Security Decision Report

rewrite_question

Skill claims to only rewrite queries but secretly connects to an external IP (47.77.199.56), embeds a default admin JWT credential, queries a Milvus database, and executes Python subprocesses — all undeclared.

Install decision priority · Source: manual upload · Scan time: 2026/4/4
Files: 3
IOCs: 2
Over-privilege items: 3
Findings: 7
Most direct threat evidence
High · Documentation deception
Network capability declared as NONE but actual traffic exists

SKILL.md declares 'network: NONE' yet rewrite_question.py:472 makes HTTP POST requests to an externally hosted Gemini API at the hardcoded IP 47.77.199.56. The skill description says it only 'rephrases questions' with no mention of LLM API calls or external network communication.

rewrite_question.py:472

Why this conclusion was reached

3/4 dimensions triggered
Block
Declared vs. actual capabilities

Found 3 capabilities or over-privileged behaviors beyond what is declared.

Block
Hidden execution and outbound connections

Extracted 1 high-risk IOC or outbound-connection signal.

Block
Attack chain and high-risk findings

The report contains a 0-step attack chain, plus 3 high or critical findings.

Pass
Dependency and supply-chain hygiene

A dependency structure exists, but no obvious high-risk alerts were seen.

How the risk score was raised

Hardcoded external IP address +10

47.77.199.56 hardcoded as Gemini API endpoint — no DNS, points to Chinese infrastructure (line 559)

Embedded JWT credential +8

Default admin JWT token (BI-eyJ...Ij8pY) with userId:'admin' and exp 2027-03-13 embedded in code (lines 562-570)

Undeclared network access +10

SKILL.md declares network:NONE but code makes HTTP POST to 47.77.199.56 via httpx

Undeclared database access +8

Connects to Milvus (pymilvus) to fetch QA pairs — not declared in SKILL.md

Undeclared shell/code execution +5

index.js uses child_process.spawn to execute Python; SKILL.md declares no shell access

Hidden QA-bypass functionality +4

Silent SQL output via QA pair matching (Path A) — not mentioned in skill description

Key evidence

High · Documentation deception

Network capability declared as NONE but actual traffic exists

SKILL.md declares 'network: NONE' yet rewrite_question.py:472 makes HTTP POST requests to an externally hosted Gemini API at the hardcoded IP 47.77.199.56. The skill description says it only 'rephrases questions' with no mention of LLM API calls or external network communication.

rewrite_question.py:472
Update SKILL.md to declare network:READ for LLM API calls. Consider documenting the external service endpoint.
High · Credential theft

Default JWT token embedded in source code

A default JWT token (BI-eyJ...Ij8pY) is hardcoded in _get_gemini_config() containing userId:'admin' and an expiration of March 2027. While this may be an internal service token, embedding credentials in source code is a security risk and could leak in logs or version control.

rewrite_question.py:562
Remove the embedded JWT from source code. Require GEMINI_TOKEN to be set via environment or .env file only.
High · Data exfiltration

Hardcoded external IP address for all LLM communication

The Gemini API endpoint defaults to a raw IP address (47.77.199.56) rather than a DNS hostname. This IP is in Chinese address space (47.77.x.x). The base URL is not configurable via SKILL.md or documented, and all queries — potentially including user data and conversation context — are sent to this address.

rewrite_question.py:559
Use a DNS-resolvable hostname instead of a raw IP. Declare the network endpoint in SKILL.md. Consider whether data sent to this external service is within compliance.
Medium · Privilege escalation

Undeclared Milvus database access

The skill connects to a Milvus vector database (rewrite_question.py:584-596) to fetch QA pairs. The connection supports user/password authentication. SKILL.md declares database:NONE and no mention of database access anywhere in the documentation.

rewrite_question.py:584
Declare database:READ access in SKILL.md if Milvus access is intentional. Document which Milvus collection is queried and what data is retrieved.
Medium · Code execution

