Security Decision Report

Memory Workflow

Memory workflow skill has undeclared network exfiltration behavior: user memory content is sent to an external Ollama LLM service (scripts/store.py:extract_triples_via_llm) without disclosure in SKILL.md, combined with hardcoded Docker bridge IPs as service endpoints.

Installation decision first · Source: manual upload · Scan time: 2026/4/3

Files: 9
IOCs: 4
Out-of-scope capabilities: 2
Findings: 6

Most direct threat evidence
01
User stores memory content via MemoryStore tool · Initial entry · scripts/store.py
02
store_memory() calls extract_triples_via_llm() with user content · Privilege escalation · scripts/store.py
03
Content POSTed to OLLAMA_URL (default: host.docker.internal:11434) for LLM processing — exfiltrated outside skill sandbox · Final impact · scripts/store.py

Why this conclusion was reached

3 of 4 dimensions triggered

Block
Declared vs. actual capabilities

Found 2 capabilities or actions beyond what is declared.

Block
Hidden execution and outbound connections

Extracted 1 high-risk IOC or outbound-connection signal.

Block
Attack chain and high-risk findings

The report contains a 4-step attack chain, plus 3 high or critical findings.

Pass
Dependencies and supply-chain hygiene

A dependency structure exists, but no obvious high-risk alerts have been observed so far.

Attack chain

01
User stores memory content via MemoryStore tool

Initial entry · scripts/store.py:110

02
store_memory() calls extract_triples_via_llm() with user content

Privilege escalation · scripts/store.py:130

03
Content POSTed to OLLAMA_URL (default: host.docker.internal:11434) for LLM processing — exfiltrated outside skill sandbox

Final impact · scripts/store.py:94

04
get_embedding() sends same content to EMBEDDING_URL (default: 172.17.0.1:18779)

Final impact · scripts/store.py:170

How the risk score was driven up

Undeclared network exfiltration +25

extract_triples_via_llm() sends user memory content to OLLAMA_URL (default host.docker.internal:11434) — not declared in SKILL.md

Hardcoded Docker bridge IPs +15

config.py hardcodes 172.17.0.1 for rerank (18778) and embedding (18779) services — suspicious default targets

Undeclared embedding service call +15

get_embedding() POSTs content to external embedding endpoint — not mentioned in SKILL.md tool descriptions

Key evidence

High risk · Data exfiltration

Undeclared LLM data transmission

extract_triples_via_llm() in store.py sends user memory content to an external Ollama LLM endpoint (OLLAMA_URL, defaulting to host.docker.internal:11434) for entity/relation extraction. This external network call is not declared anywhere in SKILL.md, which only mentions 'Ollama (可选)' ('Ollama (optional)') as a KG dependency without explaining that user content is transmitted.

scripts/store.py:94
Add explicit documentation in SKILL.md stating that user memory content may be sent to a user-configured Ollama endpoint for knowledge graph extraction. Alternatively, remove this feature and rely on rule-based extraction only.
High risk · Documentation deception

SKILL.md hides external service dependencies

SKILL.md claims a '三层存储架构' ('three-tier storage architecture') with file + FTS5 + KG + Milvus, but omits that KG extraction and embedding both require external HTTP calls. The embedding call to bge-m3 at 172.17.0.1:18779 sends all stored content over the network.

SKILL.md:1
Document that Ollama and embedding services are external dependencies that receive user data over HTTP.
High risk · Sensitive access

Hardcoded Docker bridge IP addresses as default service endpoints

config.py hardcodes 172.17.0.1 (the default Docker bridge gateway) as the default endpoint for rerank (18778) and embedding (18779) services. This is a suspicious default target as it enables exfiltration to the Docker host if those ports are open, without requiring explicit user configuration.

scripts/config.py:12
Remove hardcoded IPs as defaults. Default to localhost or a service unavailable message, requiring explicit configuration for network services.
Medium risk · Data exfiltration

Embedding API call sends all content to external service

get_embedding() in store.py POSTs all user memory content to EMBEDDING_URL (defaulting to http://172.17.0.1:18779/v1/embeddings) for vectorization before Milvus storage. This network call is not declared in the tool descriptions.

