Security Decision Report

agent-p2p

The Agent P2P skill contains hardcoded credentials, insecure remote deployment patterns, and supply chain risk through unpinned dependencies and unverified code retrieval from an external GitHub repository.

Installation decision: priority · Source: manual upload · Scan time: 2026/4/3
Files: 35
IOCs: 18
Overreach items: 1
Findings: 10
Most direct threat evidence
01 User installs skill and provides SSH credentials for VPS deployment (delivery · install.py)
02 Skill clones code from external GitHub without integrity verification (delivery · scripts/deploy_portal.py)
03 Unpinned dependencies allow supply chain injection via version upgrade (privilege escalation · requirements.txt)

Why this conclusion was reached

2 of 4 dimensions triggered

Block
Declared vs. actual capabilities

1 capability beyond those declared, or overreaching behaviour, was found.

Review
Hidden execution and outbound connections

18 general-risk artifacts were extracted; they need context to judge.

Block
Attack chain and high-risk findings

The report contains a 5-step attack chain, plus 4 further high or critical findings.

Review
Dependency and supply chain hygiene

10 dependency or supply chain leads need attention.

Attack chain

01 User installs skill and provides SSH credentials for VPS deployment
   delivery · install.py:105

02 Skill clones code from external GitHub without integrity verification
   delivery · scripts/deploy_portal.py:184

03 Unpinned dependencies allow supply chain injection via version upgrade
   privilege escalation · requirements.txt:1

04 SSH executes arbitrary shell scripts on remote VPS with root privileges
   privilege escalation · auto_install.py:82

05 Hardcoded admin password 'AgentP2P2024' creates backdoor if not changed
   final impact · scripts/deploy_portal.py:262

How the risk score was driven up

Hardcoded credential in deployment script +25

deploy_portal.py line 262 hardcodes htpasswd admin password 'AgentP2P2024' for Nginx admin protection

Remote code execution through SSH deployment +20

auto_install.py and deploy_portal.py SSH into VPS and execute arbitrary shell scripts, cloning from external GitHub

Supply chain risk - unpinned dependencies +15

requirements.txt uses unpinned versions (e.g., 'fastapi>=0.100.0', 'paramiko>=3.3.0') enabling dependency hijacking

Undeclared shell execution via subprocess +15

subprocess.Popen/run used throughout (install.py, auto_install.py, start.py) - only partially declared in SKILL.md

External GitHub repository pull +10

Deploy scripts clone from https://github.com/yananli199307-dev/AgentPortal-p2p-skill with no integrity verification

Subprocess with shell=True +5

auto_install.py uses shell=True in subprocess.run calls, enabling shell injection

Key evidence

High

Hardcoded default password for admin backend

The deploy_portal.py script creates an Nginx htpasswd file with hardcoded credentials: username 'admin', password 'AgentP2P2024'. While this is for the admin backend on a self-hosted VPS, it creates a backdoor if the user doesn't change the password.

scripts/deploy_portal.py:262
Generate a random password or require user input for the admin password. Never hardcode credentials.
High

Remote code execution through SSH deployment

auto_install.py and deploy_portal.py use paramiko to SSH into user-provided VPS and execute arbitrary shell scripts. The scripts clone code from an external GitHub repository. This creates significant risk if the VPS credentials or the GitHub repo are compromised.

auto_install.py:82
Use pre-built images or verified deployment packages instead of executing arbitrary shell scripts via SSH. Implement code signing for the external repository.
High

Unpinned dependencies enable supply chain attacks

requirements.txt specifies dependencies without version pins (fastapi>=0.100.0, paramiko>=3.3.0, websocket-client>=1.6.0, etc.). This allows attackers to inject malicious code through version upgrades.

requirements.txt:1
Pin all dependencies to specific versions. Use a lock file (poetry.lock, Pipfile.lock) or specify exact versions.
High

External GitHub code pull without integrity verification

deploy_portal.py line 184 clones from 'https://github.com/yananli199307-dev/AgentPortal-p2p-skill.git' with no hash verification, no signed commits check, and no pinned commit/tag.

scripts/deploy_portal.py:184
Pin to a specific tag/commit hash. Implement GPG verification for git tags.
Medium

Undeclared subprocess shell execution

install.py and auto_install.py call subprocess.run with shell=True and string-form commands. SKILL.md does not explicitly declare the use of subprocess for VPS management.

auto_install.py:82
Use explicit argument lists (shell=False) instead of shell=True. Declare subprocess usage explicitly in SKILL.md capabilities section.
Medium

Database access not declared in SKILL.md

The skill creates and manages a SQLite database at /opt/agent-p2p/data/portal.db on the VPS, and manages local state files. This is not declared in the SKILL.md capability declaration.

scripts/deploy_portal.py:340
Declare database:WRITE in the skill capabilities metadata.
Medium

SSH key access to ~/.ssh directory not explicitly declared

The skill accesses SSH private keys from ~/.ssh/ for VPS deployment. While SSH is declared, the specific path ~/.ssh/id_rsa (default) is not mentioned.

install.py:105
Explicitly document ~/.ssh key access in SKILL.md security notes.
Low

Silent dependency installation without user consent

SKILL.md metadata claims 'auto: true' for installation, meaning the skill auto-installs dependencies. While the openclaw metadata warns about this, the user is not prompted per-action as claimed.

