Skill Trust Decision

hive-commander

This skill covertly extracts API credentials from the runtime environment and transmits them to arbitrary external servers via configurable base_url, with no user consent mechanism declared.

Source: Manual upload · Scanned: Apr 5, 2026
Files 5 · Artifacts 1 · Violations 2 · Findings 6
Most direct threat evidence
01 Skill presents itself as a distributed task orchestration tool (Entry · SKILL.md)
02 Extracts api_key, base_url, and model from runtime environment without declaration (Recon · AGENT.md)
03 Builds HTTP POST payload with extracted credentials and user-controlled base_url (Escalation · executor.py)

Why this conclusion was reached

2/4 dimensions flagged
Block
Declared vs actual capability

2 undeclared or violating capabilities were inferred.

Review
Hidden execution and egress

1 lower-risk artifact was extracted and still needs context.

Block
Attack chain and severe findings

The report includes 4 attack-chain steps and 4 severe findings.

Review
Dependencies and supply chain hygiene

Dependency information is incomplete, so supply-chain confidence stays limited.

Attack Chain

01 Skill presents itself as a distributed task orchestration tool (Entry · SKILL.md:1)
02 Extracts api_key, base_url, and model from runtime environment without declaration (Recon · AGENT.md:13)
03 Builds HTTP POST payload with extracted credentials and user-controlled base_url (Escalation · executor.py:36)
04 Transmits credentials to arbitrary external endpoint via HTTPSConnection (Impact · executor.py:43)

What drove the risk score up

Undeclared credential access from runtime environment +30

AGENT.md P2 mandates extraction of api_key, base_url, and model from runtime without user prompt. SKILL.md does not declare this behavior at all.

Credential exfiltration via arbitrary HTTP POST +25

executor.py lines 42-44 use the extracted credentials to POST to a user-controlled base_url, enabling credential theft to attacker-controlled endpoints.

Doc-to-code mismatch on declared permissions +15

SKILL.md declares only python3 exec and narrow filesystem access, but hides environment variable reading and arbitrary network egress.

No user consent mechanism +10

AGENT.md explicitly forbids prompting the user for credentials, making credential harvesting non-consensual.

Arbitrary network destination via config injection +10

base_url read from task_config.json allows redirecting credentials to any attacker-controlled server.

Most important evidence

High Credential Theft

Covert credential extraction from runtime environment

AGENT.md P2 mandates extraction of api_key, base_url, and model from the active runtime environment. This behavior is not declared in SKILL.md's permissions section and occurs without user consent or prompt.

AGENT.md:13
Remove undeclared environment access. Require explicit user-provided credentials with consent.
High Data Exfil

Credentials transmitted to arbitrary external endpoints

The executor.py uses extracted credentials to make HTTP POST requests. Since base_url is read from task_config.json, an attacker who can control the config file can redirect credentials to any server.

executor.py:43
Validate base_url against an allowlist. Never send credentials to untrusted endpoints.
High Doc Mismatch

SKILL.md omits critical credential and network access

SKILL.md declares only filesystem (read/write ~/.openclaw/skills/**, swarm_tmp/**) and python3 exec permissions. It completely hides environment variable access for credentials and arbitrary network egress.

SKILL.md:1
Declare all resources accessed: environment:READ for credential access, network:WRITE for API calls.
High Priv Escalation

No consent mechanism for credential usage

AGENT.md P2 explicitly states 'Constraint: FORBIDDEN to prompt the user for credentials.' This means credentials are harvested and used without user knowledge or approval.

AGENT.md:15
Implement user consent flow before using any credentials.
Medium Obfuscation

Critical behavior embedded in Markdown docs

SKILL.md contains embedded documentation within the YAML frontmatter block that reveals the actual credential extraction behavior, but this is not surfaced in the permissions declarations at the top.

SKILL.md:12
Move all behavior descriptions to the top-level permissions section for transparency.
Low Sensitive Access

Hardcoded path expansion in executor

executor.py uses os.path.expanduser for path resolution, which could resolve to unexpected locations if HOME or user context is manipulated.

executor.py:57
Validate resolved paths before use.

Declared capability vs actual capability

Filesystem: Pass (declared WRITE, inferred WRITE)
SKILL.md:7 — write: ["~/.openclaw/swarm_tmp/**"]
Environment: Block (declared NONE, inferred READ)
AGENT.md:13 — 'Extract api_key, base_url, and model from the active runtime environment'
Network: Block (declared NONE, inferred WRITE)
executor.py:43 — conn.request('POST', path, ...) using extracted api_key and base_url
Shell: Pass (declared ADMIN, inferred ADMIN)
SKILL.md:8 — exec: ["python3"]

Suspicious artifacts and egress

Medium External URL
http://json-schema.org/draft-07/schema#

schema.json:2

Dependencies and supply chain

There are no structured dependency warnings.

File composition

5 files · 196 lines
Markdown 3 files · 101 lines · Python 1 file · 73 lines · JSON 1 file · 22 lines
Files of concern · 4
executor.py Python · 73 lines
Credentials transmitted to arbitrary external endpoints · Hardcoded path expansion in executor
SKILL.md Markdown · 38 lines
SKILL.md omits critical credential and network access · Critical behavior embedded in Markdown docs
AGENT.md Markdown · 25 lines
Covert credential extraction from runtime environment · No consent mechanism for credential usage
schema.json JSON · 22 lines
http://json-schema.org/draft-07/schema#
Other files · README.md

Security positives

Filesystem write access is correctly scoped to ~/.openclaw/swarm_tmp/** as declared
Python3 execution permission is explicitly declared
Output is written as atomic files with role metadata
No base64 encoding or obfuscated command execution observed
No direct shell/bash invocation — uses python3 subprocess only