Security Decision Report

mind-wander

SKILL.md documents a read-only reasoning agent but the actual implementation contains undeclared arbitrary Python code execution (sandbox_run), filesystem writes (elevate, DEAD_ENDS.md), external network requests, and system cron registration — a significant doc-to-code mismatch.

Install decision: Priority · Source: manual upload · Scan time: 2026/4/4
Files: 11
IOCs: 7
Over-privilege items: 6
Findings: 9
Most direct threat evidence
01
User installs skill expecting a read-only background reasoning agent from SKILL.md Initial entry · SKILL.md
02
install.sh runs automatically, installing pip packages, registering a 30-min cron job, and reading ~/.openclaw/openclaw.json for tokens Delivery · scripts/install.sh
03
sandbox_run() executes arbitrary Python code via subprocess.run(['python3', '-c', ...]) — bypasses weak BLOCKED-list string checks Privilege escalation · scripts/tools.py

Why this conclusion was reached

3 of 4 dimensions triggered
Block
Declared vs. actual capabilities

Found 6 capabilities or over-privilege behaviors beyond what is declared.

Block
Hidden execution and outbound connections

Extracted 1 high-risk IOC or outbound-connection signal.

Block
Attack chain and high-risk findings

The report contains a 6-step attack chain, plus 4 high-risk or critical findings.

Review
Dependency and supply-chain hygiene

Found 4 dependency or supply-chain leads that need attention.

Attack chain

01
User installs skill expecting a read-only background reasoning agent from SKILL.md

Initial entry · SKILL.md:1

02
install.sh runs automatically, installing pip packages, registering a 30-min cron job, and reading ~/.openclaw/openclaw.json for tokens

Delivery · scripts/install.sh:70

03
sandbox_run() executes arbitrary Python code via subprocess.run(['python3', '-c', ...]) — bypasses weak BLOCKED-list string checks

Privilege escalation · scripts/tools.py:310

04
read_file() and elevate() write arbitrary content to workspace files (MENTAL_EXPLORATION.md, DEAD_ENDS.md, state.json)

Privilege escalation · scripts/tools.py:358

05
search_web() exfiltrates workspace content via Perplexity API calls using the user's API key

Final impact · scripts/tools.py:130

06
Cron persistence reinstalls on each run via gateway API — survives skill 'uninstall' if gateway token remains

Final impact · scripts/install.sh:151

How the risk score was driven up

Undeclared arbitrary code execution +30

sandbox_run() executes arbitrary Python code via subprocess with weak BLOCKED-list filtering, not declared in SKILL.md tool table

Undeclared filesystem WRITE +15

elevate() writes to MENTAL_EXPLORATION.md, wander_graph regenerates DEAD_ENDS.md, install.sh writes ON_YOUR_MIND.md — all undeclared in SKILL.md capability table

Undeclared external network access +10

search_web() POSTs to api.perplexity.ai; embed_sync() calls Ollama endpoint; install.sh downloads from HuggingFace and bootstrap.pypa.io — none declared

Undeclared persistence mechanism +8

install.sh registers a 30-min cron job via gateway API; cron payload embeds Python code as a string — not declared in SKILL.md

Weak sandbox evasion +8

BLOCKED-list uses simple string inclusion — can be bypassed with e.g. 'ex' + 'ec(', f-strings, or 'eval( "os.system(...)" )'

Sensitive credential access +5

search_web() reads ~/.openclaw/openclaw.json for Perplexity API key; cron registration reads same file for gateway token — credential access not declared

Most critical evidence

High risk · Code execution

Undeclared arbitrary Python code execution via sandbox_run()

sandbox_run() in tools.py executes arbitrary Python code passed by the LLM agent via subprocess.run(['python3', '-c', safe_code]). The BLOCKED-list is a simple string-inclusion check easily bypassed. This capability is entirely absent from SKILL.md's tool table.

