKILL.md capability declaration.
db_path = "{self.remote_path}/data/portal.db"
→ Declare database:WRITE in the skill capabilities metadata.
scripts/deploy_portal.py:340
Medium
SSH key access to ~/.ssh directory not explicitly declared
The skill accesses SSH private keys from ~/.ssh/ for VPS deployment. While SSH is declared, the specific path ~/.ssh/id_rsa (default) is not mentioned.
ssh_key_path = os.path.expanduser(ssh_key_path or "~/.ssh/id_rsa")
→ Explicitly document ~/.ssh key access in SKILL.md security notes.
install.py:105
Low
Silent dependency installation without user consent
SKILL.md metadata sets 'auto': true for installation, so the skill installs its dependencies without a prompt. The openclaw metadata warns about this, but the per-action confirmation it describes never happens.
"auto": true
→ Ensure each installation action is confirmed by the user as stated in the metadata.
SKILL.md:10
Low
Requests library with verify=False (SSL bypass)
skill/client.py and client/client.py use requests.get/post with verify=False, disabling SSL certificate verification.
resp = requests.get(url, headers=headers, verify=False)
→ Enable certificate verification (verify=True, or verify set to a CA bundle path for a private CA). With verification disabled, the Bearer token the client sends can be read by any on-path attacker presenting a self-signed certificate; verify=False belongs only in debugging with explicit user consent.
skill/client.py:36
Info
No _meta.json found
No _meta.json file found in the root directory. Standard skill metadata may be missing.
N/A
→ Add a _meta.json file with standard skill metadata for the platform.
.
Resource     | Declared | Inferred | Status      | Evidence
Shell        | WRITE    | WRITE    | ✓ Aligned   | SKILL.md metadata declares bins: [ssh]; deploy_portal.py uses paramiko SSH
Filesystem   | WRITE    | WRITE    | ✓ Aligned   | SKILL.md declares file writes to ~/.openclaw/gateway.env; confirmed in install.p…
Network      | READ     | WRITE    | ✓ Aligned   | bridge.py POSTs to external URL; deploy_portal.py clones from external GitHub
Environment  | READ     | WRITE    | ✓ Aligned   | skill/bridge.py reads env vars; install.py writes to gateway.env
Skill Invoke | NONE     | NONE     |             | No skill invocation found
Clipboard    | NONE     | NONE     |             | No clipboard access found
Browser      | NONE     | NONE     |             | No browser access found
Database     | NONE     | WRITE    | ✗ Violation | src/main.py and deploy_portal.py create/modify SQLite DB at /opt/agent-p2p/data/…

Note: Network and Environment are declared READ but inferred WRITE, yet the scanner still marks both Aligned; treat them as under-declared alongside the Database violation.
Extracted URLs and e-mail addresses (18 findings)

Note: most of these URLs are documentation placeholders (agent.example.com, your-domain.com, friend-domain.com, your-portal.com) or loopback addresses; the only real off-host endpoints in the list are the pip mirror mirrors.aliyun.com (setup.sh:86) and the portal domains myagentp2p.com (skill/client.py:40) and agentportalp2p.com (skill_status.json:1).

Medium  External URL  https://agent.example.com                    CONFIG.md:73
Medium  External URL  https://your-domain.com                      CONFIG.md:87
Medium  External URL  http://127.0.0.1:18789                       CONFIG.md:88
Medium  External URL  http://127.0.0.1:18789/hooks/wake            CONFIG.md:146
Medium  External URL  https://your-domain.com/api/portal/info      DEPLOY.md:277
Medium  External URL  https://your-domain.com/api/contacts         README.md:98
Medium  External URL  https://friend-domain.com                    SKILL.md:100
Medium  External URL  https://your-domain.com/static/admin.html    SKILL.md:143
Medium  External URL  https://your-portal.com                      client/configure.py:29
Medium  External URL  https://your-domain.com)                     client.py:12
Medium  External URL  http://127.0.0.1:18789\n                     install.py:405
Medium  External URL  http://127.0.0.1:8081                        notify_server.py:77
Medium  External URL  https://mirrors.aliyun.com/pypi/simple/      setup.sh:86
Medium  External URL  http://127.0.0.1:18789/health                setup.sh:161
Medium  External URL  https://myagentp2p.com                       skill/client.py:40
Medium  External URL  https://agentportalp2p.com                   skill_status.json:1
Medium  External URL  http://127.0.0.1:8082/webhook                webhook_server.py:57
Info    Email         [email protected]                              CONFIG.md:122

