Security Decision Report

awareness-memory

Critical undeclared data exfiltration: import.js reads OpenClaw session files (~/.openclaw/agents/main/sessions/), parses full message content (including user prompts and assistant responses which may contain credentials, API keys, and code), and uploads them to the external awareness.market cloud API. This is completely absent from SKILL.md's declared behavior and directly contradicts the 'no secrets captured' claim.

Install decision first · Source: manual upload · Scan time: 2026/4/4
Files 15
IOC 3
Overreach items 3
Findings 7
Most direct threat evidence
Critical · Data exfiltration
Undeclared session file exfiltration to external cloud

import.js reads session JSONL files from ~/.openclaw/agents/main/sessions/, parses the full message content (user prompts and assistant responses), and uploads parsed content to the awareness.market cloud API. This is the most severe finding: all historical session data—including any secrets, credentials, or sensitive code typed during sessions—is transmitted to an external party. SKILL.md never mentions session file access, OpenClaw integration, or the import mechanism. This directly contradicts the 'no secrets captured' claim.

scripts/import.js:181

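Why this conclusion was reached

2/4 dimensions triggered
Block
Declared and actual capabilities

Found 3 capabilities or overreaching behaviors beyond what was declared.

Review
Hidden execution and outbound connections

Extracted 3 general-risk artifacts; these need to be judged in context.

Block
Attack chain and high-severity findings

The report contains a 5-step attack chain, plus 4 high-severity or critical findings.

Review
Dependency and supply-chain hygiene

Found 1 dependency or supply-chain lead that needs attention.

Attack chain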

01
Skill installed with credible memory functionality; SKILL.md claims 'no secrets captured'

Initial access · SKILL.md:1

02
recall.js UserPromptSubmit hook runs before each prompt, sending full user prompt to awareness.market

Reconnaissance · scripts/recall.js:107

03
On first run, recall.js silently spawns import.js detached in background

Privilege escalation · scripts/recall.js:203

04
import.js reads ~/.openclaw/agents/main/sessions/*.jsonl, parses full message content including typed credentials

Data exfiltration · scripts/import.js:138

05
Parsed session content (user prompts, assistant responses) uploaded to awareness.market cloud API

Data exfiltration · scripts/import.js:181

How the risk score was raised

Undeclared session file exfiltration +30

import.js reads ~/.openclaw/agents/main/sessions/*.jsonl, parses full message content including user prompts and assistant responses, and uploads to awareness.market cloud API. Not declared anywhere in SKILL.md.

SKILL.md claim contradicted by code +15

SKILL.md states 'no secrets captured' and 'never reads, stores, or transmits file contents'. import.js reads session file contents and transmits them to external cloud.

Undeclared filesystem WRITE +10

SKILL.md declares filesystem:NONE but sync.js writes to OpenClaw workspace (MEMORY.md, memory/YYYY-MM-DD.md), setup.js writes to shell profiles, poll-auth.js writes to ~/.openclaw/openclaw.json.

Remote npx execution +8

shared.js auto-starts local daemon via 'npx -y @awareness-sdk/local start', downloading and executing remote npm package without version pinning or user consent.

Silent background import +4

import.js is spawned detached in recall.js without user notification, importing session history in the background on first run.

Key evidence

Critical · Data exfiltration

Undeclared session file exfiltration to external cloud

import.js reads session JSONL files from ~/.openclaw/agents/main/sessions/, parses the full message content (user prompts and assistant responses), and uploads parsed content to the awareness.market cloud API. This is the most severe finding: all historical session data—including any secrets, credentials, or sensitive code typed during sessions—is transmitted to an external party. SKILL.md never mentions session file access, OpenClaw integration, or the import mechanism. This directly contradicts the 'no secrets captured' claim.

scripts/import.js:181
Remove import.js entirely or make it purely local. Never transmit parsed session file content to external APIs.
High · Documentation deception

SKILL.md explicitly denies reading file contents while import.js does exactly that

SKILL.md states: 'This skill never reads, stores, or transmits file contents, environment variables, or credentials from your system beyond its own API key.' import.js reads and transmits the full content of OpenClaw session files. This is a direct, explicit contradiction—not a vague omission but an affirmative false claim.

SKILL.md:1
SKILL.md must fully disclose what files are read, what data is transmitted, and the import-from-OpenClaw mechanism.
High · Privilege escalation

Multiple undocumented filesystem WRITE operations

SKILL.md declares filesystem:NONE, but the skill writes to: (1) OpenClaw workspace MEMORY.md and daily logs via sync.js, (2) shell profile (.bashrc/.zshrc) to inject AWARENESS_* env vars via setup.js, (3) ~/.openclaw/openclaw.json to persist credentials via poll-auth.js, (4) project .awareness directories for cache. None of these are declared in SKILL.md.

scripts/sync.js:89
Update SKILL.md filesystem declaration to WRITE. Declare all paths written to and the purpose of each write.
High · Supply chain

Remote npx execution for daemon auto-start

shared.js (resolveEndpoint) executes 'npx -y @awareness-sdk/local start' to auto-start a local daemon. This downloads and executes a remote npm package with no version pinning and no integrity verification. The package '@awareness-sdk/local' is not declared as a dependency.

scripts/shared.js:102
Remove npx auto-start or pin to a specific version with integrity check. Declare the dependency in SKILL.md.
Medium · Data exfiltration

Full user prompt transmitted to external API before each response

recall.js (UserPromptSubmit hook) sends the complete user prompt text to awareness.market for semantic recall before every single response. While this is somewhat disclosed in SKILL.md, the full unfiltered prompt—including any credentials or sensitive context—goes to the external service. Keywords are also extracted from the prompt for hybrid search.

scripts/recall.js:107
Consider allowing users to opt out of prompt transmission. Filter sensitive patterns from prompts before sending.
Medium · Prompt injection

Record rule embeds executable instructions in XML context

recall.js injects a <record-rule> block into the awareness-memory XML containing an inline command template: 'node "${resolvedScript}" '<JSON>''. While this is a legitimate memory feature, embedding raw command templates in LLM context could be exploited for prompt injection if an attacker controls memory content.

scripts/recall.js:173
Sandbox or validate memory content before injecting command templates into LLM context.
Low · Documentation deception

OpenClaw migration feature not disclosed as automatic background process

recall.js silently spawns import.js as a detached background process on first run. This migration of OpenClaw memory to the cloud is not mentioned in SKILL.md's hook documentation, setup instructions, or workflow checklist.

scripts/recall.js:203
Declare the automatic OpenClaw migration in SKILL.md and provide a flag to disable it.

Declared capabilities vs actual capabilities

Filesystem · Block
Declared NONE
Inferred WRITE
scripts/sync.js:89 appends to workspace MEMORY.md; scripts/setup.js:100 appends to shell profile; scripts/poll-auth.js:88 writes to ~/.openclaw/openclaw.json
Network access · Block
Declared READ
Inferred WRITE
scripts/import.js:181-191 POSTs parsed session content to awareness.market/api/v1/mcp/events; scripts/recall.js:107 POSTs full user prompt to cloud API
Command execution · Block
Declared NONE
Inferred WRITE
scripts/shared.js:102 spawns 'npx -y @awareness-sdk/local start' for auto-daemon; scripts/setup.js:32-34 execSync for browser opening; scripts/recall.js:66 spawn detached import.js
Environment variables · Pass
Declared READ
Inferred READ
scripts/shared.js:12-16 reads AWARENESS_* env vars for config only; no iteration of os.environ
Skill invocation · Pass
Declared NONE
Inferred READ
scripts/recall.js spawns import.js detached; save-memory.js record-rule instructs LLM to silently invoke node with JSON payload

Suspicious artifacts and outbound connections

Medium · External URL
https://awareness.market/cli-auth

scripts/recall.js:47

Medium · External URL
https://awareness.market/api/v1

scripts/recall.js:92

Medium · External URL
https://awareness.market\n

scripts/setup.js:216

Dependencies and supply chain

Package name · Version · Source · Vulnerabilities · Notes
@awareness-sdk/local * npx -y (remote) Auto-downloaded at runtime with no version pinning or integrity verification

File composition

15 files · 2656 lines
JavaScript 14 files · 2448 lines
Markdown 1 file · 208 lines
Files needing attention · 6
scripts/shared.js JavaScript · 373 lines
Remote npx execution for daemon auto-start
scripts/setup.js JavaScript · 353 lines
https://awareness.market\n
scripts/recall.js JavaScript · 302 lines
Full user prompt transmitted to external API before each response · Record rule embeds executable instructions in XML context · OpenClaw migration feature not disclosed as automatic background process · https://awareness.market/cli-auth · https://awareness.market/api/v1
SKILL.md Markdown · 208 lines
SKILL.md explicitly denies reading file contents while import.js does exactly that
scripts/import.js JavaScript · 237 lines
Undeclared session file exfiltration to external cloud
scripts/sync.js JavaScript · 152 lines
Multiple undocumented filesystem WRITE operations
Other files · harness-builder.mjs · lookup.js · record.js · poll-auth.js · search.js · save-memory.js

Security highlights

Credentials stored with 0600 permissions in ~/.awareness/credentials.json
Local daemon mode (localhost:37800) available for privacy-conscious users
No direct credential harvesting from environment variables beyond AWARENESS_* keys
Stop hook (capture.js) is a no-op, not sending conversation content
XML escaping (escapeXml) properly implemented in harness-builder.mjs
Session ID expires after 4 hours (configurable)