Security Decision Report

agentcop

AgentCop skill performs undeclared network communication to agentcop.live for badge API operations and uses an undeclared auto-install mechanism with loose version pinning.

Install decision priority · Source: manual upload · Scan time: 2026/4/4
Files: 4
IOCs: 2
Overreach items: 4
Findings: 4
Most direct threat evidence

Why this conclusion was reached

1/4 dimensions triggered
Block
Declared vs. actual capabilities

Found 4 capabilities or overreach behaviors beyond what is declared.

Review
Hidden execution and outbound connections

Extracted 2 general-risk artifacts; they need to be judged in context.

Pass
Attack chain and high-risk findings

No clear malicious path was formed.

Pass
Dependencies and supply-chain hygiene

A dependency structure exists, but no obvious high-risk alerts have been seen so far.

How the risk score was raised

Undeclared network communication +15

SKILL.md documents badge commands but does not mention agentcop.live API calls

Undeclared auto-install mechanism +10

skill.py auto-installs agentcop from pip without version pinning; documented in README.md but not in SKILL.md

Loose version constraint +10

agentcop>=0.4,<1 allows any 0.x version, introducing supply chain risk

Undeclared filesystem writes +10

Writes to ~/.openclaw/agentcop/ (events.jsonl, sessions, identity.db) not declared as filesystem:WRITE

Key evidence

Medium · Documentation deception

Undeclared network communication to agentcop.live

Badge subcommands (generate, verify, renew, revoke, status, markdown) contact https://agentcop.live/badge API but this endpoint is not mentioned in SKILL.md. Users are not informed that badge operations involve external network requests.

skill.py:756
Add explicit documentation in SKILL.md stating that badge commands require network access to agentcop.live
Medium · Supply chain

Unpinned dependency with loose version constraint

The auto-install mechanism installs 'agentcop>=0.4,<1' which allows any 0.x version including potentially compromised future releases.

skill.py:52
Pin to a specific version: agentcop==0.4.2
Low · Documentation deception

Auto-install mechanism not documented in SKILL.md

README.md mentions auto-install via pip, but SKILL.md (the primary skill documentation) does not mention this behavior, creating a documentation gap for users reviewing the skill.

SKILL.md:1
Document the pip auto-install behavior in SKILL.md or remove it entirely
Low · Privilege escalation

Implicit filesystem write access not declared

The skill writes state files to ~/.openclaw/agentcop/ (events.jsonl, sessions, identity.db) but does not declare filesystem:WRITE capability.

skill.py:57
Declare filesystem:WRITE in skill metadata

Declared capabilities vs. actual capabilities

Capability            Verdict   Declared   Inferred   Evidence
Filesystem            Block     NONE       WRITE      skill.py:57-66 writes to _STATE_DIR
Network access        Block     NONE       WRITE      skill.py:756-773 POSTs to agentcop.live/badge API
Command execution     Block     NONE       WRITE      skill.py:50-54 pip install via subprocess
Environment variables Block     NONE       READ       skill.py:60 reads OPENCLAW_AGENT_ID, AGENTCOP_BADGE_API, AGENTCOP_STATE_DIR

Suspicious artifacts and outbound connections

Medium · External URL
https://agentcop.live

README.md:78

Medium · External URL
https://agentcop.live/badge

skill.py:754

Dependencies and supply chain

Package    Version    Source   Vulnerability   Notes
agentcop   >=0.4,<1   pip                      Loose version constraint allows any 0.x version - supply chain risk

File composition

4 files · 1125 lines
Python: 1 file · 899 lines
Markdown: 2 files · 203 lines
JSON: 1 file · 23 lines

Files needing attention · 3
skill.py (Python · 899 lines)
Undeclared network communication to agentcop.live · Unpinned dependency with loose version constraint · Implicit filesystem write access not declared · https://agentcop.live/badge
SKILL.md (Markdown · 118 lines)
Auto-install mechanism not documented in SKILL.md
README.md (Markdown · 85 lines)
https://agentcop.live
Other files · package.json

Security highlights

Credential detection patterns are used only for security scanning (LLM06), not exfiltration
Base64 decoding includes safety checks (minimum 8 printable chars)
README.md documents auto-install behavior
SKILL.md provides comprehensive documentation of OWASP LLM Top 10 detection capabilities
No evidence of actual credential theft or data exfiltration beyond declared security scanning
Package.json includes proper metadata, authors, and license information
Exit codes are properly documented