Security Decision Report

monid

The skill instructs users to execute a remote script via curl|bash (a critical high-risk pattern); that script could be replaced with a malicious version at any time. It also generates and stores API keys locally without declaring its credential-handling behavior.

Installation decision first · Source: manual upload · Scan time: 2026/4/4
Files: 2
IOCs: 2
Privilege-overreach items: 0
Findings: 7
Most direct threat evidence
Critical · Code execution
Remote script execution via curl|bash from mutable branch

The skill instructs users to run 'curl -fsSL https://raw.githubusercontent.com/FeiyouG/monid-client/main/install.sh | bash' in at least 7 locations (lines 26, 31, 61, 75, 83, 98, 126, 137, 160, 163, 184, 201). The 'main' branch of a GitHub repo is mutable — a repo compromise or man-in-the-middle attack can silently replace the script with arbitrary malicious code that executes with the user's full privileges.

SKILL.md:26

Why this conclusion was reached

2 of 4 dimensions triggered
Pass
Declared vs. actual capabilities

Declared resources and inferred capabilities are broadly consistent.

Block
Hidden execution and outbound connections

1 high-risk IOC or outbound-connection signal extracted.

Block
Attack chain and high-risk findings

The report contains a 5-step attack chain, plus 5 high-risk or critical findings.

Pass
Dependencies and supply-chain hygiene

A dependency structure exists, but no obvious high-risk alerts have been seen so far.

Attack chain

01
User invokes the skill and is prompted to install via curl|bash

Initial entry · SKILL.md:26

02
Malicious actor compromises GitHub repo 'FeiyouG/monid-client' or performs MitM to serve a trojaned install.sh from the mutable 'main' branch

Delivery · SKILL.md:26

03
install.sh executes with user privileges, installing arbitrary binaries to ~/.local/bin/monid and potentially adding persistence hooks

Code execution · SKILL.md:26

04
User runs 'monid auth login' and 'monid keys generate' — the monid binary (supplied by the malicious install) could harvest OAuth tokens, Ed25519 private keys, and store them for exfiltration

Credential access · SKILL.md:47

05
API keys, OAuth tokens, and scraped data are exfiltrated to the attacker-controlled backend (monid-cli infrastructure)

Final impact · SKILL.md:47

How the risk score was driven up

curl|bash remote script execution from mutable branch +40

SKILL.md:26,31,multiple — downloads and executes script from github.com/FeiyouG/monid-client/main/install.sh. The 'main' branch is mutable; an attacker who compromises the repo can serve malicious code to all future users.

No allowed-tools / _meta.json declared +10

The skill declares no allowed tools. Capability model (filesystem, network, shell, etc.) is not declared, making it impossible to audit resource access.

Undeclared credential generation and local storage +12

SKILL.md instructs users to generate Ed25519 API keys via 'monid keys generate', which stores them at ~/.monid/keys/. This sensitive_access and credential_theft behavior is not declared anywhere.

Key evidence

Critical · Code execution

Remote script execution via curl|bash from mutable branch

SKILL.md:26
Replace with pinned binary downloads from a tagged release, or provide SHA256 checksums. Never pipe remote content directly into bash.
Critical · Privilege escalation

No allowed-tools declaration in _meta.json

The skill has no _meta.json file and does not declare any allowed tools through the capability model. The capability model (filesystem, network, shell, environment, skill_invoke, clipboard, browser, database × NONE/READ/WRITE/ADMIN) is entirely undeclared, making it impossible to audit what resources this skill actually accesses when invoked.

SKILL.md:1
Add a _meta.json with explicit allowed-tools declarations. Map Bash→shell:WRITE, Read→filesystem:READ, Write→filesystem:WRITE, WebFetch→network:READ as appropriate.
High · Credential theft

Undeclared credential generation and local key storage

The skill instructs users to generate API keys via 'monid keys generate --label main', which stores encrypted Ed25519 key pairs locally at ~/.monid/keys/. While these are local keys, the behavior is not declared in any security documentation, and the key generation mechanism runs inside a third-party CLI whose code is never reviewed.

