Security Decision Report

claw-body

Skill provides legitimate digital avatar functionality but uses undeclared shell execution via execSync for presentation parsing, creating a capability gap between documented and actual behavior.

Install decision first · Source: manual upload · Scan time: 2026/4/3
Files 6
IOC 3
Overreach items 1
Findings 4
Most direct threat evidence
High
Undeclared shell execution via execSync

server.mjs uses child_process.execSync to execute python3 scripts for presentation parsing. This is not declared in SKILL.md metadata (which only lists 'node' as required binary).

server.mjs:305

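Why this conclusion was reached

3 of 4 dimensions triggered
Block
Declared vs. actual capabilities

Found 1 capability or overreaching behavior beyond what is declared.

Block
Hidden execution and outbound connections

Extracted 1 high-severity IOC or outbound-connection signal.

Block
Attack chain and high-severity findings

The report contains an attack chain of 0 steps, plus 1 high or critical finding.

Review
Dependency and supply-chain hygiene

Complete dependency information is not available, so the supply-chain assessment has to remain tentative.

How the risk score was raised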

Undeclared shell execution +25

server.mjs uses child_process.execSync for presentation parsing but SKILL.md metadata only declares 'node' binary, no shell execution declared

Hardcoded demo API key +10

DEMO_CONFIG contains API key sk-ody1Xk9lw_... but this is documented as public demo key for free trial, not user credential theft

Sensitive path access +10

Reads ~/.openclaw/openclaw.json to check gateway config - declared in SKILL.md setup instructions

Key evidence

High

Undeclared shell execution via execSync

server.mjs uses child_process.execSync to execute python3 scripts for presentation parsing. This is not declared in SKILL.md metadata (which only lists 'node' as required binary).

server.mjs:305
Declare shell:WRITE permission or document this behavior explicitly in SKILL.md
Medium

Demo API key present in source code

DEMO_CONFIG contains what appears to be a valid NuwaAI API key for free trial mode. Code comments state these are 'NuwaAI-issued public demo keys with limited quota, NOT user credentials.'

server.mjs:34
Confirm with NuwaAI that these are truly public demo keys with no associated cost or data exposure risk
Low

Permissive CORS configuration

Server sets Access-Control-Allow-Origin to '*' for local development. Acceptable for localhost-only service but worth noting.

server.mjs:135
Restrict to specific origins in production if deployed outside localhost
Low

Undeclared filesystem read access

Reads ~/.openclaw/openclaw.json for gateway token and config. While this is documented in SKILL.md setup instructions, it's not declared in metadata capability requirements.

server.mjs:18
Document filesystem:READ access for OpenClaw config in SKILL.md

Declared capabilities vs. actual capabilities

Filesystem: Pass
Declared NONE
Inferred READ
server.mjs:18 reads ~/.openclaw/openclaw.json
Filesystem: Pass
Declared NONE
Inferred WRITE
server.mjs:56 writes .nuwa-config.json
Command execution: Block
Declared NONE
Inferred WRITE
server.mjs:305-308 execSync python3 for presentation parsing
Network access: Pass
Declared READ
Inferred READ
server.mjs:206-215 fetches nuwaai.com API

Suspicious artifacts and outbound connections

High: API key
apiKey: "sk-ody1Xk9lw_vXkRWEPnaO8OwTFB9gbCnng2EWUl5jNbzolDSlFItc9DvWqrr6RLcL"

server.mjs:34

Medium: External URL
https://nuwaai.com

SKILL.md:25

Medium: External URL
https://api.nuwaai.com/web/apiKey/auth

server.mjs:215

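Dependencies and supply chain

No structured dependency alerts.

File composition

6 files · 2739 lines
HTML 1 file · 1680 lines
JavaScript 3 files · 862 lines
Markdown 1 file · 192 lines
JSON 1 file · 5 lines
Files needing attention · 2
server.mjs JavaScript · 579 lines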
Undeclared shell execution via execSync · Demo API key present in source code · Permissive CORS configuration · Undeclared filesystem read access · apiKey: "sk-ody1Xk9lw_vXkRWEPnaO8OwTFB9gbCnng2EWUl5jNbzolDSlFItc9DvWqrr6RLcL" · https://api.nuwaai.com/web/apiKey/auth
SKILL.md Markdown · 192 lines
https://nuwaai.com
Other files · index.html · i18n.js · pcm-processor.js · _meta.json

Security highlights

No evidence of credential harvesting or exfiltration
No base64-encoded or obfuscated malicious code patterns
No reverse shell, C2, or data theft indicators
Network requests are to legitimate NuwaAI service (documented and necessary)
Presentation parsing execSync is within documented feature scope
No hidden HTML comments or steganography detected
User API keys are stored in local config file, not hardcoded