SKILL.md:10
Ensure each installation action is confirmed by the user as stated in the metadata.

2 more findings are not expanded here.

Declared vs. actual capabilities

Capability             Status   Declared   Inferred   Evidence
Command execution      Pass     WRITE      WRITE      SKILL.md metadata declares bins: [ssh]; deploy_portal.py uses paramiko SSH
Filesystem             Pass     WRITE      WRITE      SKILL.md declares file writes to ~/.openclaw/gateway.env; confirmed in install.py line 180, start.py line 95
Network access         Pass     READ       WRITE      bridge.py POSTs to external URL; deploy_portal.py clones from external GitHub
Environment variables  Pass     READ       WRITE      skill/bridge.py reads env vars; install.py writes to gateway.env
Skill invocation       Pass     NONE       NONE       No skill invocation found
Clipboard              Pass     NONE       NONE       No clipboard access found
Browser                Pass     NONE       NONE       No browser access found
Database               Block    NONE       WRITE      src/main.py and deploy_portal.py create/modify SQLite DB at /opt/agent-p2p/data/portal.db - not declared in SKILL.md

Suspicious artifacts and outbound connections

Severity   Type           Artifact                                        Location
Medium     External URL   https://agent.example.com                       CONFIG.md:73
Medium     External URL   https://your-domain.com                         CONFIG.md:87
Medium     External URL   http://127.0.0.1:18789                          CONFIG.md:88
Medium     External URL   http://127.0.0.1:18789/hooks/wake               CONFIG.md:146
Medium     External URL   https://your-domain.com/api/portal/info         DEPLOY.md:277
Medium     External URL   https://your-domain.com/api/contacts            README.md:98
Medium     External URL   https://friend-domain.com                       SKILL.md:100
Medium     External URL   https://your-domain.com/static/admin.html       SKILL.md:143
Medium     External URL   https://your-portal.com                         client/configure.py:29
Medium     External URL   https://your-domain.com)                        client.py:12
Medium     External URL   http://127.0.0.1:18789\n                        install.py:405
Medium     External URL   http://127.0.0.1:8081                           notify_server.py:77

Dependencies and supply chain

Package            Version     Source   Vulnerabilities   Notes
fastapi            >=0.100.0   pip                        Version not pinned - supply chain risk
uvicorn            >=0.23.0    pip                        Version not pinned - supply chain risk
paramiko           >=3.3.0     pip                        Version not pinned - supply chain risk
websocket-client   >=1.6.0     pip                        Version not pinned - supply chain risk
requests           >=2.31.0    pip                        Version not pinned - supply chain risk
websockets         >=11.0      pip                        Version not pinned - supply chain risk
python-jose        >=3.3.0     pip                        Version not pinned - supply chain risk
python-multipart   >=0.0.6     pip                        Version not pinned - supply chain risk
psutil             *           pip                        Version not pinned - supply chain risk
aiohttp            *           pip                        Version not pinned - used in notify_server.py

File composition

35 files · 7039 lines
Python 17 files · 4434 lines
Markdown 7 files · 1225 lines
HTML 2 files · 1062 lines
Shell 3 files · 277 lines
JSON 4 files · 25 lines
Text 2 files · 16 lines

Files needing attention · 6
scripts/deploy_portal.py (Python · 591 lines)
  Hardcoded default password for admin backend · External GitHub code pull without integrity verification · Database access not declared in SKILL.md
install.py (Python · 526 lines)
  SSH key access to ~/.ssh directory not explicitly declared · http://127.0.0.1:18789\n
client.py (Python · 434 lines)
  https://your-domain.com)
auto_install.py (Python · 294 lines)
  Remote code execution through SSH deployment · Undeclared subprocess shell execution
SKILL.md (Markdown · 207 lines)
  Silent dependency installation without user consent · https://friend-domain.com · https://your-domain.com/static/admin.html
setup.sh (Shell · 206 lines)
  https://mirrors.aliyun.com/pypi/simple/ · http://127.0.0.1:18789/health
Other files · admin.html · main.py · index.html · bridge.py · client.py · verification-refactor.md

Security highlights

Security notes in CONFIG.md clearly document credential risk levels and recommend dedicated SSH keys
Message approval workflow requires explicit owner consent before adding contacts
WebSocket communication uses SSL context with cert verification on the Bridge side
SKILL.md declares SSH and VPS deployment capabilities in metadata
Code is open source and available for community audit on GitHub
Uses urllib.request instead of subprocess for internal HTTP calls in bridge.py
Credential storage uses Bearer token pattern rather than embedding secrets in URLs