instreet-gomoku Security Report — Suspicious | ClawSafe

42 /100

instreet-gomoku

InStreet五子棋AI。在InStreet桌游室进行五子棋对局时，自动计算最佳落子并提交。支持威胁检测，优先防守对手的活三/冲四。

Skill contains hardcoded API credentials and undeclared shell/network access with shadow functionality not reflected in documentation.

Skill Nameinstreet-gomoku

Duration42.2s

Enginepi

⚠

Use with caution

Remove hardcoded API key and replace with environment variable; declare all subprocess and network operations in SKILL.md; do not hardcode Windows-specific paths.

Findings 5 items

Severity	Finding	Location
High	Hardcoded API credential in source code Credential Theft API key 'sk_inst_adfe55c5fe69ca780201cb466bebbbce' is hardcoded as a plaintext string in instreet_gomoku.py:12 and gomoku_bot.py:14. This exposes a live credential in source code, making it trivially extractable and vulnerable to revocation/reuse. `API_KEY = 'sk_inst_adfe55c5fe69ca780201cb466bebbbce'` → Use os.environ.get('INSTREET_API_KEY') exclusively; remove all hardcoded fallback keys. Never commit credentials to version control.	`instreet_gomoku.py:12`
Medium	Undeclared subprocess shell execution Doc Mismatch katagomo_simple.py:87-92 uses subprocess.Popen to execute the KataGomo game engine binary (gom15x_trt.exe) with GTP protocol commands. This shell execution is not mentioned anywhere in SKILL.md, which only describes KataGomo as a 'GTP bridge' without revealing the subprocess dependency. `proc = subprocess.Popen([engine, 'gtp', '-config', config, '-model', model, ...], stdin=fin, stdout=subprocess.PIPE, ...)` → Declare subprocess usage in SKILL.md capabilities section. Note that this requires a local KataGomo engine installation.	`katagomo_simple.py:87`
Medium	Undeclared outbound network requests Doc Mismatch SKILL.md declares no network permissions, yet both instreet_gomoku.py and gomoku_bot.py make HTTPS requests to instreet.coze.site/api/v1/games/* endpoints for room creation, move submission, and activity polling. This is shadow network behavior. `BASE_URL = 'https://instreet.coze.site/api/v1/games'` → Declare network:READ and network:WRITE permissions in SKILL.md with the specific domain allowlisted.	`gomoku_bot.py:32`
Medium	Hardcoded Windows-specific engine path Supply Chain katagomo_simple.py:15 hardcodes KATAGOMO_DIR to 'D:\Games\KataGomo', a Windows-specific absolute path. The skill will fail on Linux/macOS with a confusing path error, and the dependency on an external binary is not documented. `KATAGOMO_DIR = r"D:\Games\KataGomo"` → Make the engine path configurable via environment variable (KATAGOMO_DIR). Document the external dependency clearly in SKILL.md.	`katagomo_simple.py:15`
Low	API key exposed in SKILL.md notes section Sensitive Access SKILL.md:112 mentions the API key in plaintext within the documentation notes: 'API Key: 已配置在代码中 sk_inst_adfe55c5fe69ca780201cb466bebbbce'. While not a code-level hardcode, exposing the key in docs increases exposure risk. `API Key：已配置在代码中 sk_inst_adfe55c5fe69ca780201cb466bebbbce` → Remove the API key value from documentation entirely. Reference only that the key should be set via INSTREET_API_KEY environment variable.	`SKILL.md:112`

Resource	Declared	Inferred	Status	Evidence
Filesystem	`NONE`	`NONE`	—	No file write operations found; temp file ops are in subprocess working dir only
Network	`NONE`	`READ`	✗ Violation	instreet_gomoku.py:13-14, gomoku_bot.py:32-33 make urllib requests to instreet.c…
Shell	`NONE`	`WRITE`	✗ Violation	katagomo_simple.py:87 subprocess.Popen executes external binary; gomoku_bot.py h…
Environment	`NONE`	`READ`	✓ Aligned	gomoku_bot.py:13 reads INSTREET_API_KEY from os.environ (falls back to hardcoded…
Skill Invoke	`NONE`	`NONE`	—	No skill_invoke usage
Clipboard	`NONE`	`NONE`	—	No clipboard access
Browser	`NONE`	`NONE`	—	No browser usage
Database	`NONE`	`NONE`	—	No database access

1 High 3 findings

🔑

High API Key 疑似硬编码凭证

API_KEY = 'sk_inst_adfe55c5fe69ca780201cb466bebbbce'

instreet_gomoku.py:12

🔗

Medium External URL 外部 URL

https://instreet.coze.site/api/v1/games

gomoku_bot.py:32

🔗

Medium External URL 外部 URL

https://instreet.coze.site/games/

gomoku_bot.py:359

File Tree

6 files · 58.1 KB · 1744 lines

Python 3f · 1523L Markdown 3f · 221L

├─ 🐍 gomoku_bot.py Python 400L · 12.7 KB

├─ 🐍 instreet_gomoku.py Python 939L · 34.3 KB

├─ 🐍 katagomo_simple.py Python 184L · 6.6 KB

├─ 📝 publish-info.md Markdown 37L · 680 B

├─ 📝 README.md Markdown 68L · 1.2 KB

└─ 📝 SKILL.md Markdown 116L · 2.7 KB

Dependencies 4 items

Package	Version	Source	Known Vulns	Notes
`numpy`	`unpinned`	import	No	No requirements.txt; numpy imported but version not pinned
`subprocess`	`stdlib`	stdlib	No	Standard library used to execute KataGomo engine
`urllib`	`stdlib`	stdlib	No	Standard library used for HTTP API calls
`KataGomo gom15x_trt.exe`	`unknown`	external binary	No	External Windows binary referenced by hardcoded path; not included in package

Security Positives

✓ No obfuscation detected (no base64, eval, or anti-analysis techniques)

✓ No credential exfiltration or data theft behavior observed

✓ Network requests target a legitimate game API (instreet.coze.site) and are functionally necessary

✓ No access to sensitive paths like ~/.ssh, ~/.aws, or .env files

✓ No persistence mechanisms (no cron, startup hooks, or backdoors)

✓ Subprocess usage is for a legitimate game engine (KataGomo GTP), not malicious command execution

Scan Report

Findings 5 items

File Tree

Dependencies 4 items

Security Positives