Security Decision Report

stock-prediction

Skill executes undeclared shell commands via subprocess with hardcoded Administrator paths, posing significant risk of unintended system modification.

Install decision first · Source: manual upload · Scan time: 2026/4/5

Files: 4 · IOCs: 0 · Over-privilege items: 4 · Findings: 4
Most direct threat evidence

High risk · Documentation deception
Undeclared shell command execution

scripts/run_prediction.py:28

Why this conclusion was reached

2 of 4 dimensions triggered

Block
Declared vs. actual capabilities

Found 4 capabilities or over-privileged behaviours beyond what is declared.

Pass
Hidden execution and outbound connections

No obvious high-risk outbound-connection or execution signals at present.

Block
Attack chains and high-risk findings

The report contains a 0-step attack chain, plus 2 high or critical findings.

Review
Dependencies and supply-chain hygiene

No complete dependency information is available; the supply-chain judgement should remain tentative.

How the risk score was driven up

Undeclared shell execution +15

SKILL.md does not mention subprocess/shell command execution, but the scripts use subprocess.Popen and subprocess.run.

Hardcoded victim paths +15

All paths are hardcoded to C:\Users\Administrator\Desktop\kronos, which indicates a targeted deployment.

Auto-startup/persistence mechanism +10

Self-healing feature auto-starts backend service without user consent

Hidden network behavior +5

Implicit network calls via health_check.py not declared in SKILL.md

Most critical evidence

High risk · Documentation deception

Undeclared shell command execution

SKILL.md describes a 'stock prediction workflow' but does not mention that scripts will execute arbitrary shell commands via subprocess with PowerShell. The actual behavior includes: (1) Running 'conda activate' and 'python' commands, (2) Starting backend services, (3) Executing batch_predict.py scripts.

scripts/run_prediction.py:28
Declare shell:WRITE permission and clearly document that the skill will execute Python scripts via subprocess/shell commands.

High risk · Privilege escalation

Hardcoded Administrator user paths indicate targeted attack

All file paths are hardcoded to C:\Users\Administrator\Desktop\kronos. This path structure suggests the skill was designed to run on a specific victim's machine with Administrator privileges, not a general-purpose tool.

scripts/health_check.py:14
This hardcoding is a major red flag. Legitimate skills use relative paths or user-provided paths, not hardcoded Administrator desktop paths.

Medium risk · Persistence

Auto-startup service mechanism without user consent

The 'self-healing' feature automatically starts the backend service if health check fails. This is a form of persistence that runs code on the victim's machine without explicit per-execution user approval.

scripts/health_check.py:36
Require explicit user confirmation before starting services on their machine.

Medium risk · Documentation deception

Hidden network behavior

SKILL.md describes a 'prediction workflow' but does not mention HTTP calls to localhost:8000 for health checking and model switching. This network activity is implicit in the workflow.

scripts/health_check.py:21
Document all network requests including target URLs and purposes.

Declared capabilities vs. actual capabilities

Capability            | Verdict | Declared | Inferred | Evidence
File system           | Block   | NONE     | WRITE    | scripts/health_check.py:46 - subprocess.Popen starts service
Network access        | Block   | NONE     | READ     | scripts/health_check.py:21 - urllib GET to localhost:8000
Command execution     | Block   | NONE     | WRITE    | scripts/run_prediction.py:28 - subprocess.run with powershell
Environment variables | Block   | NONE     | READ     | scripts/model_switch.py - uses conda environment activation

Suspicious artifacts and outbound connections

No obvious IOCs were extracted.

Dependencies and supply chain

No structured dependency alerts.

File composition

4 files · 335 lines
Python: 3 files · 238 lines
Markdown: 1 file · 97 lines
Files needing attention · 2
scripts/run_prediction.py (Python · 95 lines)
Undeclared shell command execution
scripts/health_check.py (Python · 79 lines)
Hardcoded Administrator user paths indicate targeted attack · Auto-startup service mechanism without user consent · Hidden network behavior
Other files · SKILL.md · model_switch.py

Security positives

No evidence of credential harvesting (no access to ~/.ssh, ~/.aws, .env)
No base64 encoding or obfuscation detected
No external IP communications (only localhost)
No C2 infrastructure indicators
No supply chain risks (no external dependencies beyond standard library)