Security Decision Report

ai-content-pipeline

Skill exposes production credentials in .env file and has an unpinned external dependency, though core functionality appears legitimate without malicious behavior.

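Install decision first · Source: manual upload · Scan time: 2026/4/4
Files 24
IOC 12
Privilege overreach items 0
Findings 4
Most direct threat evidence
High risk · Credential theft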
Production API credentials in .env file

The .env file contains a real OpenAI API key, Apify token, Facebook App Secret, and Page Access Token. If this file is committed to version control or shared, all credentials are exposed to attackers.

.env:7

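Why this conclusion was reached

2/4 dimensions triggered
Pass
Declared vs. actual capabilities

Declared resources are broadly consistent with inferred capabilities.

Block
Hidden execution and outbound connections

Extracted 1 high-risk IOC or outbound-connection signal.

Block
Attack chain and high-risk findings

The report contains a 0-step attack chain, plus 1 high-risk or critical finding.

Review
Dependency and supply-chain hygiene

Found 5 dependency or supply-chain indicators that need attention.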

How the risk score was raised

Production credentials in .env file +25

Real OpenAI, Apify, and Facebook API keys/tokens are present in .env - critical if exposed or committed

Credential prefixes shown in README.md +10

README.md lines 102-103 show the sk-proj- and apify_api_ prefixes in plain-text documentation

Unpinned external dependency +10

openclaw>=2026.3.0 allows future malicious updates without version constraint

Most critical evidence

High risk · Credential theft

Production API credentials in .env file

The .env file contains a real OpenAI API key, Apify token, Facebook App Secret, and Page Access Token. If this file is committed to version control or shared, all credentials are exposed to attackers.

.env:7
Remove all real credentials. Use only placeholder values (e.g., OPENAI_API_KEY=your_key_here). Add .env to .gitignore (already present) and never commit.
Medium risk · Documentation deception

Credential prefixes exposed in documentation

README.md lines 102-103 display partial API key prefixes in a credentials table, which could aid attackers in identifying the key type.

README.md:102
Remove credential examples from README.md. Use generic placeholders like 'your_openai_key' instead of showing real prefixes.
Medium risk · Supply chain

External dependency with unpinned version

requirements.txt specifies 'openclaw>=2026.3.0' without an upper bound. This allows the package maintainer to push malicious updates that would be automatically installed.

requirements.txt:12
Pin to a specific version: openclaw==2026.3.0
Low risk · Sensitive access

Chrome User-Agent flagged as hardcoded IP (false positive)

The pre-scan flagged '131.0.0.0' as a hardcoded IP in crawler_agent.py:27. This is actually part of the Chrome browser version string in the User-Agent header, not an IP address.

agents/crawler_agent.py:27
No action needed - this is a false positive from the scanner.

Declared capabilities vs. actual capabilities

File system · Pass
Declared READ
Inferred READ
All file operations are for config loading and output writing (legitimate)
Network access · Pass
Declared READ
Inferred READ
requests.get/post to legitimate APIs: Gemini, OpenAI, Apify, Facebook Graph API
Command execution · Pass
Declared NONE
Inferred NONE
No subprocess, os.system, or shell execution found
Environment variables · Pass
Declared READ
Inferred READ
os.getenv() used only for documented API keys (config.py)

Suspicious artifacts and outbound connections

High risk · IP address
131.0.0.0

agents/crawler_agent.py:27

Medium risk · External URL
https://dantri.com.vn/...

README.md:53

Medium risk · External URL
https://www.facebook.com/...

README.md:56

Medium risk · External URL
https://vnexpress.net/...

SKILL.md:54

Medium risk · External URL
https://dantri.com.vn/suc-manh-so/cong-nghe-ai-tao-sinh-dang-thay-doi-nganh-truyen-thong-nhu-the-nao-20240101000000000.htm

agents/crawler_agent.py:204

Medium risk · External URL
https://www.facebook.com/

agents/fb_publisher_agent.py:107

Medium risk · External URL
https://developers.facebook.com/tools/explorer[/link

agents/fb_token_helper.py:81

Medium risk · External URL
https://dantri.com.vn/example

agents/writer_agent.py:156

Medium risk · External URL
https://graph.facebook.com/

config.py:33

Medium risk · External URL
https://dantri.com.vn/some-article.htm

main.py:310

Medium risk · External URL
https://graph.facebook.com

skills/facebook/references/graph-api-overview.md:4

Medium risk · External URL
https://graph.facebook.com/vXX.X

skills/facebook/references/graph-api-overview.md:5

Dependencies and supply chain

| Package | Version | Source | Vulnerabilities | Notes |
| openai | >=1.30.0 | pip | | Version not pinned but package is reputable |
| requests | >=2.31.0 | pip | | Version not pinned but package is reputable |
| apify-client | >=1.7.0 | pip | | Version not pinned but package is reputable |
| openclaw | >=2026.3.0 | pip | | Version not pinned - supply chain risk |
| google-genai | >=1.0.0 | pip | | Official Google package - reputable |
| beautifulsoup4 | >=4.12.0 | pip | | Well-known package |
| openclaw | >=2026.3.0 | pip | | CRITICAL: Version not pinned - allows malicious updates |

File composition

24 files · 2010 lines
Python 12 files · 1522 lines
Markdown 8 files · 381 lines
Text 2 files · 68 lines
Other 1 file · 27 lines
Ignore 1 file · 12 lines
Files needing attention · 9
agents/fb_token_helper.py Python · 150 lines
https://developers.facebook.com/tools/explorer[/link
.env Other · 27 lines
Production API credentials in .env file
skills/facebook/references/permissions-and-tokens.md Markdown · 21 lines
main.py Python · 393 lines
https://dantri.com.vn/some-article.htm
agents/crawler_agent.py Python · 206 lines
Chrome User-Agent flagged as hardcoded IP (false positive) · 131.0.0.0 · https://dantri.com.vn/suc-manh-so/cong-nghe-ai-tao-sinh-dang-thay-doi-nganh-truyen-thong-nhu-the-nao-20240101000000000.htm
agents/fb_publisher_agent.py Python · 180 lines
https://www.facebook.com/
agents/writer_agent.py Python · 169 lines
https://dantri.com.vn/example
README.md Markdown · 128 lines
Credential prefixes exposed in documentation · https://dantri.com.vn/... · https://www.facebook.com/...
config.py Python · 74 lines
https://graph.facebook.com/
Other files · output_log.txt · image_agent.py · test_fb_connection.py

Security highlights

No shell execution (subprocess, os.system, eval, or base64 decoding)
No credential harvesting - credentials used only for legitimate API calls
No data exfiltration - all network calls go to documented services (Facebook, Gemini, OpenAI, Apify)
No obfuscation - code is well-structured and readable
SKILL.md accurately describes all capabilities and permissions
Proper use of .gitignore to exclude .env
All dependencies except openclaw are properly version-pinned
No hidden functionality or undocumented behavior detected