安全决策报告

Rune

Name: Rune 可信度判断报告
Item: Rune
Rating: 55
Author: ClawSafe

A large, multi-file AI skill mesh (82 files) with legitimate code assistance purpose but containing multiple high-risk command patterns embedded in documentation examples, including base64 decoding, SSRF proof-of-concept payloads, and curl|sh detection guidance that inadvertently demonstrates the technique.

安装决策优先来源: 手动上传扫描时间: 2026/4/4

文件 82

IOC 64

越权项 0

发现 5

最直接的威胁证据

严重编码执行

base64 -d

为什么得出这个结论

1/4 个维度触发

通过

声明与实际能力

声明资源与推断能力基本一致。

阻止

隐藏执行与外联

提取到 5 个高危 IOC 或外联信号。

通过

攻击链与高危发现

没有形成明确的恶意路径。

复核

依赖与供应链卫生

没有完整依赖信息，供应链判断需要保留弹性。

风险分是怎么被拉高的

SSRF PoC with live metadata service IP +20

rune-ext-security.md:491 documents live SSRF target http://169.254.169.254/latest/meta-data/ as proof-of-concept

curl|sh pattern documented in supply-chain skill +15

rune-ext-security.md:606 Step 5 references curl|sh as detection target but the example context is instructive, not executable

base64 -d used for provisioning profile decoding +5

rune-ext-mobile.md:527 legitimate iOS tooling for .mobileprovision files, not obfuscation

Hardcoded IPs in documentation +5

203.0.113.1 (rune-ext-devops.md:846) is a TEST-NET placeholder; 169.254.169.254 is AWS metadata but used in SSRF defense context

最关键的证据

中危敏感访问

SSRF proof-of-concept with live metadata service IP

rune-ext-security.md pentest-patterns skill documents a live SSRF target (AWS EC2 metadata service at 169.254.169.254) as a proof-of-concept payload. While framed as defensive documentation showing what to protect against, the explicit curl command with the actual IP creates risk if copied verbatim into an unsafe context.

skills/rune-ext-security.md:491

Replace live IP with a clearly-marked placeholder like YOUR_AWS_METADATA_IP or localhost:9999/metadata. Add explicit warnings that this PoC must only run against authorized test targets.

低危文档欺骗

curl|sh pattern referenced without clear anti-pattern framing

The supply-chain skill in rune-ext-security.md:606 references curl|sh as a detection target. While this is a legitimate defensive use (flagging malicious install scripts), the pattern appears without sufficiently clear 'DO NOT EXECUTE' framing, risking confusion.

skills/rune-ext-security.md:606

Re-frame the detection guidance to clearly separate: (1) HOW to detect curl|sh in package scripts, (2) explicit warning that curl|sh must NEVER be executed in production or automated pipelines.

低危代码执行

base64 -d for provisioning profile decoding

rune-ext-mobile.md:527 uses base64 -d to decode a downloaded .mobileprovision file. This is standard iOS code signing tooling and not obfuscation, but base64 decoding can be used for obfuscation so it's flagged here.

skills/rune-ext-mobile.md:527

No action needed — this is legitimate iOS tooling. Consider adding a comment explicitly stating this is decoding an App Store Connect API response.

提示文档欺骗

Placeholder IP addresses in DNS documentation

rune-ext-devops.md:846 uses 203.0.113.1 (TEST-NET-3, a documentation-only IP range per RFC 5737) in DNS A record examples. This is legitimate documentation practice.

skills/rune-ext-devops.md:846

No action needed — 203.0.113.1 is a reserved TEST-NET IP appropriate for documentation.

提示文档欺骗

rm -rf / in sentinel pattern table

rune-sentinel.md:145 references rm -rf / as a destructive command pattern to detect. This is part of sentinel's security scanning documentation and not actual execution.

skills/rune-sentinel.md:145

No action needed — this is sentinel's detection pattern table, not executable code.

声明能力 vs 实际能力

文件系统 通过

声明 NONE

→

推断 NONE

No file write operations in markdown skills

网络访问 通过

声明 NONE

→

推断 READ

Skills reference external URLs for documentation (rune-kit.github.io, context7.com)

命令执行 通过

声明 NONE

→

推断 READ

Shell commands documented as examples in ios-build-pipeline, supply-chain, and pentest-patterns skills

环境变量 通过

声明 NONE

→

推断 NONE

No direct environment variable access in skill code

可疑产物与外联

严重编码执行

base64 -d

skills/rune-ext-mobile.md:527

严重危险命令

curl | sh

skills/rune-ext-security.md:606

严重危险命令

rm -rf /

skills/rune-sentinel.md:145

高危 IP 地址

203.0.113.1

skills/rune-ext-devops.md:846

高危 IP 地址

169.254.169.254

skills/rune-ext-security.md:491

中危外部 URL

https://rune-kit.github.io/rune

README.md:42

中危外部 URL

https://rune-kit.github.io/rune/guides

README.md:43

中危外部 URL

http://www.w3.org/2000/svg

skills/rune-asset-creator.md:75

中危外部 URL

https://context7.com/

skills/rune-docs-seeker.md:64

中危外部 URL

https://context7.com/websites/

skills/rune-docs-seeker.md:70

中危外部 URL

https://accounts.google.com

skills/rune-ext-backend.md:447

中危外部 URL

https://en.wikipedia.org/wiki/Artificial_intelligence

skills/rune-ext-chrome-ext.md:333

依赖与供应链

没有结构化依赖告警。

文件构成

82 个文件 · 37300 行

Markdown 78 个文件 · 34926 行JSON 2 个文件 · 1683 行TypeScript 1 个文件 · 533 行JavaScript 1 个文件 · 158 行