scripts/tools.py:310
Declare sandbox_run() explicitly in SKILL.md. Consider stronger sandboxing (namespace sandboxing, seccomp, Docker) or restrict to a curated safe-eval whitelist of mathematical/scientific operations only.
High risk · Documentation deception

SKILL.md tool table omits 4 of 8 tools

SKILL.md declares 7 tools (query_graph, search_web, read_file, list_files, sandbox_run, check_dead_ends, record_dead_end, elevate) but the tool table only lists 7 items. Actually all 7 are in the registry, but elevate() and the filesystem WRITE operations are missing from the capability declarations. More critically, the network:WRITE, shell:WRITE, database:READ+WRITE, and persistence capabilities are not declared at all.

SKILL.md:1
Update SKILL.md to accurately declare all 8 resource-level capabilities (filesystem:READ+WRITE, shell:WRITE, network:READ+WRITE, database:READ+WRITE, persistence:WRITE).
High risk · Persistence

Undeclared cron job registration on install

install.sh silently registers a 30-minute cron job via the OpenClaw gateway API, embedding Python code as a string in the message payload. This persistence mechanism is not mentioned anywhere in SKILL.md.

scripts/install.sh:151
Declare cron registration in SKILL.md. Make the cron job registration explicit and user-visible rather than automatic.
High risk · Sensitive access

Undeclared credential file access

search_web() reads ~/.openclaw/openclaw.json to extract the Perplexity API key as a fallback. The cron registration code also reads this file for the gateway auth token. This credential access is not declared.

scripts/tools.py:137
Declare ~/.openclaw/openclaw.json access in SKILL.md. Document what fields are read and why. Consider using environment variables or a dedicated secrets store instead.
Medium risk · Code obfuscation

Weak sandbox BLOCKED-list trivially bypassed

sandbox_run() uses simple string-inclusion checks against a BLOCKED list (e.g., 'exec(', 'eval(', '__import__', 'ctypes'). These can be bypassed via string concatenation, formatting, or base64. The sandbox also lacks resource limits beyond a timeout.

scripts/tools.py:302
Use AST-based parsing to detect dangerous patterns, or whitelist allowed operations. Consider running in a Docker container or gVisor for true isolation.
Medium risk · Supply chain

Unpinned pip dependencies in install.sh

install.sh installs huggingface_hub, httpx, falkordb, numpy without version pins. This could pull different (potentially vulnerable) versions on re-run.

scripts/install.sh:77
Pin all dependencies to specific versions. Use a requirements.txt or lock file.
Medium risk · Supply chain

Third-party model download from HuggingFace

The skill downloads a Qwen3.5 GGUF model from a third-party HuggingFace repo (Jackrong/Qwen3.5-9B-Claude-4.6-Opus-Reasoning-Distilled-v2-GGUF) which is not an official Qwen release. Model could be modified.

scripts/install.sh:99
Document that a third-party distilled model is used. Consider verifying the model's integrity or using an official Qwen repository.
Low risk · Privilege escalation

Hardcoded internal IP addresses expose infrastructure

172.18.0.1 is hardcoded in SKILL.md, mind_wander_config.py, and install.sh as the Ollama and FalkorDB endpoint. This exposes Docker/internal network topology.

SKILL.md:111
Use environment variables for all connection endpoints. Document expected network topology without exposing specific IPs.

