Security Decision Report

Grok Swarm

The Grok Swarm skill contains undocumented credential access from OpenClaw auth profiles and shell execution via the --execute flag, and its unpinned dependencies create supply chain risk.

Install decision priority · Source: manual upload · Scan time: 2026/4/4
Files: 7
IOC: 1
Undeclared capabilities: 2
Findings: 3
Most direct threat evidence

Why this conclusion was reached

1 of 4 dimensions triggered
Block
Declared vs. actual capabilities

Found 2 capabilities or behaviors beyond what is declared.

Review
Hidden execution and outbound connections

Extracted 1 general-risk artifact; it needs to be judged in context.

Pass
Attack chain and high-risk findings

No clear malicious path was formed.

Review
Dependencies and supply chain hygiene

Found 1 dependency or supply chain lead that needs attention.

How the risk score was raised

Undeclared credential access +20

grok_bridge.py reads API keys from OpenClaw auth-profiles.json without declaration in SKILL.md

Undeclared shell execution +20

cli.py --execute flag allows arbitrary shell commands, not documented in SKILL.md

Unpinned dependency +10

openai>=1.0.0 without upper bound allows supply chain compromise

Key evidence

Medium: Documentation deception

Undeclared credential access from OpenClaw auth profiles

grok_bridge.py reads API keys from multiple OpenClaw auth profile locations (~/.openclaw/agents/*/auth-profiles.json), but this credential harvesting behavior is not declared in SKILL.md.

Location: bridge/grok_bridge.py:65
Recommendation: Document all credential sources in SKILL.md, or limit credential lookup to explicitly user-configured paths only.
Medium: Code execution

Undeclared arbitrary shell command execution

cli.py provides an --execute/-e flag that runs arbitrary shell commands via subprocess with shell=True. This is a powerful RCE capability that is not mentioned in SKILL.md.

Location: bridge/cli.py:130
Recommendation: Either document this capability prominently in SKILL.md or restrict it to an allowlist of safe commands.
Low: Supply chain

Unpinned dependency with loose version constraint

install.sh installs openai>=1.0.0 without an upper bound or exact version pin, so any future malicious or buggy release would be accepted.

Location: install.sh:47
Recommendation: Pin to a specific version: openai==1.60.0 or similar.

Declared capabilities vs. actual capabilities

File system · Pass · Declared: READ · Inferred: WRITE · SKILL.md states 'File Writing' feature
Network access · Pass · Declared: READ · Inferred: READ · openrouter.ai API calls documented in SKILL.md
Command execution · Block · Declared: NONE · Inferred: WRITE · cli.py:130 subprocess.run with shell=True for --execute flag
Environment variables · Block · Declared: NONE · Inferred: READ · grok_bridge.py:49 reads OPENROUTER_API_KEY and XAI_API_KEY; reads ~/.openclaw/*/auth-profiles.json
Skill invocation · Pass · Declared: NONE · Inferred: NONE · No skill invocation detected

Suspicious artifacts and outbound connections

Medium: External URL
https://openrouter.ai/api/v1

bridge/grok_bridge.py:29

Dependencies and supply chain

Package   Version   Source   Vulnerabilities   Notes
openai    >=1.0.0   pip                        Version not pinned - major supply chain risk

File composition

7 files · 1255 lines
Python 3 files · 851 lines
JavaScript 1 file · 204 lines
Markdown 1 file · 89 lines
Shell 1 file · 84 lines
JSON 1 file · 27 lines
Files of concern · 3
bridge/grok_bridge.py Python · 392 lines
Undeclared credential access from OpenClaw auth profiles · https://openrouter.ai/api/v1
bridge/cli.py Python · 269 lines
Undeclared arbitrary shell command execution
install.sh Shell · 84 lines
Unpinned dependency with loose version constraint
Other files · apply.py · index.js · SKILL.md · openclaw.plugin.json

Security highlights

Path traversal protection exists in file writing operations via _safe_dest() and relative_to() checks
File writes default to dry-run mode unless --apply flag is explicitly provided
Validates contained paths before writing to prevent directory escape
API calls are to legitimate openrouter.ai endpoint, not hidden C2 infrastructure
Morph LLM integration has path validation before file operations
No base64 encoding, eval(), or obfuscation detected
No direct IP network requests to suspicious destinations