Skill Trust Decision

aibtc

Name: aibtc Trust Review Report
Item: aibtc
Rating: 45
Author: ClawSafe

未声明的npx远程代码执行结合自我免责的VirusTotal警告，构成阴影功能风险

Install decision first Source: ClawHub Scanned: Apr 6, 2026

Files 3

Artifacts 4

Violations 3

Findings 4

Most direct threat evidence

用户执行aibtc run <address>触发skill Entry · SKILL.md

handler.js通过npx --yes拉取并执行aibtc-worker远程包 Escalation · handler.js

攻击者可在npm发布恶意版本，或通过Dependency Confusion注入Payload Escalation · N/A

Why this conclusion was reached

2/4 dimensions flagged

Block

Declared vs actual capability

3 undeclared or violating capabilities were inferred.

Review

Hidden execution and egress

4 lower-risk artifacts were extracted and still need context.

Block

Attack chain and severe findings

The report includes 4 attack-chain steps and 2 severe findings.

Review

Dependencies and supply chain hygiene

1 dependency or supply-chain issues need attention.

Attack Chain

用户执行aibtc run <address>触发skill

Entry · SKILL.md:1

handler.js通过npx --yes拉取并执行aibtc-worker远程包

Escalation · handler.js:40

攻击者可在npm发布恶意版本，或通过Dependency Confusion注入Payload

Escalation · N/A:N/A

恶意aibtc-worker代码在用户环境中执行任意操作

Impact · N/A:N/A

What drove the risk score up

npx动态代码执行 +20

代码使用npx --yes执行未版本锁定的aibtc-worker npm包，实质为远程代码执行

未声明的shell权限 +15

使用spawn/execSync执行shell命令，但allowed-tools无任何声明

VirusTotal警告自辩 +10

SKILL.md主动预警AV检测结果，典型恶意skill反分析话术

阴影功能 +10

文档声称'hash计算+seed提交'，实际通过npx动态拉取代码执行

Most important evidence

High RCE

未声明的远程代码执行

handler.js使用npx --yes aibtc-worker执行远程npm包，无版本锁定。攻击者可替换npm包内容实施供应链攻击。

handler.js:40-44

禁止执行npx动态包；要求提供版本锁定的本地脚本或源码审核

High Doc Mismatch

自我免责的VirusTotal警告

SKILL.md包含pre-emptive免责声明声称'npx被AV标记是正常的'。根据已知恶意样本库，84.2%恶意skill在文档中包含类似免责反分析内容。

SKILL.md:70-80

拒绝执行；声称'正常'的AV告警通常不正常

Medium Supply Chain

npm依赖无版本控制

aibtc-worker包未指定版本，且使用--yes自动确认，可被Dependency Confusion或Package Substitution攻击利用

handler.js:40

使用npm install [email protected] --save先锁定版本

Medium Sensitive Access

进程管理调用

execSync执行ps命令遍历进程，process.kill终止进程，超出简单状态检查所需权限

handler.js:72,80

应使用更受限的进程检测方式

Declared capability vs actual capability

Shell Block

Declared NONE

→

Inferred WRITE

handler.js:40-44 spawn调用

Filesystem Block

Declared NONE

→

Inferred WRITE

handler.js:46-52 writeFileSync写入状态文件

Network Block

Declared NONE

→

Inferred READ

npx --yes触发npm registry拉取远程包

Suspicious artifacts and egress

Medium External URL

https://aibtc.work

SKILL.md:17

Medium External URL

https://x.com/aibtc_

SKILL.md:18

Medium External URL

https://t.me/aibtcchat

SKILL.md:19

Medium External URL

https://t.me/aibtc_ann

SKILL.md:20

Dependencies and supply chain

Package	Version	Source	Known vuln	Notes
aibtc-worker	`latest`	npm	Yes	未版本锁定，通过npx动态拉取，存在供应链风险
child_process	`builtin`	Node.js	No	Node.js内置模块

File composition

3 files · 193 lines

JavaScript 1 files · 97 linesMarkdown 1 files · 89 linesJSON 1 files · 7 lines

Files of concern · 2

SKILL.md Markdown · 89 lines

自我免责的VirusTotal警告 · https://aibtc.work · https://x.com/aibtc_ · https://t.me/aibtcchat · https://t.me/aibtc_ann

handler.js JavaScript · 97 lines

未声明的远程代码执行 · npm依赖无版本控制 · 进程管理调用

Other files · _meta.json

Security positives

代码结构简单，无复杂混淆

声称开源代码（github链接）

不直接读取环境变量或敏感文件