1 more finding is not expanded here

Declared capabilities vs. actual capabilities

Filesystem · Block
Declared: READ
Inferred: WRITE
scripts/tools.py:elevate() writes MENTAL_EXPLORATION.md; scripts/wander_graph.py:regenerate_dead_ends_file() writes DEAD_ENDS.md; scripts/install.sh creates ON_YOUR_MIND.md
Command execution · Block
Declared: NONE
Inferred: WRITE
scripts/tools.py:sandbox_run() → subprocess.run(['python3', '-c', safe_code]) executes arbitrary Python; scripts/install.sh runs pip, cp, chmod, curl
Network access · Block
Declared: NONE
Inferred: READ+WRITE
scripts/tools.py:search_web() POSTs to api.perplexity.ai; scripts/wander_graph.py:embed_sync() POSTs to Ollama; scripts/install.sh downloads from bootstrap.pypa.io and HuggingFace
Database · Block
Declared: NONE
Inferred: READ+WRITE
scripts/tools.py:query_graph() reads/writes FalkorDB 'workspace' graph; scripts/wander_graph.py:record_dead_end_to_graph() writes 'wander' graph
Environment variables · Block
Declared: NONE
Inferred: READ
scripts/tools.py:search_web() reads ~/.openclaw/openclaw.json for API key; scripts/run.py reads os.environ for config values
Skill invocation · Block
Declared: NONE
Inferred: WRITE
scripts/install.sh registers cron jobs via gateway API; SKILL.md does not mention the persistence mechanism

Suspicious artifacts and outbound connections

High risk · IP address
172.18.0.1

SKILL.md:111

Medium risk · External URL
http://172.18.0.1:11436

SKILL.md:111

Medium risk · External URL
https://doi.org/10.1038/nrn.2016.113

references/research.md:21

Medium risk · External URL
https://doi.org/10.1038/nrn1607

references/research.md:27

Medium risk · External URL
https://arxiv.org/abs/2409.02685

references/research.md:33

Medium risk · External URL
https://bootstrap.pypa.io/get-pip.py

scripts/install.sh:75

Medium risk · External URL
https://api.perplexity.ai/chat/completions

scripts/tools.py:130

Dependencies and supply chain

Package · Version · Source · Vulnerabilities · Notes
huggingface_hub · * · pip · - · Version not pinned in install.sh
httpx · * · pip · - · Version not pinned in install.sh
falkordb · * · pip · - · Version not pinned in install.sh
numpy · * · pip · - · Version not pinned in install.sh
Jackrong/Qwen3.5-9B-Claude-4.6-Opus-Reasoning-Distilled-v2-GGUF · unknown · HuggingFace (third-party) · - · Third-party model repo, not official Qwen — integrity not verifiable

File composition

11 files · 2167 lines
Python · 7 files · 1654 lines
Markdown · 3 files · 301 lines
Shell · 1 file · 212 lines
Files needing attention · 4
scripts/tools.py Python · 622 lines
Undeclared arbitrary Python code execution via sandbox_run() · Undeclared credential file access · Weak sandbox BLOCKED-list trivially bypassed · https://api.perplexity.ai/chat/completions
scripts/install.sh Shell · 212 lines
Undeclared cron job registration on install · Unpinned pip dependencies in install.sh · Third-party model download from HuggingFace · https://bootstrap.pypa.io/get-pip.py
SKILL.md Markdown · 132 lines
SKILL.md tool table omits 4 of 8 tools · Hardcoded internal IP addresses expose infrastructure · Skill description overstates local-only nature · 172.18.0.1 · http://172.18.0.1:11436
references/research.md Markdown · 64 lines
https://doi.org/10.1038/nrn.2016.113 · https://doi.org/10.1038/nrn1607 · https://arxiv.org/abs/2409.02685
Other files · agent.py · wander_graph.py · run.py · prompt.py · mind_wander_config.py · collector.py +1

Security highlights

sandbox_run() has a timeout (30s) and line limit (50 lines) — some resource controls exist
sandbox_run() blocks some dangerous imports (subprocess, socket, urllib, requests, httpx, eval, exec, __import__) — at least a basic denylist is present
read_file() has a workspace boundary check to prevent path traversal
The novelty gate (strict criteria for elevate()) means most outputs are benign — findings written to a markdown file
Dead ends are tracked to avoid redundant exploration — reduces unnecessary file writes
SKILL.md exists and provides a reasonable description of the high-level concept
Code is well-structured with docstrings explaining each function's purpose
Uses standard, well-known libraries (httpx, falkordb) rather than obscure custom crypto