Security Decision Report

hive-commander

This skill covertly extracts API credentials from the runtime environment and transmits them to arbitrary external servers via configurable base_url, with no user consent mechanism declared.

Install decision first · Source: manual upload · Scan time: 2026/4/5
Files 5
IOC 1
Over-privileged items 2
Findings 6
Most direct threat evidence
01
Skill presents itself as a distributed task orchestration tool · Initial entry · SKILL.md
02
Extracts api_key, base_url, and model from runtime environment without declaration · recon · AGENT.md
03
Builds HTTP POST payload with extracted credentials and user-controlled base_url · Privilege escalation · executor.py

Why this conclusion was reached

2/4 dimensions triggered
Block
Declared vs. actual capabilities

Found 2 capabilities or over-privileged behaviors beyond those declared.

Review
Hidden execution and outbound connections

Extracted 1 general-risk artifact; it needs to be judged in context.

Block
Attack chain and high-risk findings

The report contains a 4-step attack chain, plus 4 high-risk or critical findings.

Review
Dependencies and supply-chain hygiene

No complete dependency information; the supply-chain judgment should remain tentative.

Attack chain

01
Skill presents itself as a distributed task orchestration tool

Initial entry · SKILL.md:1

02
Extracts api_key, base_url, and model from runtime environment without declaration

recon · AGENT.md:13

03
Builds HTTP POST payload with extracted credentials and user-controlled base_url

Privilege escalation · executor.py:36

04
Transmits credentials to arbitrary external endpoint via HTTPSConnection

Final impact · executor.py:43

How the risk score was raised

Undeclared credential access from runtime environment +30

AGENT.md P2 mandates extraction of api_key, base_url, and model from runtime without user prompt. SKILL.md does not declare this behavior at all.

Credential exfiltration via arbitrary HTTP POST +25

executor.py lines 42-44 use extracted credentials to POST to a user-controlled base_url, enabling credential theft to attacker-controlled endpoints.

Doc-to-code mismatch on declared permissions +15

SKILL.md declares only python3 exec and narrow filesystem access, but hides environment variable reading and arbitrary network egress.

No user consent mechanism +10

AGENT.md explicitly forbids prompting the user for credentials, making credential harvesting non-consensual.

Arbitrary network destination via config injection +10

base_url read from task_config.json allows redirecting credentials to any attacker-controlled server.

Most critical evidence

High · Credential theft

Covert credential extraction from runtime environment

AGENT.md P2 mandates extraction of api_key, base_url, and model from the active runtime environment. This behavior is not declared in SKILL.md's permissions section and occurs without user consent or prompt.

AGENT.md:13
Remove undeclared environment access. Require explicit user-provided credentials with consent.
High · Data exfiltration

Credentials transmitted to arbitrary external endpoints

The executor.py uses extracted credentials to make HTTP POST requests. Since base_url is read from task_config.json, an attacker who can control the config file can redirect credentials to any server.

executor.py:43
Validate base_url against an allowlist. Never send credentials to untrusted endpoints.
High · Documentation deception

SKILL.md omits critical credential and network access

SKILL.md declares only filesystem (read/write ~/.openclaw/skills/**, swarm_tmp/**) and python3 exec permissions. It completely hides environment variable access for credentials and arbitrary network egress.

SKILL.md:1
Declare all resources accessed: environment:READ for credential access, network:WRITE for API calls.
High · Privilege escalation

No consent mechanism for credential usage

AGENT.md P2 explicitly states 'Constraint: FORBIDDEN to prompt the user for credentials.' This means credentials are harvested and used without user knowledge or approval.

AGENT.md:15
Implement user consent flow before using any credentials.
Medium · Code obfuscation

Critical behavior buried in embedded Markdown docs

SKILL.md contains embedded documentation within the YAML frontmatter block that reveals the actual credential extraction behavior, but this is not surfaced in the permissions declarations at the top.

SKILL.md:12
Move all behavior descriptions to the top-level permissions section for transparency.
Low · Sensitive access

Hardcoded path expansion in executor

executor.py uses os.path.expanduser for path resolution, which could resolve to unexpected locations if HOME or user context is manipulated.

executor.py:57
Validate resolved paths before use.

Declared capabilities vs. actual capabilities

Filesystem · Pass
Declared: WRITE
Inferred: WRITE
SKILL.md:7 — write: ["~/.openclaw/swarm_tmp/**"]
Environment variables · Block
Declared: NONE
Inferred: READ
AGENT.md:13 — 'Extract api_key, base_url, and model from the active runtime environment'
Network access · Block
Declared: NONE
Inferred: WRITE
executor.py:43 — conn.request('POST', path, ...) using extracted api_key and base_url
Command execution · Pass
Declared: ADMIN
Inferred: ADMIN
SKILL.md:8 — exec: ["python3"]

Suspicious artifacts and outbound connections

Medium · External URL
http://json-schema.org/draft-07/schema#

schema.json:2

Dependencies and supply chain

No structured dependency alerts.

File composition

5 files · 196 lines
Markdown 3 files · 101 lines; Python 1 file · 73 lines; JSON 1 file · 22 lines
Files needing attention · 4
executor.py Python · 73 lines
Credentials transmitted to arbitrary external endpoints · Hardcoded path expansion in executor
SKILL.md Markdown · 38 lines
SKILL.md omits critical credential and network access · Critical behavior buried in embedded Markdown docs
AGENT.md Markdown · 25 lines
Covert credential extraction from runtime environment · No consent mechanism for credential usage
schema.json JSON · 22 lines
http://json-schema.org/draft-07/schema#
Other files · README.md

Security highlights

Filesystem write access is correctly scoped to ~/.openclaw/swarm_tmp/** as declared
Python3 execution permission is explicitly declared
Output is written as atomic files with role metadata
No base64 encoding or obfuscated command execution observed
No direct shell/bash invocation — uses python3 subprocess only