Security Decision Report

task-progress-stream

The skill executes arbitrary shell commands through user-controlled input without declaring shell:WRITE capability in SKILL.md, representing a significant undeclared privilege escalation vector.

Install decision first · Source: manual upload · Scan time: 2026/4/4
Files 2
IOC 0
Out-of-scope items 2
Findings 3
Most direct threat evidence
01
User invokes skill with --cmd parameter initialization · scripts/task_progress_stream.js
02
Arbitrary command passed to /bin/bash -lc without validation · Privilege escalation · scripts/task_progress_stream.js
03
Attacker can run: curl|bash from external source, pip install malicious packages, or access system resources · Final impact · scripts/task_progress_stream.js

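Why this conclusion was reached

2 of 4 dimensions triggered
Block
Declared vs. actual capabilities

Found 2 capabilities or out-of-scope behaviors beyond what is declared.

Pass
Hidden execution and outbound connections

No obvious high-risk outbound connection or execution signals at present.

Block
Attack chain and high-risk findings

The report contains a 3-step attack chain, plus 2 high-risk or critical findings.

Review
Dependency and supply-chain hygiene

Complete dependency information is not available, so the supply-chain assessment should remain provisional.

Attack chain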

01
User invokes skill with --cmd parameter

initialization · scripts/task_progress_stream.js:265

02
Arbitrary command passed to /bin/bash -lc without validation

Privilege escalation · scripts/task_progress_stream.js:285

03
Attacker can run: curl|bash from external source, pip install malicious packages, or access system resources

Final impact · scripts/task_progress_stream.js:285

How the risk score was raised

Undeclared shell execution capability +30

SKILL.md does not declare that arbitrary commands can be executed via --cmd parameter

Arbitrary command injection risk +25

User-provided --cmd is passed directly to /bin/bash -lc without validation

Privilege escalation via skill context +10

Skill runs commands in the context of the AI agent's permissions

Key evidence

High risk · Privilege escalation

Undeclared shell command execution

The skill accepts a --cmd parameter that is passed directly to /bin/bash without any validation or sanitization. This allows execution of arbitrary shell commands, which is not declared in SKILL.md's allowed tools or capability model.

scripts/task_progress_stream.js:285
Declare shell:WRITE capability in SKILL.md metadata, or restrict to specific safe commands, or implement command allowlisting.
High risk · Privilege escalation

No command validation or sanitization

The user-supplied command string is executed verbatim through bash -lc without any checks for dangerous operations (pip install, curl|bash, etc.).

scripts/task_progress_stream.js:285
Implement input validation or use spawn with argument array instead of shell evaluation to prevent command injection.
Medium risk · Documentation deception

Filesystem write operations not declared

The skill writes status JSON, Markdown, and log files to a configurable outDir but this filesystem:WRITE usage is not documented.

scripts/task_progress_stream.js:234
Document filesystem:WRITE usage in SKILL.md or use a temporary directory with auto-cleanup.

Declared vs. actual capabilities

Command execution · Block
Declared NONE
Inferred WRITE
scripts/task_progress_stream.js:285 - spawn('/bin/bash', ['-lc', cmd])
Filesystem · Block
Declared NONE
Inferred WRITE
scripts/task_progress_stream.js:279-281 - creates outDir and status files
Network access · Pass
Declared NONE
Inferred NONE
openclaw gateway call is local IPC only

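Suspicious artifacts and outbound connections

No obvious IOCs were extracted.

Dependencies and supply chain

No structured dependency alerts.

File composition

2 files · 528 lines
JavaScript 1 file · 473 lines
Markdown 1 file · 55 lines
Files needing attention · 1
scripts/task_progress_stream.js JavaScript · 473 lines
Undeclared shell command execution · No command validation or sanitization · Filesystem write operations not declared
Other files · SKILL.md

Security highlights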

No credential harvesting - script does not read API keys, tokens, or passwords
No data exfiltration - only local IPC with openclaw gateway, no external network requests
No obfuscation - code is readable JavaScript without base64 or eval() tricks
No malicious dependencies - no package.json with untrusted packages
Progress parsing is legitimate functionality as documented