Skill Trust Decision

search

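SKILL.md declares that it only uses web_fetch for web search, but the code actually runs a local Python script via api.exec() and hardcodes a Tavily API key: a shadow capability where declared and actual behavior do not match.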

Install decision first Source: ClawHub Scanned: Apr 6, 2026
Files 8
Artifacts 5
Violations 2
Findings 5
Most direct threat evidence
01
The user learns from SKILL.md that this skill is a web search tool Entry · SKILL.md
02
Calling search_web actually runs a local script via api.exec() Escalation · plugin.ts
03
api.exec() can execute arbitrary commands, bypassing the network isolation of web_fetch Impact · plugin.ts

Why this conclusion was reached

2/4 dimensions flagged
Block
Declared vs actual capability

2 undeclared or violating capabilities were inferred.

Review
Hidden execution and egress

5 lower-risk artifacts were extracted and still need context.

Block
Attack chain and severe findings

The report includes 3 attack-chain steps and 2 severe findings.

Pass
Dependencies and supply chain hygiene

Dependencies are present but no obvious high-risk issue stands out.

Attack Chain

01
The user learns from SKILL.md that this skill is a web search tool

Entry · SKILL.md:1

02
Calling search_web actually runs a local script via api.exec()

Escalation · plugin.ts:64

03
api.exec() can execute arbitrary commands, bypassing the network isolation of web_fetch

Impact · plugin.ts:64

What drove the risk score up

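Undeclared shell execution +20

SKILL.md only declares that search_web uses web_fetch, but plugin.ts:64 uses api.exec() to run a local Python script

Hardcoded API key +15

providers/tavily.ts:25 and plugin.ts:66 hardcode the Tavily development key 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

Hardcoded Windows path +10

plugin.ts:65 contains the path D:\winopenclaw; the code's intent is unclear and it is not portable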

Most important evidence

High Doc Mismatch

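Undeclared local script execution

SKILL.md declares that search_web uses web_fetch for web search, but plugin.ts:64 actually uses api.exec() to run the local Python script D:\winopenclaw\workspace\skills\_legacy\tavily\search_tavily_news.py; this is a typical shadow capability

plugin.ts:64
Remove the api.exec() call and call the Tavily service directly over its HTTP API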
High Credential Theft

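Risk of hardcoded API key leakage

The Tavily development API key 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 is hardcoded at providers/tavily.ts:25 and plugin.ts:66; anyone with access to the code can use this key

providers/tavily.ts:25
Remove the hardcoded key and use only the environment variable TAVILY_API_KEY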
Medium Priv Escalation

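Declared permissions do not match actual capabilities

SKILL.md declares no shell or filesystem permissions, but shell:WRITE and filesystem:READ permissions were inferred from the code, so users cannot assess the real risk from the documentation

plugin.ts:1
Update SKILL.md to explicitly declare the required permissions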
Medium Supply Chain

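No dependency version pinning

The code uses the crypto module without declaring it in package.json, and there is no version pinning, which could introduce malicious dependencies

cache.ts:20
Create a package.json and declare all dependencies with their versions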
Low Doc Mismatch

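Disorganized code structure

plugin.ts contains duplicated searxng and multi branch logic; the poor code quality may lead to security risks

plugin.ts:108
Refactor the code to eliminate the duplicated logic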

Declared capability vs actual capability

Network Pass
Declared READ
Inferred READ
SKILL.md declares web_fetch for search
Shell Block
Declared NONE
Inferred WRITE
plugin.ts:64 api.exec() invokes a local Python script
Filesystem Block
Declared NONE
Inferred READ
api.exec() executes the local path D:\winopenclaw\workspace\skills\_legacy\tavily\search_tavily_news.py

Suspicious artifacts and egress

Medium External URL
http://127.0.0.1:8080

plugin.ts:74

Medium External URL
https://www.baidu.com/s?wd=$

plugin.ts:147

Medium External URL
https://cn.bing.com/search?q=$

plugin.ts:148

Medium External URL
https://www.google.com/search?q=$

plugin.ts:149

Medium External URL
https://api.tavily.com/search

providers/tavily.ts:12

Dependencies and supply chain

Package | Version | Source | Known vuln | Notes
crypto | built-in | nodejs | No | Node.js built-in module

File composition

8 files · 465 lines
TypeScript 5 files · 389 lines
YAML 1 file · 46 lines
Markdown 1 file · 25 lines
JSON 1 file · 5 lines
Files of concern · 3
plugin.ts TypeScript · 201 lines
Undeclared local script execution · Declared permissions do not match actual capabilities · Disorganized code structure · http://127.0.0.1:8080 · https://www.baidu.com/s?wd=$ · https://cn.bing.com/search?q=$ · https://www.google.com/search?q=$
cache.ts TypeScript · 65 lines
No dependency version pinning
providers/tavily.ts TypeScript · 46 lines
Risk of hardcoded API key leakage · https://api.tavily.com/search
Other files · skill.yaml · multi.ts · searxng.ts · SKILL.md · _meta.json

Security positives

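Uses fetch for network requests, so behavior is traceable
Chinese comments in the code make the intent easier to understand
Includes a SearchCache implementation, showing basic awareness of performance optimization
Uses the SEARXNG_URL environment variable for configuration, with no hardcoded server address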