Undeclared Python subprocess execution via Node.js wrapper

index.js uses child_process.spawn to execute Python code inline, passing the skill directory and JSON payload as arguments. This is shell/code execution that is not declared in SKILL.md (shell:NONE).

index.js:62
Document the shell:WRITE capability if subprocess execution is intentional, or refactor to use a different IPC mechanism.
Medium · Documentation deception

Hidden SQL bypass via QA pair matching not documented

Path A (rewrite_question.py:227-237) silently outputs SQL when a user query matches a QA pair in Milvus — bypassing the normal rewriting flow entirely. The rewritten query is unchanged, but matched_sql contains a full SQL statement. This 'shortcut' behavior is not described in SKILL.md.

rewrite_question.py:227
Document the QA pair matching behavior in SKILL.md, including that SQL can be directly output.
Low · Supply chain

No dependency pinning — uses httpx, pymilvus, python-dotenv without versions

No requirements.txt, pyproject.toml, or package.json exists. The code imports httpx, pymilvus, python-dotenv with no version constraints, making it vulnerable to dependency confusion or supply chain attacks.

rewrite_question.py:1
Create a requirements.txt or pyproject.toml with pinned versions for all dependencies.

Declared capabilities vs. actual capabilities

File system · Pass
Declared: NONE
Inferred: WRITE
index.js:61 — writes JSON output to file via Python subprocess
Network access · Block
Declared: NONE
Inferred: WRITE
rewrite_question.py:472 — httpx.Client POST to http://47.77.199.56; SKILL.md:network:NONE
Command execution · Block
Declared: NONE
Inferred: WRITE
index.js:62 — spawn(PYTHON_BIN, ['-c', script, skillDir])
Environment variables · Pass
Declared: NONE
Inferred: READ
rewrite_question.py:556 — os.getenv for GEMINI_API_KEY, MILVUS_HOST, MILVUS_PASSWORD
Skill invocation · Pass
Declared: NONE
Inferred: NONE
No cross-skill invocation found
Clipboard · Pass
Declared: NONE
Inferred: NONE
No clipboard access
Browser · Pass
Declared: NONE
Inferred: NONE
No browser access
Database · Block
Declared: NONE
Inferred: WRITE
rewrite_question.py:584-596 — PyMilvusClient query() reads from Milvus; supports user/password auth

Suspicious artifacts and outbound connections

High · IP address
47.77.199.56

rewrite_question.py:559

Medium · External URL
http://47.77.199.56/api/v1beta

rewrite_question.py:559

Dependencies and supply chain

Package        Version    Source   Vulnerabilities  Notes
httpx          unpinned   import   -                No requirements.txt or pyproject.toml; httpx version uncontrolled
pymilvus       unpinned   import   -                Used for Milvus DB access; optional import with try/except
python-dotenv  unpinned   import   -                Used for .env loading; optional import with try/except
asyncio        built-in   stdlib   -                Standard library, no risk

File composition

3 files · 943 lines
Python · 1 file · 769 lines
JavaScript · 1 file · 128 lines
Markdown · 1 file · 46 lines
Files needing attention · 2
rewrite_question.py · Python · 769 lines
Network capability declared as NONE but actual traffic exists · Default JWT token embedded in source code · Hardcoded external IP address for all LLM communication · Undeclared Milvus database access · Hidden SQL bypass via QA pair matching not documented · No dependency pinning — uses httpx, pymilvus, python-dotenv without versions · 47.77.199.56 · http://47.77.199.56/api/v1beta
index.js · JavaScript · 128 lines
Undeclared Python subprocess execution via Node.js wrapper
Other files · SKILL.md

Security highlights

No base64-encoded payloads piped to shell
No direct credential exfiltration code (credentials sent to intended Gemini API endpoint, not third-party)
No reverse shell, C2, or ransomware patterns found
No cron/scheduled task or persistence mechanisms
No prompt injection instructions in comments
No ~/.ssh, ~/.aws, or .env file reading beyond standard dotenv loading