安全决策报告
aibtc
The skill downloads and executes untrusted remote npm code via npx with no version pinning or hash verification, while the SKILL.md downplays VirusTotal flags as false positives rather than genuine warnings.
最直接的威胁证据
01
User installs skill via SKILL.md instructions (npx clawhub install aibtc) 初始入口 · SKILL.md
02
User runs 'aibtc run <BSC address>' which triggers handler.js 权限提升 · handler.js
03
handler.js spawns 'npx --yes aibtc-worker <address>' which downloads and executes arbitrary remote npm package code 权限提升 · handler.js
为什么得出这个结论
2/4 个维度触发 阻止
声明与实际能力
发现 3 项声明之外的能力或越权行为。
复核
隐藏执行与外联
提取到 4 个一般风险产物,需要结合上下文判断。
阻止
攻击链与高危发现
报告包含 4 步攻击链,另有 2 项高危或严重发现。
通过
依赖与供应链卫生
依赖结构存在,但暂未看到明显高危告警。
攻击链
01
User installs skill via SKILL.md instructions (npx clawhub install aibtc)
初始入口 · SKILL.md:24
02
User runs 'aibtc run <BSC address>' which triggers handler.js
权限提升 · handler.js:14
03
handler.js spawns 'npx --yes aibtc-worker <address>' which downloads and executes arbitrary remote npm package code
权限提升 · handler.js:33
04
Malicious npm package maintainer (or typosquatter) replaces 'aibtc-worker' with code that harvests BSC private keys, wallet credentials, or exfiltrates system data
最终危害 · N/A
风险分是怎么被拉高的
Remote code execution via unpinned npx +35
handler.js spawns 'npx --yes aibtc-worker' with no version pin, no hash verification, and no lockfile — executes arbitrary remote code from npm registry
Undeclared shell execution +15
Uses spawn() and execSync() for shell operations; shell:WRITE capability not declared in capability model mapping
Security warning dismissal +10
SKILL.md explicitly dismisses VirusTotal flags as false positives, which is a known social engineering technique used by malware authors
State file persistence +8
Writes worker state to aibtc-worker.json in current directory, allowing process tracking across invocations
最关键的证据
高危 供应链
Unpinned Remote Code Execution via npx
handler.js spawns 'npx --yes aibtc-worker' with no version pin, tag, or hash. This downloads and executes arbitrary code from the npm registry, which can be updated at any time to inject malicious code.
handler.js:33 Remove this skill immediately. Remote code execution via unpinned npm packages is a critical supply chain risk. If a mining tool is truly needed, download and audit the binary/source code with pinned hash verification.
高危 文档欺骗
SKILL.md Disclaims Security Warnings Instead of Addressing Them
The disclaimer section explicitly tells users that VirusTotal flags are false positives due to npx behavior. This is a known social engineering pattern where malware authors preemptively warn against security tools to reduce scrutiny.
SKILL.md:41 Legitimate open-source projects do not include pre-emptive VirusTotal disclaimers in skill documentation. This pattern is used to discourage users from investigating security concerns.
中危 敏感访问
Undeclared Shell Execution via execSync
handler.js uses execSync to run 'ps aux | grep aibtc-worker' to detect running processes. This shell execution is not declared in SKILL.md's capability section and requires shell:WRITE access.
handler.js:65 Declare shell execution capabilities in SKILL.md and document why process detection requires grep rather than using Node.js process management APIs.
中危 供应链
No Dependency Pinning or Hash Verification
The skill relies on 'aibtc-worker' from npm with no version, tag, or commit hash specified. The package can be updated, replaced with typosquatted variants, or compromised at any time.
handler.js:33 If the package must be used, pin to a specific version (e.g., [email protected]) and verify the package integrity with npm audit and checksums.
声明能力 vs 实际能力
命令执行 阻止
声明 NONE
→ 推断 WRITE
handler.js:33 spawn() executes npx commands; handler.js:65 execSync() runs ps/grep 文件系统 阻止
声明 NONE
→ 推断 WRITE
handler.js:40 writeFileSync(); handler.js:52 readFileSync(); handler.js:59 unlinkSync() 网络访问 阻止
声明 NONE
→ 推断 READ
npx --yes aibtc-worker fetches and executes remote npm package 可疑产物与外联
中危 外部 URL
https://aibtc.work SKILL.md:17
中危 外部 URL
https://x.com/aibtc_ SKILL.md:18
中危 外部 URL
https://t.me/aibtcchat SKILL.md:19
中危 外部 URL
https://t.me/aibtc_ann SKILL.md:20
依赖与供应链
| 包名 | 版本 | 来源 | 漏洞 | 备注 |
|---|---|---|---|---|
| aibtc-worker | unpinned (latest) | npm | 否 | No version, tag, or hash specified. Package fetched and executed blindly. |
文件构成
3 个文件 · 193 行
JavaScript 1 个文件 · 97 行Markdown 1 个文件 · 89 行JSON 1 个文件 · 7 行
需关注文件 · 2
SKILL.md SKILL.md Disclaims Security Warnings Instead of Addressing Them · https://aibtc.work · https://x.com/aibtc_ · https://t.me/aibtcchat · https://t.me/aibtc_ann
handler.js Unpinned Remote Code Execution via npx · Undeclared Shell Execution via execSync · No Dependency Pinning or Hash Verification
其他文件 · _meta.json
安全亮点
Source code is claimed to be open-source at github.com/aibtcwork/AIBTC-worker, allowing independent audit (though the remote npm execution negates this trust signal)
No obvious credential harvesting code visible in handler.js
State file operations are scoped to a local JSON file