Skill Trust Decision

agent-p2p

Agent P2P skill contains hardcoded credentials, insecure remote deployment patterns, and supply chain vulnerabilities through unpinned dependencies and external GitHub code retrieval.

Install decision first · Source: Manual upload · Scanned: Apr 3, 2026
Files 35
Artifacts 18
Violations 1
Findings 10
Most direct threat evidence

01 · User installs skill and provides SSH credentials for VPS deployment · delivery · install.py
02 · Skill clones code from external GitHub without integrity verification · delivery · scripts/deploy_portal.py
03 · Unpinned dependencies allow supply chain injection via version upgrade · Escalation · requirements.txt

Why this conclusion was reached

2/4 dimensions flagged

Block · Declared vs actual capability
1 undeclared or violating capability was inferred.

Review · Hidden execution and egress
18 lower-risk artifacts were extracted and still need context.

Block · Attack chain and severe findings
The report includes 5 attack-chain steps and 4 severe findings.

Review · Dependencies and supply chain hygiene
10 dependency or supply-chain issues need attention.

Attack Chain

01 · User installs skill and provides SSH credentials for VPS deployment
delivery · install.py:105

02 · Skill clones code from external GitHub without integrity verification
delivery · scripts/deploy_portal.py:184

03 · Unpinned dependencies allow supply chain injection via version upgrade
Escalation · requirements.txt:1

04 · SSH executes arbitrary shell scripts on remote VPS with root privileges
Escalation · auto_install.py:82

05 · Hardcoded admin password 'AgentP2P2024' creates backdoor if not changed
Impact · scripts/deploy_portal.py:262

What drove the risk score up

Hardcoded credential in deployment script +25

deploy_portal.py line 262 hardcodes htpasswd admin password 'AgentP2P2024' for Nginx admin protection

Remote code execution through SSH deployment +20

auto_install.py and deploy_portal.py SSH into VPS and execute arbitrary shell scripts, cloning from external GitHub

Supply chain risk - unpinned dependencies +15

requirements.txt uses unpinned versions (e.g., 'fastapi>=0.100.0', 'paramiko>=3.3.0') enabling dependency hijacking

Undeclared shell execution via subprocess +15

subprocess.Popen/run used throughout (install.py, auto_install.py, start.py) - only partially declared in SKILL.md

External GitHub repository pull +10

Deploy scripts clone from https://github.com/yananli199307-dev/AgentPortal-p2p-skill with no integrity verification

Subprocess with shell=True +5

auto_install.py uses shell=True in subprocess.run calls, enabling shell injection

Most important evidence

High · Hardcoded default password for admin backend

The deploy_portal.py script creates an Nginx htpasswd file with hardcoded credentials: username 'admin', password 'AgentP2P2024'. While this is for the admin backend on a self-hosted VPS, it creates a backdoor if the user doesn't change the password.

scripts/deploy_portal.py:262
Generate a random password or require user input for the admin password. Never hardcode credentials.

High · Remote code execution through SSH deployment

auto_install.py and deploy_portal.py use paramiko to SSH into a user-provided VPS and execute arbitrary shell scripts. The scripts clone code from an external GitHub repository. This creates significant risk if the VPS credentials or the GitHub repo are compromised.

auto_install.py:82
Use pre-built images or verified deployment packages instead of executing arbitrary shell scripts via SSH. Implement code signing for the external repository.

High · Unpinned dependencies enable supply chain attacks

requirements.txt specifies dependencies without version pins (fastapi>=0.100.0, paramiko>=3.3.0, websocket-client>=1.6.0, etc.). This allows attackers to inject malicious code through version upgrades.

requirements.txt:1
Pin all dependencies to specific versions. Use a lock file (poetry.lock, Pipfile.lock) or specify exact versions.

High · External GitHub code pull without integrity verification

deploy_portal.py line 184 clones from 'https://github.com/yananli199307-dev/AgentPortal-p2p-skill.git' with no hash verification, no signed-commit check, and no pinned commit/tag.

scripts/deploy_portal.py:184
Pin to a specific tag/commit hash. Implement GPG verification for git tags.

Medium · Undeclared subprocess shell execution

install.py and auto_install.py call subprocess.run with shell=True and pass commands as single strings. SKILL.md does not explicitly declare the use of subprocess for VPS management.

auto_install.py:82
Use explicit argument lists (shell=False) instead of shell=True. Declare subprocess usage explicitly in the SKILL.md capabilities section.

Medium · Database access not declared in SKILL.md

The skill creates and manages a SQLite database at /opt/agent-p2p/data/portal.db on the VPS, and manages local state files. This is not declared in the SKILL.md capability declaration.

scripts/deploy_portal.py:340
Declare database:WRITE in the skill capabilities metadata.