File Tree

35 files · 228.6 KB · 7039 lines
Python 17f · 4434L Markdown 7f · 1225L HTML 2f · 1062L Shell 3f · 277L JSON 4f · 25L Text 2f · 16L
├─ 📁 client
│ ├─ 🐍 cli.py Python 85L · 2.2 KB
│ ├─ 🐍 client.py Python 314L · 11.2 KB
│ ├─ 🐍 config.py Python 52L · 1.2 KB
│ ├─ 🐍 configure.py Python 49L · 1.2 KB
│ ├─ 📝 README.md Markdown 44L · 620 B
│ ├─ 📄 requirements.txt Text 3L · 54 B
│ └─ 🐍 start.py Python 33L · 787 B
├─ 📁 config
│ └─ 📋 portals.example.json JSON 12L · 302 B
├─ 📁 docs
│ └─ 📝 verification-refactor.md Markdown 326L · 7.5 KB
├─ 📁 hooks
│ ├─ 📝 HOOK.md Markdown 9L · 139 B
│ ├─ 📋 hookpack.json JSON 11L · 248 B
│ └─ 🐍 notify.py Python 20L · 442 B
├─ 📁 scripts
│ ├─ 🐍 deploy_portal.py Python 591L · 19.1 KB
│ └─ 🔧 start.sh Shell 23L · 406 B
├─ 📁 skill
│ ├─ 🐍 bridge.py Python 318L · 11.3 KB
│ ├─ 🐍 client.py Python 129L · 4.0 KB
│ └─ 🐍 start.py Python 193L · 5.1 KB
├─ 📁 src
│ ├─ 📁 static
│ │ ├─ 📄 admin.html HTML 772L · 36.4 KB
│ │ └─ 📄 index.html HTML 290L · 16.8 KB
│ └─ 🐍 main.py Python 1072L · 33.5 KB
├─ 🐍 auto_install.py Python 294L · 8.2 KB
├─ 📋 client_status.json JSON 1L · 109 B
├─ 🐍 client.py Python 434L · 16.0 KB
├─ 📝 CONFIG.md Markdown 152L · 4.1 KB
├─ 📝 DEPLOY.md Markdown 306L · 5.1 KB
├─ 🐍 install.py Python 526L · 18.1 KB
├─ 🐍 notify_server.py Python 85L · 2.4 KB
├─ 🔧 package.sh Shell 48L · 1.5 KB
├─ 📝 README.md Markdown 181L · 3.5 KB
├─ 📄 requirements.txt Text 13L · 240 B
├─ 🐍 send.py Python 176L · 5.0 KB
├─ 🔧 setup.sh Shell 206L · 5.1 KB
├─ 📋 skill_status.json JSON 1L · 144 B
├─ 📝 SKILL.md Markdown 207L · 5.1 KB
└─ 🐍 webhook_server.py Python 63L · 1.7 KB

Dependencies (10 items)

Package          | Version   | Source | Known Vulns | Notes
fastapi          | >=0.100.0 | pip    | No          | Version not pinned - supply chain risk
uvicorn          | >=0.23.0  | pip    | No          | Version not pinned - supply chain risk
paramiko         | >=3.3.0   | pip    | No          | Version not pinned - supply chain risk
websocket-client | >=1.6.0   | pip    | No          | Version not pinned - supply chain risk
requests         | >=2.31.0  | pip    | No          | Version not pinned - supply chain risk
websockets       | >=11.0    | pip    | No          | Version not pinned - supply chain risk
python-jose      | >=3.3.0   | pip    | No          | Version not pinned - supply chain risk
python-multipart | >=0.0.6   | pip    | No          | Version not pinned - supply chain risk
psutil           | *         | pip    | No          | Version not pinned - supply chain risk
aiohttp          | *         | pip    | No          | Version not pinned - used in notify_server.py

Security Positives

✓ Security notes in CONFIG.md clearly document credential risk levels and recommend dedicated SSH keys
✓ Message approval workflow requires explicit owner consent before adding contacts
✓ WebSocket communication uses SSL context with cert verification on the Bridge side
✓ SKILL.md declares SSH and VPS deployment capabilities in metadata
✓ Code is open source and available for community audit on GitHub
✓ Uses urllib.request instead of subprocess for internal HTTP calls in bridge.py
✓ Credential storage uses Bearer token pattern rather than embedding secrets in URLs