安全决策报告
ai-enterprise-knowledge-base
This skill lacks any executable implementation — package.json declares index.js as the entry point but no such file exists, and no scripts are present despite the skill describing a full enterprise knowledge base system.
最直接的威胁证据
01
Skill presents as legitimate enterprise knowledge base with comprehensive documentation and branding 初始入口 · SKILL.md
02
Actual code is never bundled — package.json references non-existent index.js delivery · package.json
03
SKILL.md instructs user to git clone openclaw/openclaw from GitHub at installation time, loading unaudited code delivery · SKILL.md
为什么得出这个结论
1/4 个维度触发 通过
声明与实际能力
声明资源与推断能力基本一致。
复核
隐藏执行与外联
提取到 1 个一般风险产物,需要结合上下文判断。
阻止
攻击链与高危发现
报告包含 4 步攻击链,另有 1 项高危或严重发现。
复核
依赖与供应链卫生
没有完整依赖信息,供应链判断需要保留弹性。
攻击链
01
Skill presents as legitimate enterprise knowledge base with comprehensive documentation and branding
初始入口 · SKILL.md:1
02
Actual code is never bundled — package.json references non-existent index.js
delivery · package.json:3
03
SKILL.md instructs user to git clone openclaw/openclaw from GitHub at installation time, loading unaudited code
delivery · SKILL.md:20
04
Unknown code executes in the user's environment — capabilities (filesystem, network, credentials) are entirely unconstrained and unauditable
最终危害 · N/A
风险分是怎么被拉高的
No implementation files present +20
SKILL.md and package.json exist but no scripts, source code, or index.js exist despite package.json referencing index.js as entry point
Remote code execution dependency +15
SKILL.md instructs users to 'git clone https://github.com/openclaw/openclaw.git' — actual payload code is fetched from an external, unaudited repository
Doc-to-code mismatch / doc deception +15
Skill advertises enterprise features (LDAP auth, channel integrations, knowledge graphs) but provides no code to verify any claims
Undeclared external domain contact +5
Support email ([email protected]) and Telegram (@openclaw_service) point to external entity not present in the skill package
最关键的证据
高危 供应链
Remote code execution via git clone
SKILL.md instructs users to run 'git clone https://github.com/openclaw/openclaw.git && cd openclaw && npm install'. This fetches the entire codebase from an external, unaudited repository at installation time, bypassing all local code review.
SKILL.md:20 Block any skill that instructs users to clone and execute code from external repositories. All code must be bundled within the skill package for offline review.
中危 文档欺骗
No executable implementation present
package.json declares 'index.js' as the main entry point but no such file exists in the skill package. The skill consists entirely of marketing documentation with no auditable code.
package.json:3 Reject this skill until full source code is provided for security review. A skill that cannot execute any code has no verifiable security posture.
中危 文档欺骗
Feature claims unsupported by implementation
SKILL.md advertises LDAP/OAuth/SAML authentication, multi-channel integrations (Feishu/WeChat/DingTalk/Slack), vector database support, and knowledge graph extraction — yet no code exists to verify any of these claims.
SKILL.md:1 Any skill claiming sensitive capabilities (auth, integrations, credential handling) must include verifiable source code.
低危 文档欺骗
External support contact for unaudited entity
Support email ([email protected]) and Telegram (@openclaw_service) reference an external organization not represented in the skill package itself.
SKILL.md:99 Verify the legitimacy of external contacts before engaging support. Do not share credentials or sensitive data with unverified contacts.
声明能力 vs 实际能力
文件系统 通过
声明 NONE
→ 推断 NONE
No implementation files present — capabilities cannot be determined 网络访问 通过
声明 NONE
→ 推断 NONE
SKILL.md references localhost:3000 API endpoints and external LLM providers (deepseek), but no code exists to audit actual network behavior 命令执行 通过
声明 NONE
→ 推断 NONE
No shell scripts found; however, SKILL.md instructs git clone from github.com/openclaw/openclaw which implies runtime script execution 环境变量 通过
声明 NONE
→ 推断 NONE
No code present to audit environment access 技能调用 通过
声明 NONE
→ 推断 NONE
No skill invocation code found 剪贴板 通过
声明 NONE
→ 推断 NONE
No code present 浏览器 通过
声明 NONE
→ 推断 NONE
No code present 数据库 通过
声明 NONE
→ 推断 NONE
SKILL.md describes vector DB integration (milvus/pinecone) but no database code exists to audit 可疑产物与外联
依赖与供应链
没有结构化依赖告警。
文件构成
2 个文件 · 122 行
Markdown 1 个文件 · 104 行JSON 1 个文件 · 18 行
需关注文件 · 2
SKILL.md Remote code execution via git clone · Feature claims unsupported by implementation · External support contact for unaudited entity · [email protected]
package.json No executable implementation present
安全亮点
No hard-coded credentials, API keys, or tokens found in the skill package
No base64-encoded payloads, eval() calls, or obfuscated code patterns observed
No direct network requests to suspicious IPs or C2 infrastructure found
No subprocess/shell execution code present in the local skill files
No sensitive file access patterns detected (no ~/.ssh, ~/.aws, .env access in local code)
No cron jobs, startup scripts, or persistence mechanisms found