Security Decision Report

interactive-infographic

Skill contains hardcoded API key and undeclared data transmission with insufficient documentation about default credential usage.

Install decision first · Source: manual upload · Scan time: 2026/4/4
Files 9
IOC 2
Over-privileged items 0
Findings 3

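Why this conclusion was reached

0/4 dimensions triggered
Pass
Declared vs. actual capabilities

Declared resources and inferred capabilities are largely consistent.

Review
Hidden execution and outbound connections

2 general-risk artifacts were extracted; they need to be judged in context.

Pass
Attack chain and high-severity findings

No clear malicious path was formed.

Review
Dependency and supply-chain hygiene

No complete dependency information is available, so the supply-chain assessment should remain tentative.

How the risk score was raised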

Hardcoded fallback API key +15

Default API key '94a05d02-9ade-4d9d-9f39-88734d9e34b4' embedded in cw_client.cjs source code

Undeclared default credential behavior +15

SKILL.md security section vaguely mentions 'anonymous credential' but does not clearly explain its purpose or that it's hardcoded in source

External data transmission +10

User data including API key sent to pptx.chenxitech.site - documented but unclear scope

Key evidence

Medium · Credential theft

Hardcoded fallback API key in source code

The file cw_client.cjs contains a hardcoded fallback API key '94a05d02-9ade-4d9d-9f39-88734d9e34b4' which serves as a default anonymous credential when the environment variable is not set. This credential is sent with every request to the backend.

scripts/cw_client.cjs:14
Remove hardcoded fallback credentials from source code. If anonymous access is required, implement it server-side without embedding credentials in client code.
Medium · Documentation deception

Insufficient documentation of default credential behavior

SKILL.md mentions 'anonymous credential' in the security section but fails to specify that it is a hardcoded key embedded in source code. Users cannot make an informed decision about using this default versus providing their own key.

SKILL.md:120
Add explicit documentation specifying: (1) The exact default key value, (2) When this default is used, (3) Security implications of using anonymous credentials, (4) Why this is acceptable vs credential harvesting.
Low · Sensitive access

Non-obvious allowlisted domain

The host allowlist includes 'bpjwmsdb.com' which is not clearly related to the ContextWeave service. While the allowlist provides some protection, this domain warrants verification.

scripts/cw_client.cjs:38
Verify bpjwmsdb.com is a legitimate service endpoint. If unrelated, remove from allowlist to reduce attack surface.

Declared vs. actual capabilities

File system · Pass
Declared READ
Inferred WRITE
cw_client.cjs:exportCode writes diagram.cw to target path
Network access · Pass
Declared WRITE
Inferred WRITE
postJson() makes HTTP POST to allowed hosts
Command execution · Pass
Declared NONE
Inferred NONE
No subprocess or exec calls found
Environment variables · Pass
Declared READ
Inferred READ
Reads CONTEXTWEAVE_MCP_API_KEY and CONTEXTWEAVE_EDITOR_PROTOCOL

Suspicious artifacts and outbound connections

Medium · External URL
https://pptx.chenxitech.site

SKILL.md:177

Medium · External URL
https://api.contextweave.site

cwmcp_config.example.json:2

Dependencies and supply chain

No structured dependency alerts.

File composition

9 files · 794 lines
JavaScript 6 files · 599 lines
Markdown 1 file · 180 lines
JSON 2 files · 15 lines
Files needing attention · 3
SKILL.md Markdown · 180 lines
Insufficient documentation of default credential behavior · https://pptx.chenxitech.site
scripts/cw_client.cjs JavaScript · 268 lines
Hardcoded fallback API key in source code · Non-obvious allowlisted domain
cwmcp_config.example.json JSON · 4 lines
https://api.contextweave.site
Other files · generate_contextweave.cjs · export_session_asset.cjs · edit_contextweave.cjs · export_contextweave_code.cjs · import_contextweave_code.cjs · _meta.json

Security highlights

No shell execution or subprocess calls found - skill uses only Node.js standard library
Path traversal protection implemented with CWD validation and absolute path requirements
Host allowlist restricts network requests to known domains only
No obfuscation techniques (no base64, eval, or encoded strings)
No access to sensitive paths like ~/.ssh, ~/.aws, or .env files
No persistence mechanisms (no cron, startup hooks, or backdoor installation)
No credential harvesting beyond declared environment variable
Explicit JSON output format reduces prompt injection risk