中文 EN

扫描报告

扫描新文件

高风险 — 风险评分 67/100
上次扫描:1 天前 重新扫描
67 /100
mind-wander
Autonomous background reasoning agent that explores open questions using a local LLM, FalkorDB knowledge graph, and Perplexity web search
SKILL.md documents a read-only reasoning agent but the actual implementation contains undeclared arbitrary Python code execution (sandbox_run), filesystem writes (elevate, DEAD_ENDS.md), external network requests, and system cron registration — a significant doc-to-code mismatch.
技能名称mind-wander
分析耗时83.1s
引擎pi
不要安装此技能
Do not use until SKILL.md is updated to accurately declare all tool capabilities (sandbox_run, elevate, search_web, FalkorDB access, cron registration). sandbox_run() is particularly dangerous as it bypasses the stated no-network sandbox claim through Python exec with weak string-based blocking.

攻击链 6 步

入口 User installs skill expecting a read-only background reasoning agent from SKILL.md
SKILL.md:1
提权 install.sh runs automatically, installing pip packages, registering a 30-min cron job, and reading ~/.openclaw/openclaw.json for tokens
scripts/install.sh:70
提权 sandbox_run() executes arbitrary Python code via subprocess.run(['python3', '-c', ...]) — bypasses weak BLOCKED-list string checks
scripts/tools.py:310
提权 read_file() and elevate() write arbitrary content to workspace files (MENTAL_EXPLORATION.md, DEAD_ENDS.md, state.json)
scripts/tools.py:358
影响 search_web() exfiltrates workspace content via Perplexity API calls using the user's API key
scripts/tools.py:130
影响 Cron persistence reinstalls on each run via gateway API — survives skill 'uninstall' if gateway token remains
scripts/install.sh:151

安全发现 9 项

严重性 安全发现 位置
高危
Undeclared arbitrary Python code execution via sandbox_run() 代码执行
sandbox_run() in tools.py executes arbitrary Python code passed by the LLM agent via subprocess.run(['python3', '-c', safe_code]). The BLOCKED-list is a simple string-inclusion check easily bypassed. This capability is entirely absent from SKILL.md's tool table.
result = subprocess.run(['python3', '-c', safe_code], capture_output=True, text=True, timeout=SANDBOX_TIMEOUT)
→ Declare sandbox_run() explicitly in SKILL.md. Consider stronger sandboxing (namespace sandboxing, seccomp, Docker) or restrict to a curated safe-eval whitelist of mathematical/scientific operations only.
 scripts/tools.py:310
高危
SKILL.md tool table omits 4 of 8 tools 文档欺骗
SKILL.md declares 7 tools (query_graph, search_web, read_file, list_files, sandbox_run, check_dead_ends, record_dead_end, elevate) but the tool table only lists 7 items. Actually all 7 are in the registry, but elevate() and the filesystem WRITE operations are missing from the capability declarations. More critically, the network:WRITE, shell:WRITE, database:READ+WRITE, and persistence capabilities are not declared at all.
SKILL.md declares 'network:READ via WebFetch' in the capability model header but never mentions that search_web() POSTs API keys and queries to an external endpoint
→ Update SKILL.md to accurately declare all 8 resource-level capabilities (filesystem:READ+WRITE, shell:WRITE, network:READ+WRITE, database:READ+WRITE, persistence:WRITE).
 SKILL.md:1
高危
Undeclared cron job registration on install 持久化
install.sh silently registers a 30-minute cron job via the OpenClaw gateway API, embedding Python code as a string in the message payload. This persistence mechanism is not mentioned anywhere in SKILL.md.
httpx.post(f'http://localhost:{port}/api/cron/jobs', headers={'Authorization': f'Bearer {token}'}, json=job)
→ Declare cron registration in SKILL.md. Make the cron job registration explicit and user-visible rather than automatic.
 scripts/install.sh:151
高危
Undeclared credential file access 敏感访问
search_web() reads ~/.openclaw/openclaw.json to extract the Perplexity API key as a fallback. The cron registration code also reads this file for the gateway auth token. This credential access is not declared.
config_path = Path.home() / '.openclaw' / 'openclaw.json'; cfg = json.load(f); api_key = cfg.get('plugins', {}).get('entries', {}).get('perplexity', {})...
→ Declare ~/.openclaw/openclaw.json access in SKILL.md. Document what fields are read and why. Consider using environment variables or a dedicated secrets store instead.
 scripts/tools.py:137
中危
Weak sandbox BLOCKED-list trivially bypassed 代码混淆
sandbox_run() uses simple string-inclusion checks against a BLOCKED list (e.g., 'exec(', 'eval(', '__import__', 'ctypes'). These can be bypassed via string concatenation, formatting, or base64. The sandbox also lacks resource limits beyond a timeout.
for blocked in BLOCKED: if blocked in code: return {'ok': False, ...}
→ Use AST-based parsing to detect dangerous patterns, or whitelist allowed operations. Consider running in a Docker container or gVisor for true isolation.
 scripts/tools.py:302
中危
Unpinned pip dependencies in install.sh 供应链
install.sh installs huggingface_hub, httpx, falkordb, numpy without version pins. This could pull different (potentially vulnerable) versions on re-run.
pip3 install --user --break-system-packages --quiet huggingface_hub httpx falkordb numpy
→ Pin all dependencies to specific versions. Use a requirements.txt or lock file.
 scripts/install.sh:77
中危
Third-party model download from HuggingFace 供应链
The skill downloads a Qwen3.5 GGUF model from a third-party HuggingFace repo (Jackrong/Qwen3.5-9B-Claude-4.6-Opus-Reasoning-Distilled-v2-GGUF) which is not an official Qwen release. Model could be modified.
repo_id='Jackrong/Qwen3.5-9B-Claude-4.6-Opus-Reasoning-Distilled-v2-GGUF'
→ Document that a third-party distilled model is used. Consider verifying the model's integrity or using an official Qwen repository.
 scripts/install.sh:99
低危
Hardcoded internal IP addresses expose infrastructure 权限提升
172.18.0.1 is hardcoded in SKILL.md, mind_wander_config.py, and install.sh as the Ollama and FalkorDB endpoint. This exposes Docker/internal network topology.
WANDER_OLLAMA = 'http://172.18.0.1:11436'
→ Use environment variables for all connection endpoints. Document expected network topology without exposing specific IPs.
 SKILL.md:111
低危
Skill description overstates local-only nature 文档欺骗
SKILL.md says 'Runs locally on Qwen3.5-9B, consumes zero Anthropic tokens' but the skill makes API calls to api.perplexity.ai (external, paid), Ollama at a specific IP, and FalkorDB at a specific IP.
'Runs locally on Qwen3.5-9B, consumes zero Anthropic tokens' — omits Perplexity API cost and network dependencies
→ Update description to accurately reflect external service dependencies.
 SKILL.md:10
资源类型声明权限推断权限状态证据
文件系统 READ WRITE ✗ 越权 scripts/tools.py:elevate() writes MENTAL_EXPLORATION.md; scripts/wander_graph.py…
命令执行 NONE WRITE ✗ 越权 scripts/tools.py:sandbox_run() → subprocess.run(['python3', '-c', safe_code]) ex…
网络访问 NONE READ+WRITE ✗ 越权 scripts/tools.py:search_web() POSTs to api.perplexity.ai; scripts/wander_graph.p…
数据库 NONE READ+WRITE ✗ 越权 scripts/tools.py:query_graph() reads/writes FalkorDB 'workspace' graph; scripts/…
环境变量 NONE READ ✗ 越权 scripts/tools.py:search_web() reads ~/.openclaw/openclaw.json for API key; scrip…
技能调用 NONE WRITE ✗ 越权 scripts/install.sh registers cron jobs via gateway API; SKILL.md does not mentio…
1 高危 7 项发现
📡
高危 IP 地址 硬编码 IP 地址
172.18.0.1
SKILL.md:111
🔗
中危 外部 URL 外部 URL
http://172.18.0.1:11436
SKILL.md:111
🔗
中危 外部 URL 外部 URL
https://doi.org/10.1038/nrn.2016.113
references/research.md:21
🔗
中危 外部 URL 外部 URL
https://doi.org/10.1038/nrn1607
references/research.md:27
🔗
中危 外部 URL 外部 URL
https://arxiv.org/abs/2409.02685
references/research.md:33
🔗
中危 外部 URL 外部 URL
https://bootstrap.pypa.io/get-pip.py
scripts/install.sh:75
🔗
中危 外部 URL 外部 URL
https://api.perplexity.ai/chat/completions
scripts/tools.py:130

