Security Decision Report

token-sop

The skill implements legitimate workflow caching, but its documentation is deceptive: it claims 'no sensitive data upload' while uploading all session workflows to the cloud by default, and it contains a configuration bypass that ignores user settings.

Installation decision priority · Source: manual upload · Scan time: 2026/4/4
Files: 32
IOCs: 2
Over-privilege items: 2
Findings: 5
Most direct threat evidence
High · Documentation deception
Misleading privacy claim

SKILL.md claims '隐私安全 - 本地存储,不上传敏感数据' (privacy-safe: local storage, no sensitive data uploaded), but the skill defaults to auto_contribute=true, uploading all successful session workflows to api.ainclaw.com

SKILL.md:14

Why this conclusion

2 of 4 dimensions triggered
Block
Declared vs actual capabilities

Found 2 capabilities or over-privileged behaviors beyond what is declared.

Review
Hidden execution and outbound connections

Extracted 2 general-risk artifacts; these need contextual judgment.

Block
Attack chain and high-risk findings

The report contains no attack chain (0 steps), plus 2 high or critical findings.

Review
Dependencies and supply-chain hygiene

Found 1 dependency or supply-chain lead that needs attention.

How the risk score was raised

Doc deception - privacy claim mismatch +20

SKILL.md states '不上传敏感数据' (no sensitive data uploaded), but auto_contribute defaults to true, uploading all workflows

Configuration bypass +15

Code hardcodes {enabled:true}, ignoring the user's config.get('local_store_enabled') setting

Undeclared filesystem access +10

filesystem:WRITE is not declared in permissions but is used for ~/.openclaw/workflows

Key evidence

High · Documentation deception

Misleading privacy claim

SKILL.md claims '隐私安全 - 本地存储,不上传敏感数据' (privacy-safe: local storage, no sensitive data uploaded), but the skill defaults to auto_contribute=true, uploading all successful session workflows to api.ainclaw.com

SKILL.md:14
Fix: Update the documentation to state clearly that workflows are uploaded to the cloud by default, and document the PII sanitization mechanism
High · Documentation deception

Configuration bypass - local_store_enabled ignored

The interceptor hardcodes {storageDir:'', enabled:true} in multiple places, completely ignoring the user's local_store_enabled config setting

src/interceptor.ts:58
Fix: Use the actual config values: config.get('local_store_enabled') and config.get('local_store_dir')
Medium · Privilege escalation

Undeclared filesystem write access

The skill.json permissions list browser, lobster, sessions_history and network but do not declare filesystem access, yet the code writes to ~/.openclaw/workflows

skill.json:11
Fix: Add filesystem:WRITE to the declared permissions if local storage is a core feature
Medium · Data exfiltration

Automatic workflow exfiltration to the cloud

The onSessionComplete hook automatically compiles and uploads session traces to the cloud without explicit user consent beyond the deceptive 'privacy' claim

src/interceptor.ts:120
Fix: Default auto_contribute to false, or require explicit opt-in
Low · Sensitive access

Falls back to /root for HOME

DEFAULT_STORAGE_DIR uses process.env.HOME || '/root', so workflows may be stored under /root if HOME is unset

src/local-store.ts:36
Fix: Remove the fallback to /root, or handle the unset-HOME case explicitly
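The configuration-bypass, default-upload and /root-fallback findings above all come down to how the interceptor derives its settings. As an added example (not code from the token-sop skill: the names storageSettingsBroken, storageSettingsFixed, shouldContribute, planSessionComplete, the ConfigStore shape and the sanitize() regexes are assumptions, and the broken variant is reconstructed from the findings rather than quoted from src/interceptor.ts), this TypeScript shows the flagged pattern beside a version that honors local_store_enabled / local_store_dir, treats auto_contribute as opt-in only, refuses a missing HOME instead of defaulting to /root, and runs the sanitizer before anything leaves the machine:

```typescript
import * as os from "node:os";
import * as path from "node:path";

// Assumed shape of the skill's config object (hypothetical; not the project's real API).
interface ConfigStore {
  get(key: string): unknown;
}

interface StorageSettings {
  enabled: boolean;
  storageDir: string;
}

// The pattern the report flags at src/interceptor.ts:58 and src/local-store.ts:36,
// reconstructed from the findings (not a quote of those files): the user's setting is
// never consulted and an unset HOME silently becomes /root.
function storageSettingsBroken(_config: ConfigStore, env: NodeJS.ProcessEnv): StorageSettings {
  const home = env.HOME || "/root";
  return { storageDir: path.join(home, ".openclaw", "workflows"), enabled: true };
}

// Hardened variant: honor local_store_enabled / local_store_dir, resolve the home
// directory through os.homedir(), and refuse to run rather than fall back to /root.
function storageSettingsFixed(
  config: ConfigStore,
  env: NodeJS.ProcessEnv = process.env,
  homedir: () => string = os.homedir,
): StorageSettings {
  const enabledRaw = config.get("local_store_enabled");
  // Local storage is the documented feature, so it stays on unless explicitly disabled.
  const enabled = typeof enabledRaw === "boolean" ? enabledRaw : true;
  const dirRaw = config.get("local_store_dir");
  if (typeof dirRaw === "string" && dirRaw.length > 0) {
    return { enabled, storageDir: dirRaw };
  }
  const home = env.HOME || homedir();
  if (!home) {
    throw new Error("cannot determine home directory; refusing to fall back to /root");
  }
  // POSIX-style paths are assumed throughout this example.
  return { enabled, storageDir: path.join(home, ".openclaw", "workflows") };
}

// Cloud contribution is opt-in: only an explicit boolean true enables it.
function shouldContribute(config: ConfigStore): boolean {
  return config.get("auto_contribute") === true;
}

interface SessionHistory {
  id: string;
  actions: string[];
}

// Illustrative PII scrubbing (the report says src/sanitizer.ts exists but does not show it).
function sanitize(text: string): string {
  return text
    .replace(/[\w.+-]+@[\w-]+\.[\w.-]+/g, "[email]")
    .replace(/Bearer\s+[A-Za-z0-9._~+/-]+=*/g, "Bearer [token]");
}

interface SessionEffects {
  localPath: string | null; // where the workflow would be written, or null if local store is off
  uploadBody: string | null; // sanitized payload that would be POSTed, or null if not opted in
}

// onSessionComplete rewritten as a planner: it returns what would be written and what
// would be uploaded instead of doing it, so the gating can be checked without disk or network.
function planSessionComplete(
  history: SessionHistory,
  config: ConfigStore,
  env: NodeJS.ProcessEnv = process.env,
): SessionEffects {
  const storage = storageSettingsFixed(config, env);
  const workflow = JSON.stringify({ id: history.id, steps: history.actions });
  return {
    localPath: storage.enabled ? path.join(storage.storageDir, history.id + ".json") : null,
    uploadBody: shouldContribute(config) ? sanitize(workflow) : null,
  };
}

// Builds a ConfigStore from a plain object (demo convenience, not the skill's loader).
function mapConfig(values: Record<string, unknown>): ConfigStore {
  return { get: (key: string) => values[key] };
}

// Constructed sample session (not a real trace).
const SAMPLE_SESSION: SessionHistory = {
  id: "s1",
  actions: ["login as alice@example.com", "curl -H 'Authorization: Bearer abc.def-123'"],
};

console.log(planSessionComplete(SAMPLE_SESSION, mapConfig({}), { HOME: "/home/alice" }));
```

planSessionComplete returns the intended effects rather than performing them; a real hook would hand localPath to the local store and uploadBody to the cloud client. Only a boolean true enables contribution, so a string "true" from a mistyped config file does not silently opt the user in.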

Declared capabilities vs actual capabilities

Filesystem · Block
Declared: NONE
Inferred: WRITE
src/local-store.ts:36 - fs.writeFileSync(filePath, JSON.stringify(data))
Network access · Block
Declared: READ
Inferred: WRITE
src/cloud-client.ts:45 - POST to /v1/lobsters/contribute sends full workflow data
Browser · Pass
Declared: READ
Inferred: READ
skill.json:permissions includes browser
sessions_history · Pass
Declared: READ
Inferred: READ
src/interceptor.ts:122 - reads history.actions for compilation
lobster · Pass
Declared: READ
Inferred: WRITE
skill.json:permissions includes lobster
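The declared-versus-inferred table is a check a reviewer can reproduce before installing a skill. As an added example (not the scanner's or the skill's code: the regex rules, the capability-to-level shape assumed for skill.json permissions, and the sample sources are constructed from the evidence lines the report cites), this TypeScript scans source text for capability use, keeps the strongest level found per capability, and marks any capability the code needs beyond what is declared as Block:

```typescript
type Level = "NONE" | "READ" | "WRITE";
const RANK: Record<Level, number> = { NONE: 0, READ: 1, WRITE: 2 };

interface Rule {
  capability: string;
  level: Level;
  pattern: RegExp;
}

// Source patterns and the capability level each implies. Regex over lines rather than an
// AST walk: crude, but enough to reproduce the report's table on the sample below.
const RULES: Rule[] = [
  { capability: "filesystem", level: "WRITE", pattern: /\bfs\.(writeFile|writeFileSync|appendFile|appendFileSync|mkdirSync|rmSync)\b/ },
  { capability: "filesystem", level: "READ", pattern: /\bfs\.(readFile|readFileSync|readdirSync|existsSync)\b/ },
  { capability: "network", level: "WRITE", pattern: /method\s*:\s*["'`](POST|PUT|PATCH|DELETE)["'`]/i },
  { capability: "network", level: "READ", pattern: /\b(fetch|request)\s*\(/ },
  { capability: "sessions_history", level: "READ", pattern: /\bhistory\.actions\b/ },
];

interface Evidence { file: string; line: number; text: string }
interface Inferred { level: Level; evidence: Evidence[] }

// Scan every file line by line; keep the highest level seen per capability and one
// evidence entry per matching line.
function inferCapabilities(files: Record<string, string>): Record<string, Inferred> {
  const out: Record<string, Inferred> = {};
  for (const file of Object.keys(files)) {
    const lines = files[file].split("\n");
    for (let i = 0; i < lines.length; i++) {
      const text = lines[i];
      for (const rule of RULES) {
        if (!rule.pattern.test(text)) continue;
        const cur: Inferred = out[rule.capability] || { level: "NONE", evidence: [] };
        if (RANK[rule.level] > RANK[cur.level]) cur.level = rule.level;
        const last = cur.evidence[cur.evidence.length - 1];
        if (!last || last.file !== file || last.line !== i + 1) {
          cur.evidence.push({ file, line: i + 1, text: text.trim() });
        }
        out[rule.capability] = cur;
      }
    }
  }
  return out;
}

interface Verdict {
  capability: string;
  declared: Level;
  inferred: Level;
  verdict: "Pass" | "Block";
  evidence: Evidence[];
}

// Block whenever the code needs more than skill.json declares; Pass otherwise.
function compareCapabilities(declared: Record<string, Level>, files: Record<string, string>): Verdict[] {
  const inferred = inferCapabilities(files);
  const names: string[] = [];
  for (const n of Object.keys(declared).concat(Object.keys(inferred))) {
    if (names.indexOf(n) === -1) names.push(n);
  }
  names.sort();
  return names.map((capability): Verdict => {
    const d: Level = declared[capability] || "NONE";
    const i: Inferred = inferred[capability] || { level: "NONE", evidence: [] };
    return { capability, declared: d, inferred: i.level, verdict: RANK[i.level] > RANK[d] ? "Block" : "Pass", evidence: i.evidence };
  });
}

// Render rows in the same shape the report's table uses.
function formatVerdicts(verdicts: Verdict[]): string[] {
  const rows: string[] = [];
  for (const v of verdicts) {
    rows.push(v.capability + " " + v.verdict + " (declared " + v.declared + ", inferred " + v.inferred + ")");
    for (const e of v.evidence) rows.push("  " + e.file + ":" + e.line + " - " + e.text);
  }
  return rows;
}

// Constructed sample sources modeled on the report's evidence lines (not the real files).
const SAMPLE_FILES: Record<string, string> = {
  "src/local-store.ts": [
    'import * as fs from "node:fs";',
    "export function save(filePath: string, data: unknown): void {",
    "  fs.writeFileSync(filePath, JSON.stringify(data));",
    "}",
  ].join("\n"),
  "src/cloud-client.ts": [
    'import { request } from "undici";',
    "export function contribute(body: string) {",
    '  return request("https://api.ainclaw.com/v1/lobsters/contribute", { method: "POST", body });',
    "}",
  ].join("\n"),
  "src/interceptor.ts": [
    "export function compile(history: { actions: string[] }): string[] {",
    "  return history.actions.slice();",
    "}",
  ].join("\n"),
};

// skill.json permissions as the report lists them, in an assumed capability -> level shape.
const SAMPLE_DECLARED: Record<string, Level> = { browser: "READ", lobster: "READ", sessions_history: "READ", network: "READ" };

console.log(formatVerdicts(compareCapabilities(SAMPLE_DECLARED, SAMPLE_FILES)).join("\n"));
```

On the sample this reproduces the filesystem and network Block rows and the sessions_history Pass row. A regex pass will miss calls made through aliases or dynamic property access and can over-count string literals, so treat it as a triage step and confirm each Block against the cited line before acting on it.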

Suspicious artifacts and outbound connections

Medium · External URL
https://api.ainclaw.com

SKILL.md:45

Medium · External URL
https://clawhub.dev/skills/token-sop

skill.json:7

Dependencies and supply chain

Package      Version   Source           Vulnerabilities   Notes
undici       ^7.2.0    npm              -                 HTTP client; caret range, not an exact pin
typescript   ^5.7.0    devDependencies  -                 Build tool only
@types/node  ^22.0.0   devDependencies  -                 Type definitions only

File composition

32 files · 2514 lines
TypeScript: 17 files · 1405 lines
JavaScript: 9 files · 883 lines
JSON: 4 files · 143 lines
Markdown: 2 files · 83 lines
Files needing attention · 2
src/interceptor.ts TypeScript · 265 lines
Configuration bypass - local_store_enabled ignored · Automatic workflow exfiltration to the cloud
src/local-store.ts TypeScript · 229 lines
Falls back to /root for HOME
Other files · interceptor.js · local-store.js · sanitizer.js · sanitizer.ts · trace-compiler.js · trace-compiler.ts +4

Security highlights

PII sanitizer exists and is applied before cloud upload (src/sanitizer.ts)
No credential harvesting or password theft detected
No reverse shell or remote code execution patterns
No base64-encoded malicious payloads
Dependencies are minimal (undici only) and reasonable for HTTP