Medium · SSH key access to ~/.ssh directory not explicitly declared

The skill accesses SSH private keys from ~/.ssh/ for VPS deployment. While SSH is declared, the specific path ~/.ssh/id_rsa (default) is not mentioned.

install.py:105
Explicitly document ~/.ssh key access in the SKILL.md security notes.

Low · Silent dependency installation without user consent

SKILL.md metadata claims 'auto: true' for installation, meaning the skill auto-installs dependencies. While the openclaw metadata warns about this, the user is not prompted per action as claimed.

SKILL.md:10
Ensure each installation action is confirmed by the user as stated in the metadata.

2 more findings are not expanded here

Declared capability vs actual capability

Shell · Pass · Declared WRITE · Inferred WRITE
SKILL.md metadata declares bins: [ssh]; deploy_portal.py uses paramiko SSH

Filesystem · Pass · Declared WRITE · Inferred WRITE
SKILL.md declares file writes to ~/.openclaw/gateway.env; confirmed in install.py line 180, start.py line 95

Network · Pass · Declared READ · Inferred WRITE
bridge.py POSTs to external URL; deploy_portal.py clones from external GitHub

Environment · Pass · Declared READ · Inferred WRITE
skill/bridge.py reads env vars; install.py writes to gateway.env

Skill Invoke · Pass · Declared NONE · Inferred NONE
No skill invocation found

Clipboard · Pass · Declared NONE · Inferred NONE
No clipboard access found

Browser · Pass · Declared NONE · Inferred NONE
No browser access found

Database · Block · Declared NONE · Inferred WRITE
src/main.py and deploy_portal.py create/modify SQLite DB at /opt/agent-p2p/data/portal.db - not declared in SKILL.md

Suspicious artifacts and egress

Medium · External URL · https://agent.example.com · CONFIG.md:73
Medium · External URL · https://your-domain.com · CONFIG.md:87
Medium · External URL · http://127.0.0.1:18789 · CONFIG.md:88
Medium · External URL · http://127.0.0.1:18789/hooks/wake · CONFIG.md:146
Medium · External URL · https://your-domain.com/api/portal/info · DEPLOY.md:277
Medium · External URL · https://your-domain.com/api/contacts · README.md:98
Medium · External URL · https://friend-domain.com · SKILL.md:100
Medium · External URL · https://your-domain.com/static/admin.html · SKILL.md:143
Medium · External URL · https://your-portal.com · client/configure.py:29
Medium · External URL · https://your-domain.com · client.py:12
Medium · External URL · http://127.0.0.1:18789 · install.py:405
Medium · External URL · http://127.0.0.1:8081 · notify_server.py:77

Dependencies and supply chain

Package           Version    Source  Known vuln  Notes
fastapi           >=0.100.0  pip     No          Version not pinned - supply chain risk
uvicorn           >=0.23.0   pip     No          Version not pinned - supply chain risk
paramiko          >=3.3.0    pip     No          Version not pinned - supply chain risk
websocket-client  >=1.6.0    pip     No          Version not pinned - supply chain risk
requests          >=2.31.0   pip     No          Version not pinned - supply chain risk
websockets        >=11.0     pip     No          Version not pinned - supply chain risk
python-jose       >=3.3.0    pip     No          Version not pinned - supply chain risk
python-multipart  >=0.0.6    pip     No          Version not pinned - supply chain risk
psutil            *          pip     No          Version not pinned - supply chain risk
aiohttp           *          pip     No          Version not pinned - used in notify_server.py

File composition

35 files · 7039 lines
Python 17 files · 4434 lines
Markdown 7 files · 1225 lines
HTML 2 files · 1062 lines
Shell 3 files · 277 lines
JSON 4 files · 25 lines
Text 2 files · 16 lines
Files of concern · 6
scripts/deploy_portal.py Python · 591 lines
Hardcoded default password for admin backend · External GitHub code pull without integrity verification · Database access not declared in SKILL.md
install.py Python · 526 lines
SSH key access to ~/.ssh directory not explicitly declared · http://127.0.0.1:18789
client.py Python · 434 lines
https://your-domain.com
auto_install.py Python · 294 lines
Remote code execution through SSH deployment · Undeclared subprocess shell execution
SKILL.md Markdown · 207 lines
Silent dependency installation without user consent · https://friend-domain.com · https://your-domain.com/static/admin.html
setup.sh Shell · 206 lines
https://mirrors.aliyun.com/pypi/simple/ · http://127.0.0.1:18789/health
Other files · admin.html · main.py · index.html · bridge.py · client.py · verification-refactor.md

Security positives

Security notes in CONFIG.md clearly document credential risk levels and recommend dedicated SSH keys
Message approval workflow requires explicit owner consent before adding contacts
WebSocket communication uses SSL context with cert verification on the Bridge side
SKILL.md declares SSH and VPS deployment capabilities in metadata
Code is open source and available for community audit on GitHub
Uses urllib.request instead of subprocess for internal HTTP calls in bridge.py
Credential storage uses Bearer token pattern rather than embedding secrets in URLs