scripts/store.py:170
Document the embedding API call in SKILL.md or remove the embedding feature, relying on FTS5 only.
Medium risk · Privilege escalation

Undeclared shell execution via subprocess

BaseMemoryTool._run_op() uses subprocess.run() to execute memory_ops.py with arbitrary command arguments. This shell execution pattern is not declared in SKILL.md — only the tool names and descriptions are listed. Additionally, save_session.py independently uses subprocess without being exposed as a declared tool.

scripts/tools.py:48
Document that tools use subprocess internally, or refactor to import modules directly without shell invocation.
Low risk · Documentation deception

SKILL.md installation modifies AGENTS.md with shell commands

SKILL.md instructs users to add bash command blocks to ~/.openclaw/workspace/AGENTS.md that pipe heredocs into python3 scripts. This is an unusual installation pattern that injects shell execution instructions into agent configuration.

SKILL.md:12
Use a standard registration mechanism (e.g., a Python setup function) instead of modifying AGENTS.md with shell command strings.

Declared capabilities vs. actual capabilities

File system · Pass
Declared: WRITE · Inferred: WRITE
scripts/store.py: writes to ~/.openclaw/workspace/memory-workflow-data/

Network access · Block
Declared: NONE · Inferred: WRITE
scripts/store.py:94 — sends content to OLLAMA_URL via urllib; scripts/store.py:170 — POSTs to EMBEDDING_URL

Command execution · Block
Declared: NONE · Inferred: WRITE
scripts/tools.py:48 — subprocess.run executes memory_ops.py; scripts/save_session.py:35 — subprocess.run

Environment variables · Pass
Declared: READ · Inferred: READ
scripts/config.py:14-17, store.py:32-34 — reads OLLAMA_URL, MILVUS_HOST, etc.

Skill invocation · Pass
Declared: WRITE · Inferred: WRITE
SKILL.md declares 6 tool interfaces

Suspicious artifacts and outbound connections

High risk · IP address
172.17.0.1

scripts/config.py:12

Medium risk · External URL
http://172.17.0.1:18778

scripts/config.py:12

Medium risk · External URL
http://172.17.0.1:18779/v1/embeddings

scripts/store.py:33

Medium risk · External URL
http://host.docker.internal:11434

scripts/store.py:37

Dependencies and supply chain

Package · Version · Source · Vulnerabilities · Notes
pymilvus · unpinned · pip · - · Used for Milvus vector storage, imported conditionally
jieba · unpinned · pip · - · Chinese segmentation, imported conditionally
urllib.request · stdlib · Python · - · Used for HTTP calls to Ollama and embedding API

File composition

9 files · 1648 lines
Python · 7 files · 1492 lines
Markdown · 2 files · 156 lines
Files needing attention · 4
scripts/store.py · Python · 370 lines
Undeclared LLM data transmission · Embedding API call sends all content to external service · http://172.17.0.1:18779/v1/embeddings · http://host.docker.internal:11434
scripts/tools.py · Python · 250 lines
Undeclared shell execution via subprocess
SKILL.md · Markdown · 118 lines
SKILL.md hides external service dependencies · SKILL.md installation modifies AGENTS.md with shell commands
scripts/config.py · Python · 24 lines
Hardcoded Docker bridge IP addresses as default service endpoints · 172.17.0.1 · http://172.17.0.1:18778
Other files · memory_ops.py · fts5.py · search.py · save_session.py · README.md

Security highlights

No credential theft indicators — skill does not access ~/.ssh, ~/.aws, or .env files
No obfuscation detected — no base64-encoded strings or anti-analysis patterns
No reverse shell or C2 infrastructure — no suspicious outbound connections beyond documented API calls
File operations are scoped to a dedicated memory data directory (~/.openclaw/workspace/memory-workflow-data/)
Version pinning available for external dependencies (pymilvus in requirements would show versions)
FTS5 and file storage work without external dependencies, matching documentation