Skill Trust Decision

mind-wander

SKILL.md documents a read-only reasoning agent but the actual implementation contains undeclared arbitrary Python code execution (sandbox_run), filesystem writes (elevate, DEAD_ENDS.md), external network requests, and system cron registration — a significant doc-to-code mismatch.

Install decision first
Source: Manual upload · Scanned: Apr 4, 2026
Files 11
Artifacts 7
Violations 6
Findings 9
Most direct threat evidence
01
User installs skill expecting a read-only background reasoning agent from SKILL.md Entry · SKILL.md
02
install.sh runs automatically, installing pip packages, registering a 30-min cron job, and reading ~/.openclaw/openclaw.json for tokens Delivery · scripts/install.sh
03
sandbox_run() executes arbitrary Python code via subprocess.run(['python3', '-c', ...]) — bypasses weak BLOCKED-list string checks Escalation · scripts/tools.py

Why this conclusion was reached

3/4 dimensions flagged
Block
Declared vs actual capability

6 undeclared or violating capabilities were inferred.

Block
Hidden execution and egress

1 high-risk artifact or egress signal was extracted.

Block
Attack chain and severe findings

The report includes 6 attack-chain steps and 4 severe findings.

Review
Dependencies and supply chain hygiene

4 dependency or supply-chain issues need attention.

Attack Chain

01
User installs skill expecting a read-only background reasoning agent from SKILL.md

Entry · SKILL.md:1

02
install.sh runs automatically, installing pip packages, registering a 30-min cron job, and reading ~/.openclaw/openclaw.json for tokens

Delivery · scripts/install.sh:70

03
sandbox_run() executes arbitrary Python code via subprocess.run(['python3', '-c', ...]) — bypasses weak BLOCKED-list string checks

Escalation · scripts/tools.py:310

04
read_file() and elevate() write arbitrary content to workspace files (MENTAL_EXPLORATION.md, DEAD_ENDS.md, state.json)

Escalation · scripts/tools.py:358

05
search_web() exfiltrates workspace content via Perplexity API calls using the user's API key

Impact · scripts/tools.py:130

06
Cron persistence reinstalls on each run via gateway API — survives skill 'uninstall' if gateway token remains

Impact · scripts/install.sh:151

What drove the risk score up

Undeclared arbitrary code execution +30

sandbox_run() executes arbitrary Python code via subprocess with weak BLOCKED-list filtering, not declared in SKILL.md tool table

Undeclared filesystem WRITE +15

elevate() writes to MENTAL_EXPLORATION.md, wander_graph regenerates DEAD_ENDS.md, install.sh writes ON_YOUR_MIND.md — all undeclared in SKILL.md capability table

Undeclared external network access +10

search_web() POSTs to api.perplexity.ai; embed_sync() calls Ollama endpoint; install.sh downloads from HuggingFace and bootstrap.pypa.io — none declared

Undeclared persistence mechanism +8

install.sh registers a 30-min cron job via gateway API; cron payload embeds Python code as a string — not declared in SKILL.md

Weak sandbox evasion +8

BLOCKED-list uses simple string inclusion — can be bypassed with e.g. 'ex' + 'ec(', f-strings, or 'eval( "os.system(...)" )'

Sensitive credential access +5

search_web() reads ~/.openclaw/openclaw.json for Perplexity API key; cron registration reads same file for gateway token — credential access not declared

Most important evidence

High RCE

Undeclared arbitrary Python code execution via sandbox_run()

sandbox_run() in tools.py executes arbitrary Python code passed by the LLM agent via subprocess.run(['python3', '-c', safe_code]). The BLOCKED-list is a simple string-inclusion check easily bypassed. This capability is entirely absent from SKILL.md's tool table.

scripts/tools.py:310
Declare sandbox_run() explicitly in SKILL.md. Consider stronger sandboxing (namespace sandboxing, seccomp, Docker) or restrict to a curated safe-eval whitelist of mathematical/scientific operations only.
High Doc Mismatch

SKILL.md tool table omits 4 of 8 tools

SKILL.md declares 7 tools (query_graph, search_web, read_file, list_files, sandbox_run, check_dead_ends, record_dead_end, elevate) but the tool table only lists 7 items. Actually all 7 are in the registry, but elevate() and the filesystem WRITE operations are missing from the capability declarations. More critically, the network:WRITE, shell:WRITE, database:READ+WRITE, and persistence capabilities are not declared at all.

SKILL.md:1
Update SKILL.md to accurately declare all 8 resource-level capabilities (filesystem:READ+WRITE, shell:WRITE, network:READ+WRITE, database:READ+WRITE, persistence:WRITE).
High Persistence

Undeclared cron job registration on install

install.sh silently registers a 30-minute cron job via the OpenClaw gateway API, embedding Python code as a string in the message payload. This persistence mechanism is not mentioned anywhere in SKILL.md.

scripts/install.sh:151
Declare cron registration in SKILL.md. Make the cron job registration explicit and user-visible rather than automatic.
High Sensitive Access

Undeclared credential file access

search_web() reads ~/.openclaw/openclaw.json to extract the Perplexity API key as a fallback. The cron registration code also reads this file for the gateway auth token. This credential access is not declared.

scripts/tools.py:137
Declare ~/.openclaw/openclaw.json access in SKILL.md. Document what fields are read and why. Consider using environment variables or a dedicated secrets store instead.
Medium Obfuscation

Weak sandbox BLOCKED-list trivially bypassed

sandbox_run() uses simple string-inclusion checks against a BLOCKED list (e.g., 'exec(', 'eval(', '__import__', 'ctypes'). These can be bypassed via string concatenation, formatting, or base64. The sandbox also lacks resource limits beyond a timeout.

