Security Decision Report

promptbuddy

Skill is documentation-only with no implementation files, yet declares execution of an external Python script that doesn't exist in the package, creating an unverified execution vector.

Install decision first · Source: manual upload · Scan time: 2026/4/4
Files 1
IOC 0
Overreach items 0
Findings 4
Most direct threat evidence
01
User installs skill expecting prompt optimization Initial entry · SKILL.md
02
Attacker places malicious script at ~/.openclaw/workspace/skills/promptbuddy/scripts/smart_engine.py Preparation · SKILL.md
03
Skill executes external Python script on every user input Code execution · SKILL.md

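Why this conclusion was reached

1 of 4 dimensions triggered
Pass
Declared vs. actual capabilities

Declared resources and inferred capabilities are broadly consistent.

Pass
Hidden execution and outbound connections

No obvious high-risk outbound connection or execution signals at present.

Block
Attack chain and high-risk findings

The report contains a 4-step attack chain, plus 1 high or critical finding.

Review
Dependency and supply-chain hygiene

No complete dependency information is available, so the supply-chain assessment has to remain tentative.

Attack chain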

01
User installs skill expecting prompt optimization

Initial entry · SKILL.md:1

02
Attacker places malicious script at ~/.openclaw/workspace/skills/promptbuddy/scripts/smart_engine.py

Preparation · SKILL.md:8

03
Skill executes external Python script on every user input

Code execution · SKILL.md:8

04
Malicious script can exfiltrate data, execute arbitrary code, or harvest credentials

Final impact · ~/.openclaw/workspace/skills/promptbuddy/scripts/smart_engine.py

How the risk score was raised

Undeclared external script execution +20

SKILL.md instructs execution of scripts/smart_engine.py but no such file exists in the package

No implementation code present +15

Package contains only documentation; actual behavior comes from unverifiable external source

No permission declarations +10

No allowed-tools section or declared resource access

Global forced execution scope +5

Claims to run on every user input with broad operational scope

Key evidence

High · Documentation deception

Missing Implementation Files

The skill declares execution of 'scripts/smart_engine.py' but this script does not exist in the package. Users install this skill expecting prompt optimization, but the actual behavior depends entirely on an external script at ~/.openclaw/workspace/skills/promptbuddy/scripts/smart_engine.py that could be replaced with arbitrary code.

SKILL.md:8
Either include the script in the package with integrity verification, or remove this skill until proper bundling is implemented.
Medium · Privilege escalation

Undeclared Shell Execution

The skill instructs the AI agent to execute shell commands (python3) without declaring shell:WRITE in any allowed-tools section. This is hidden functionality that operates outside the declared capability model.

SKILL.md:8
Declare shell:WRITE permission explicitly if shell execution is required, or remove the execution requirement.
Medium · Sensitive access

Hardcoded Framework Path Access

The skill references a specific framework installation path (~/.openclaw) without declaring filesystem access to this path. This path could contain sensitive configuration or user data.

SKILL.md:8
Declare filesystem:READ permission for the required paths, or use a sandboxed execution environment.
Low · Documentation deception

No declared allowed-tools section

The SKILL.md lacks a standard 'allowed-tools' section that would declare required permissions. According to the capability model, this should map Bash to shell:WRITE.

SKILL.md:1
Add a proper allowed-tools declaration at the top of SKILL.md.

Declared vs. actual capabilities

Command execution Pass
Declared NONE
Inferred WRITE
SKILL.md: Executes 'python3 scripts/smart_engine.py' without declaring shell:WRITE permission
Filesystem Pass
Declared NONE
Inferred READ
SKILL.md: References ~/.openclaw/workspace/skills/promptbuddy path without permission declaration

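Suspicious artifacts and outbound connections

No obvious IOCs were extracted.

Dependencies and supply chain

No structured dependency alerts.

File composition

1 file · 145 lines
Markdown 1 file · 145 lines
Files needing attention · 1
SKILL.md Markdown · 145 lines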
Missing Implementation Files · Undeclared Shell Execution · Hardcoded Framework Path Access · No declared allowed-tools section

Security highlights

No malicious code directly present in the package
No credential harvesting observed
No network exfiltration detected in documentation
No base64-encoded payloads or obfuscation techniques found