Skill Trust Decision

update-approval-guard (primary) + instreet + 25+ sub-skills (workspace)

Workspace contains a live InStreet API key stored in plaintext across 4 config files, undeclared shell execution in publish.sh, and the Instreet skill lacks declared filesystem/network permissions despite reading configs and making network requests.

Source: Manual upload
Scanned: Apr 3, 2026
Files 279
Artifacts 224
Violations 4
Findings 5
Why this conclusion was reached

3/4 dimensions flagged
Block
Declared vs actual capability

4 undeclared or violating capabilities were inferred.

Block
Hidden execution and egress

3 high-risk artifacts or egress signals were extracted.

Block
Attack chain and severe findings

The report includes 0 attack-chain steps and 2 severe findings.

Pass
Dependencies and supply chain hygiene

Dependencies are present but no obvious high-risk issue stands out.

What drove the risk score up

Live API key in plaintext +20

InStreet API key sk_inst_c7acbeabd3c0c24acac6afb98db3828d appears in 4 plaintext files (skills/instreet/config.json, skills/instreet/scripts/config.json, IDENTITY.md, instreet-config.json). While the key is used legitimately by the heartbeat script, storing credentials in plaintext across multiple locations creates significant exfiltration risk.

Undeclared shell execution in publish.sh +12

update-approval-guard/publish.sh runs git init, git add/commit/push, gh repo create, clawhub login/publish — all shell:WRITE operations — but these are not declared anywhere in update-approval-guard/SKILL.md or the root SKILL.md.

Destructive shell command in SKILL.md +8

skills/Elite-Longterm-Memory/SKILL.md:293 documents 'rm -rf ~/.openclaw/memory/lancedb/' as a maintenance command. Although documented, it's a broad recursive delete and targets a system directory (~/.openclaw/). Pre-scan misreported this as 'rm -rf ~'; the actual path is more specific but still dangerous.

Undeclared filesystem access in Instreet skill +5

skills/instreet/scripts/heartbeat.mjs reads config.json (filesystem:READ) and makes network requests (network:WRITE) — both undeclared in skills/instreet/SKILL.md. The capability model requires declaration of all resources accessed.

Most important evidence

High

Live InStreet API Key Stored in Plaintext

The InStreet/Coze API key sk_inst_c7acbeabd3c0c24acac6afb98db3828d is stored in plaintext in 4 files: skills/instreet/config.json, skills/instreet/scripts/config.json, IDENTITY.md, and instreet-config.json. If any of these files are accidentally shared, committed to a public repo, or accessed by a malicious skill, the API key can be stolen. Note: the key is used legitimately by the Instreet heartbeat script, but the storage pattern is a significant security concern.

skills/instreet/config.json:4
Store the API key in an environment variable (e.g., INSTREET_API_KEY) and reference it via process.env in scripts. Add .env to .gitignore. Rotate the current key immediately.

High

Undeclared Shell Execution in publish.sh

update-approval-guard/publish.sh executes git commands (init, add, commit, push), gh CLI (repo create), and clawhub CLI (login, publish) — all requiring shell:WRITE permissions. These operations are not declared in any SKILL.md file. The script also prompts for user input interactively, which is a social-engineering risk if executed in an automated context.

update-approval-guard/publish.sh:1
Either remove publish.sh from production, move it to a clearly-marked development-only directory, or declare shell:WRITE and network:WRITE capabilities explicitly in the skill documentation.

Medium

Destructive Recursive Delete in Elite-Longterm-Memory SKILL.md

The maintenance commands section of skills/Elite-Longterm-Memory/SKILL.md at line 293 documents 'rm -rf ~/.openclaw/memory/lancedb/' as a 'nuclear option' to clear vectors. While documented (not hidden), this command is a broad recursive delete targeting a system directory. Additionally, the pre-scan misidentified this as 'rm -rf ~' (user home), which is even more dangerous — this is a scanning accuracy concern worth noting.

skills/Elite-Longterm-Memory/SKILL.md:293
Replace the broad rm -rf with more targeted deletion: 'find ~/.openclaw/memory/lancedb/ -mindepth 1 -delete' or add a confirmation prompt in the documentation. Also clarify the exact scope of what is deleted.

Medium

Hardcoded Internal IP in SOUL.md

A hardcoded IP address 115.190.250.10 for the star-office UI dashboard is embedded in SOUL.md. This is an internal network address (not a public/external IP), so the exfiltration risk is low. However, it represents a hardcoded infrastructure assumption that may become invalid if the service moves.

SOUL.md:59
Replace the hardcoded IP with an environment variable (e.g., STAR_OFFICE_UI_URL) or a hostname that can be configured via TOOLS.md.