scripts/tools.py:302
Use AST-based parsing to detect dangerous patterns, or whitelist allowed operations. Consider running in a Docker container or gVisor for true isolation.
Medium Supply Chain

Unpinned pip dependencies in install.sh

install.sh installs huggingface_hub, httpx, falkordb, numpy without version pins. This could pull different (potentially vulnerable) versions on re-run.

scripts/install.sh:77
Pin all dependencies to specific versions. Use a requirements.txt or lock file.
Medium Supply Chain

Third-party model download from HuggingFace

The skill downloads a Qwen3.5 GGUF model from a third-party HuggingFace repo (Jackrong/Qwen3.5-9B-Claude-4.6-Opus-Reasoning-Distilled-v2-GGUF) that is not an official Qwen release. The model could have been modified.

scripts/install.sh:99
Document that a third-party distilled model is used. Consider verifying the model's integrity or using an official Qwen repository.
Low Priv Escalation

Hardcoded internal IP addresses expose infrastructure

172.18.0.1 is hardcoded in SKILL.md, mind_wander_config.py, and install.sh as the Ollama and FalkorDB endpoint. This exposes Docker/internal network topology.

SKILL.md:111
Use environment variables for all connection endpoints. Document expected network topology without exposing specific IPs.

1 more finding is not expanded here

Declared capability vs actual capability

Filesystem · Block · Declared: READ · Inferred: WRITE
scripts/tools.py:elevate() writes MENTAL_EXPLORATION.md; scripts/wander_graph.py:regenerate_dead_ends_file() writes DEAD_ENDS.md; scripts/install.sh creates ON_YOUR_MIND.md

Shell · Block · Declared: NONE · Inferred: WRITE
scripts/tools.py:sandbox_run() → subprocess.run(['python3', '-c', safe_code]) executes arbitrary Python; scripts/install.sh runs pip, cp, chmod, curl

Network · Block · Declared: NONE · Inferred: READ+WRITE
scripts/tools.py:search_web() POSTs to api.perplexity.ai; scripts/wander_graph.py:embed_sync() POSTs to Ollama; scripts/install.sh downloads from bootstrap.pypa.io and HuggingFace

Database · Block · Declared: NONE · Inferred: READ+WRITE
scripts/tools.py:query_graph() reads/writes FalkorDB 'workspace' graph; scripts/wander_graph.py:record_dead_end_to_graph() writes 'wander' graph

Environment · Block · Declared: NONE · Inferred: READ
scripts/tools.py:search_web() reads ~/.openclaw/openclaw.json for API key; scripts/run.py reads os.environ for config values

Skill Invoke · Block · Declared: NONE · Inferred: WRITE
scripts/install.sh registers cron jobs via gateway API; SKILL.md does not mention persistence mechanism

Suspicious artifacts and egress

High IP Address
172.18.0.1

SKILL.md:111

Medium External URL
http://172.18.0.1:11436

SKILL.md:111

Medium External URL
https://doi.org/10.1038/nrn.2016.113

references/research.md:21

Medium External URL
https://doi.org/10.1038/nrn1607

references/research.md:27

Medium External URL
https://arxiv.org/abs/2409.02685

references/research.md:33

Medium External URL
https://bootstrap.pypa.io/get-pip.py

scripts/install.sh:75

Medium External URL
https://api.perplexity.ai/chat/completions

scripts/tools.py:130

Dependencies and supply chain

| Package | Version | Source | Known vuln | Notes |
| --- | --- | --- | --- | --- |
| huggingface_hub | * | pip | No | Version not pinned in install.sh |
| httpx | * | pip | No | Version not pinned in install.sh |
| falkordb | * | pip | No | Version not pinned in install.sh |
| numpy | * | pip | No | Version not pinned in install.sh |
| Jackrong/Qwen3.5-9B-Claude-4.6-Opus-Reasoning-Distilled-v2-GGUF | unknown | HuggingFace (third-party) | No | Third-party model repo, not official Qwen — integrity not verifiable |

File composition

11 files · 2167 lines
Python · 7 files · 1654 lines
Markdown · 3 files · 301 lines
Shell · 1 file · 212 lines
Files of concern · 4
scripts/tools.py Python · 622 lines
Undeclared arbitrary Python code execution via sandbox_run() · Undeclared credential file access · Weak sandbox BLOCKED-list trivially bypassed · https://api.perplexity.ai/chat/completions
scripts/install.sh Shell · 212 lines
Undeclared cron job registration on install · Unpinned pip dependencies in install.sh · Third-party model download from HuggingFace · https://bootstrap.pypa.io/get-pip.py
SKILL.md Markdown · 132 lines
SKILL.md tool table omits 4 of 8 tools · Hardcoded internal IP addresses expose infrastructure · Skill description overstates local-only nature · 172.18.0.1 · http://172.18.0.1:11436
references/research.md Markdown · 64 lines
https://doi.org/10.1038/nrn.2016.113 · https://doi.org/10.1038/nrn1607 · https://arxiv.org/abs/2409.02685
Other files · agent.py · wander_graph.py · run.py · prompt.py · mind_wander_config.py · collector.py +1

Security positives

sandbox_run() has a timeout (30s) and line limit (50 lines) — some resource controls exist
sandbox_run() blocks some dangerous imports (subprocess, socket, urllib, requests, httpx, eval, exec, __import__) — at least a basic denylist is present
read_file() has a workspace boundary check to prevent path traversal
The novelty gate (strict criteria for elevate()) means most outputs are benign — findings written to a markdown file
Dead ends are tracked to avoid redundant exploration — reduces unnecessary file writes
SKILL.md exists and provides a reasonable description of the high-level concept
Code is well-structured with docstrings explaining each function's purpose
Uses standard, well-known libraries (httpx, falkordb) rather than obscure custom crypto