目录结构

11 文件 · 81.2 KB · 2167 行
Python 7f · 1654L Markdown 3f · 301L Shell 1f · 212L
├─ 📁 references
│ ├─ 📝 research.md Markdown 64L · 3.2 KB
│ └─ 📝 setup.md Markdown 105L · 3.0 KB
├─ 📁 scripts
│ ├─ 🐍 agent.py Python 315L · 11.9 KB
│ ├─ 🐍 collector.py Python 94L · 3.0 KB
│ ├─ 🔧 install.sh Shell 212L · 7.7 KB
│ ├─ 🐍 mind_wander_config.py Python 49L · 3.1 KB
│ ├─ 🐍 prompt.py Python 132L · 5.5 KB
│ ├─ 🐍 run.py Python 150L · 5.6 KB
│ ├─ 🐍 tools.py Python 622L · 23.6 KB
│ └─ 🐍 wander_graph.py Python 292L · 9.8 KB
└─ 📝 SKILL.md Markdown 132L · 4.8 KB

依赖分析 5 项

包名版本来源已知漏洞备注
huggingface_hub * pip Version not pinned in install.sh
httpx * pip Version not pinned in install.sh
falkordb * pip Version not pinned in install.sh
numpy * pip Version not pinned in install.sh
Jackrong/Qwen3.5-9B-Claude-4.6-Opus-Reasoning-Distilled-v2-GGUF unknown HuggingFace third-party Third-party model repo, not official Qwen — integrity not verifiable

安全亮点

✓ sandbox_run() has a timeout (30s) and line limit (50 lines) — some resource controls exist
✓ sandbox_run() blocks some dangerous imports (subprocess, socket, urllib, requests, httpx, eval, exec, __import__) — at least a basic denylist is present
✓ read_file() has a workspace boundary check to prevent path traversal
✓ The novelty gate (strict criteria for elevate()) means most outputs are benign — findings written to a markdown file
✓ Dead ends are tracked to avoid redundant exploration — reduces unnecessary file writes
✓ SKILL.md exists and provides a reasonable description of the high-level concept
✓ Code is well-structured with docstrings explaining each function's purpose
✓ Uses standard, well-known libraries (httpx, falkordb) rather than obscure custom crypto