Low

Example Placeholder API Keys in translate-cli Quickstart

The translate-cli quickstart references example API key names (OPENAI_API_KEY, ANTHROPIC_API_KEY, DEEPL_API_KEY) with placeholder values like 'your_openai_key'. These are clearly example placeholders, not real credentials. This is a documentation false positive — no actual credentials are exposed.

skills/translate-cli/references/quickstart.md:9
No action needed. The values are clearly placeholder examples. Consider adding a comment clarifying these are placeholders.

Declared capability vs actual capability

Capability | Status | Declared | Inferred | Evidence
Filesystem | Block | NONE | READ | skills/instreet/scripts/heartbeat.mjs:15 — reads config.json via readFileSync
Network | Block | NONE | WRITE | skills/instreet/scripts/heartbeat.mjs:30 — POST to /api/v1/upvote, /api/v1/posts/.../comments, etc.
Shell | Block | NONE | WRITE | update-approval-guard/publish.sh — git init/commit/push, gh repo create, clawhub publish (undeclared)
Shell | Block | NONE | WRITE | skills/Elite-Longterm-Memory/SKILL.md:293 — rm -rf ~/.openclaw/memory/lancedb/

Suspicious artifacts and egress

Critical Dangerous Command
rm -rf ~

skills/Elite-Longterm-Memory/SKILL.md:293

High IP Address
115.190.250.10

SOUL.md:59

High API Key
API_KEY="your_anthropic_key"

skills/translate-cli/references/quickstart.md:9

Medium External URL
http://115.190.250.10:19000

SOUL.md:59

Medium External URL
https://feishu.cn/docx/EKn6dmGxsoj4SZxJEbOciyIVnNf

UPDATE-APPROVAL-GUARD-PUBLISH.md:45

Medium External URL
https://feishu.cn/docx/ZU8ZdvND0oHV79xSVe1cbqeinrd

UPDATE-APPROVAL-GUARD-PUBLISH.md:46

Medium External URL
https://docs.clawhub.com

UPDATE-APPROVAL-GUARD-PUBLISH.md:105

Medium External URL
https://docs.openclaw.ai

UPDATE-APPROVAL-GUARD-PUBLISH.md:106

Medium External URL
https://api.z.ai/api/mcp/zread/mcp

config/mcporter.json:4

Medium External URL
https://api.z.ai/api/mcp/web_search_prime/mcp

config/mcporter.json:10

Medium External URL
https://ucn19uuu5wk8.feishu.cn/base/JFWebb76KaFd7as501ac3UIDnxb

docs/industry_news_README.md:51

Medium External URL
https://instreet.coze.site

instreet-config.json:9

Dependencies and supply chain

Package | Version | Source | Known vuln | Notes
fetch (built-in Node.js) | N/A | Node.js built-in | No | Used for API requests in heartbeat.mjs; no external dependencies
gh CLI | unknown | system | No | Used in publish.sh; must be pre-installed on the system
clawhub CLI | unknown | system | No | Used in publish.sh; must be pre-installed on the system

File composition

279 files · 41547 lines
Markdown 124 files · 19847 lines
Python 27 files · 7903 lines
JSON 79 files · 5655 lines
JavaScript 21 files · 5137 lines
Shell 18 files · 2582 lines
Text 6 files · 252 lines
Files of concern · 7
skills/instreet/config.json JSON · 8 lines
Live InStreet API Key Stored in Plaintext
skills/instreet/scripts/config.json JSON · 7 lines
skills/tech-news-digest/config/defaults/sources.json JSON · 1888 lines
skills/tech-news-digest/scripts/fetch-twitter.py Python · 917 lines
https://api.x.com/2 · https://api.twitterapi.io · https://api.getxapi.com · https://twitter.com/
skills/hiic-industry-daily-report/scripts/generate-report.mjs JavaScript · 991 lines
https://api.search.brave.com/res/v1/web/search
scripts/industry_daily_news.mjs JavaScript · 837 lines
https://api.search.brave.com/res/v1/web/search?q=$
skills/tech-news-digest/SKILL.md Markdown · 536 lines
https://myblog.com/rss
Other files · merge-sources.py · fetch-web.py · fetch-github.py · CHANGELOG.md · SKILL.md

Security positives

The update-approval-guard skill has a well-designed security architecture with explicit approval workflows and never applies updates automatically
skills/instreet/scripts/heartbeat.mjs implements proper rate-limit handling (429 responses with retry delays) showing thoughtful API usage
Proactive-agent skill includes detailed security hardening guidance including skill vetting and agent network warnings
No evidence of base64-encoded payloads, direct IP exfiltration, eval(atob(...)), or other classic obfuscated attack patterns
No evidence of credential harvesting combined with remote exfiltration — the InStreet key is used for its intended platform only
The heartbeat script limits API key exposure by sending the key in the Authorization header (Bearer token pattern), not in URLs