SKILL.md:47
Declare credential generation as a capability. Consider using environment variables or secrets management instead of local file storage for API keys.
High · Documentation deception

Skill name 'monid' has no verifiable public presence

The skill claims to be an 'agentic payment platform CLI', but the brand 'Monid' / 'monid' has no verifiable public footprint outside this skill. The GitHub repo FeiyouG/monid-client is a single-person repo with no stars and no clear commercial entity behind it. A legitimate commercial scraping service would have verifiable documentation, company registration, and stable distribution channels.

SKILL.md:1
Verify the vendor identity independently. Request documentation of the corporate entity, privacy policy, and data handling practices before using this skill.
High · Supply chain

Installation from mutable 'main' branch with no integrity check

The install.sh script is fetched from the 'main' branch with no GPG signature, no pinned commit hash, and no SHA256 verification. Even if the repo is legitimate today, it can be updated with malicious code at any time. The install script also runs with user-level privileges and could install persistence mechanisms.

SKILL.md:26
Download binaries from a specific tagged release (e.g., /releases/download/v1.0.0/monid-linux-x64). Provide SHA256 checksums in the documentation. Add version pinning.
Medium · Sensitive access

OAuth authentication stores credentials to ~/.monid/

The OAuth login flow saves workspace information to ~/.monid/config.yaml. This file may contain OAuth tokens or session data. Accessing or storing credentials in the user's home directory is sensitive behavior that should be declared.

SKILL.md:38
Declare that the skill accesses the ~/.monid/ directory. Use a permission-gated secrets store instead of plaintext config files in the home directory.
Medium · Code obfuscation

Heavy bundling of documentation to reduce transparency

The references/capabilities.md file (1009 lines) is a reference table that could have been inline in SKILL.md. Separating it makes it harder to audit the full scope of the skill in one pass. This pattern can be used to hide additional instructions from quick reviewers.

references/capabilities.md:1
Keep all skill documentation in a single SKILL.md file. Any additional reference data should be clearly linked and audited together.

Declared vs. actual capabilities

Command execution · Pass
Declared: NONE
Inferred: WRITE
SKILL.md:26 — curl -fsSL https://... | bash
Network access · Pass
Declared: NONE
Inferred: READ
SKILL.md:26,31 — raw script download from github.com
Filesystem · Pass
Declared: NONE
Inferred: WRITE
SKILL.md:38 — stores config to ~/.monid/config.yaml; SKILL.md:47 — stores keys to ~/.monid/keys/
Skill invocation · Pass
Declared: NONE
Inferred: NONE
No _meta.json; invocation model not declared

Suspicious artifacts and outbound connections

Critical · Dangerous command
curl -fsSL https://raw.githubusercontent.com/FeiyouG/monid-client/main/install.sh | bash

SKILL.md:26

Medium · External URL
https://amazon.com/dp/B0123456

SKILL.md:471

Dependencies and supply chain

Package: FeiyouG/monid-client
Version: main (mutable)
Source: github raw script
Vulnerability / Notes: CRITICAL: Installs via curl|bash from mutable branch with no integrity verification. The binary is a closed-source third-party tool whose code cannot be audited.

File composition

2 files · 1114 lines
Markdown: 2 files · 1114 lines
Files requiring attention · 2
SKILL.md Markdown · 724 lines
Remote script execution via curl|bash from mutable branch · No allowed-tools declaration in _meta.json · Undeclared credential generation and local key storage · Skill name 'monid' has no verifiable public presence · Installation from mutable 'main' branch with no integrity check · OAuth authentication stores credentials to ~/.monid/ · curl -fsSL https://raw.githubusercontent.com/FeiyouG/monid-client/main/install.sh | bash · https://amazon.com/dp/B0123456
references/capabilities.md Markdown · 390 lines
Heavy bundling of documentation to reduce transparency

Security highlights

The skill describes what platforms it can scrape (X, Instagram, TikTok, LinkedIn, YouTube, Facebook, Amazon, Google) — scope is relatively clear
The skill includes pricing estimates for each capability, showing cost transparency
The skill includes a 'What Monid CANNOT Do' section with constraints
No direct code execution, obfuscation, or exfiltration loops found in the documentation itself
Uses OAuth for authentication rather than password-based login