安全决策报告
China Stock Sentiment
The skill uses undeclared shell execution (child_process.execSync) to invoke another skill, a capability not declared in SKILL.md's documented allowed-tools or capability model.
最直接的威胁证据
01
SKILL.md presents skill as '舆情监控' using 'web_fetch/web_search' and skill references only 初始入口 · SKILL.md
02
Hidden shell:WRITE via child_process.execSync runs 'openclaw skill run baidu-hot-cn' 权限提升 · index.js
03
Filesystem WRITE to memory/stock-sentiment/reports/ not declared in capability model 权限提升 · index.js
为什么得出这个结论
2/4 个维度触发 阻止
声明与实际能力
发现 2 项声明之外的能力或越权行为。
复核
隐藏执行与外联
提取到 2 个一般风险产物,需要结合上下文判断。
阻止
攻击链与高危发现
报告包含 3 步攻击链,另有 1 项高危或严重发现。
通过
依赖与供应链卫生
依赖结构存在,但暂未看到明显高危告警。
攻击链
01
SKILL.md presents skill as '舆情监控' using 'web_fetch/web_search' and skill references only
初始入口 · SKILL.md:1
02
Hidden shell:WRITE via child_process.execSync runs 'openclaw skill run baidu-hot-cn'
权限提升 · index.js:53
03
Filesystem WRITE to memory/stock-sentiment/reports/ not declared in capability model
权限提升 · index.js:139
风险分是怎么被拉高的
Undeclared shell execution +20
SKILL.md declares 'web_fetch/web_search' but index.js:53 uses execSync('openclaw skill run baidu-hot-cn') — a shell:WRITE operation not mentioned anywhere in documentation.
Undeclared filesystem WRITE +10
saveReport() writes to memory/stock-sentiment/reports/ via fs.writeFileSync, exceeding the read-oriented '数据存储' description in SKILL.md which only names directories without declaring filesystem:WRITE capability.
Doc-to-code capability mismatch +8
SKILL.md frames baidu-hot-cn as a skill reference, hiding the actual subprocess.execSync mechanism. This is a classic doc-deception pattern.
最关键的证据
高危 文档欺骗
Undeclared shell execution via child_process.execSync
index.js imports child_process and uses execSync to run 'openclaw skill run baidu-hot-cn'. SKILL.md only documents 'web_fetch/web_search' and skill references, never mentioning subprocess/shell execution. This hidden mechanism is a significant doc-to-code mismatch.
index.js:53 Replace execSync with a documented skill-invoke API or runtime mechanism. If shell execution is truly needed, declare shell:WRITE in SKILL.md and document why.
中危 权限提升
Undeclared filesystem WRITE beyond documented scope
SKILL.md's '数据存储' section names directories (memory/stock-sentiment/) but never declares filesystem:WRITE. The saveReport() function writes markdown reports to disk, which is write access beyond the 'read news' framing of the skill.
index.js:139 Declare filesystem:WRITE in SKILL.md capability model if file writes are intentional and necessary for the feature.
低危 文档欺骗
Marketing content in SKILL.md not in README.md
SKILL.md contains pricing tables, monetization strategies, and development TODOs that mix user-facing marketing with capability documentation, making it harder to identify actual permitted actions.
SKILL.md:89 Keep SKILL.md focused on declared capabilities and permissions only; move monetization and marketing content to README.md.
声明能力 vs 实际能力
文件系统 阻止
声明 NONE
→ 推断 WRITE
index.js:139 fs.writeFileSync(outputPath, markdown) 命令执行 阻止
声明 NONE
→ 推断 WRITE
index.js:54 execSync('openclaw skill run baidu-hot-cn') 网络访问 通过
声明 READ
→ 推断 NONE (indirect via subprocess)
No direct network calls; web access delegated to baidu-hot-cn skill via subprocess 环境变量 通过
声明 NONE
→ 推断 NONE
No os.environ access detected 可疑产物与外联
中危 外部 URL
https://clawhub.ai/skills/china-stock-sentiment/docs README.md:87
依赖与供应链
| 包名 | 版本 | 来源 | 漏洞 | 备注 |
|---|---|---|---|---|
| fs | builtin | node | 否 | Node.js built-in module — no external dependency risk |
| path | builtin | node | 否 | Node.js built-in module |
| child_process | builtin | node | 否 | Node.js built-in module — used for execSync |
文件构成
3 个文件 · 454 行
Markdown 2 个文件 · 232 行JavaScript 1 个文件 · 222 行
需关注文件 · 3
index.js Undeclared shell execution via child_process.execSync · Undeclared filesystem WRITE beyond documented scope
SKILL.md Marketing content in SKILL.md not in README.md
README.md https://clawhub.ai/skills/china-stock-sentiment/docs · [email protected]
安全亮点
No credential harvesting (no os.environ iteration, no ~/.ssh, no .env access)
No direct IP network requests or outbound data exfiltration
No obfuscation (no base64, no eval patterns)
No curl|bash or wget|sh remote script execution
No persistence mechanisms (no cron, startup hooks, or backdoors)
execSync command string is hardcoded and not user-injectable
No supply chain risks — only uses Node.js built-in modules (fs, path, child_process)