需关注文件 · 7

skills/rune-ext-content.md Markdown · 1844 行

http://www.w3.org/2005/Atom · https://schema.org/BlogPosting · https://schema.org/Person · https://img.youtube.com/vi/$ · https://www.youtube-nocookie.com/embed/$ · https://player.vimeo.com/video/$ · https://schema.org · [email protected] · [email protected]

skills/rune-ext-zalo.md Markdown · 1855 行

https://openapi.zalo.me/v3.0/oa · https://openapi.zalo.me/v2.0/oa · https://openapi.zalo.me/v3.0/oa/message/cs · https://openapi.zalo.me/v2.0/oa/upload/image · https://openapi.zalo.me/v2.0/oa/upload/file · https://cdn.example.com/product-a.jpg · https://cdn.example.com/product-b.jpg · https://openapi.zalo.me/v3.0/oa/user/getlist?offset=0&count=50 · https://openapi.zalo.me/v3.0/oa/user/detail?user_id=4337842264521611405 · https://openapi.zalo.me/v3.0/oa/tag/tagfollower · https://openapi.zalo.me/v3.0/oa/tag/rmfollowerfromtag · https://openapi.zalo.me/v3.0/oa/message/promotion · https://developers.zalo.me · https://yourapp.com/auth/zalo/callback · https://oauth.zaloapp.com/v4/oa/permission?$ · https://oauth.zaloapp.com/v4/oa/access_token · https://openapi.zalo.me/v3.0/oa/$ · https://your-domain.com/webhook/zalo · https://xxxx.ngrok.io

skills/rune-ext-backend.md Markdown · 1011 行

https://accounts.google.com

skills/rune-ext-saas.md Markdown · 900 行

https://api.polar.sh/v1/checkouts/

skills/rune-ext-ecommerce.md Markdown · 1147 行

https://api.frankfurter.app/latest?from=$ · https://my.sepay.vn/docs · https://qr.sepay.vn/img?acc=$ · https://sandbox.vnpayment.vn/apis/docs/huong-dan-tich-hop/ · https://sandbox.vnpayment.vn/paymentv2/vpcpay.html · https://developers.momo.vn/v3/docs/payment/api/ · https://test-payment.momo.vn/v2/gateway/api/create · https://docs.zalopay.vn/ · https://ec.europa.eu/taxation_customs/vies/rest-api/ms/$

skills/rune-ext-chrome-ext.md Markdown · 1006 行

https://en.wikipedia.org/wiki/Artificial_intelligence

skills/rune-ext-mobile.md Markdown · 954 行

base64 -d for provisioning profile decoding · base64 -d · http://www.apple.com/DTDs/PropertyList-1.0.dtd · https://u.expo.dev/your-project-id

其他文件 · rune-ext-ui.md · rune-ext-gamedev.md · rune-cook.md · rune-ext-ai-ml.md · skill-index.json

82 文件 · 1.5 MB · 37300 行

Markdown 78f · 34926LJSON 2f · 1683LTypeScript 1f · 533LJavaScript 1f · 158L

├─ ▾ 📁 skills

│ ├─ ▾ 📁 rune-slides-scripts

│ │ └─ 📜 build-deck.js JavaScript 158L · 3.9 KB

│ ├─ 📝 rune-adversary.md Markdown 293L · 13.8 KB

│ ├─ 📝 rune-asset-creator.md Markdown 169L · 6.7 KB

│ ├─ 📝 rune-audit.md Markdown 538L · 21.8 KB

│ ├─ 📝 rune-autopsy.md Markdown 272L · 10.9 KB

│ ├─ 📝 rune-ba.md Markdown 359L · 14.6 KB

│ ├─ 📝 rune-brainstorm.md Markdown 349L · 17.6 KB

│ ├─ 📝 rune-browser-pilot.md Markdown 178L · 6.2 KB

│ ├─ 📝 rune-completion-gate.md Markdown 317L · 15.9 KB

│ ├─ 📝 rune-constraint-check.md Markdown 174L · 7.4 KB

│ ├─ 📝 rune-context-engine.md Markdown 413L · 19.3 KB

│ ├─ 📝 rune-context-pack.md Markdown 169L · 6.7 KB

│ ├─ 📝 rune-cook.md Markdown 840L · 46.1 KB

│ ├─ 📝 rune-db.md Markdown 282L · 10.8 KB

│ ├─ 📝 rune-debug.md Markdown 452L · 25.5 KB

│ ├─ 📝 rune-dependency-doctor.md Markdown 246L · 7.8 KB

│ ├─ 📝 rune-deploy.md Markdown 239L · 8.8 KB

│ ├─ 📝 rune-design.md Markdown 494L · 22.8 KB

│ ├─ 📝 rune-doc-processor.md Markdown 264L · 9.0 KB

│ ├─ 📝 rune-docs-seeker.md Markdown 187L · 7.3 KB

│ ├─ 📝 rune-docs.md Markdown 383L · 13.1 KB

│ ├─ 📝 rune-ext-ai-ml.md Markdown 1132L · 44.3 KB

│ ├─ 📝 rune-ext-analytics.md Markdown 576L · 26.3 KB

│ ├─ 📝 rune-ext-backend.md Markdown 1011L · 48.5 KB

│ ├─ 📝 rune-ext-chrome-ext.md Markdown 1006L · 45.8 KB

│ ├─ 📝 rune-ext-content.md Markdown 1844L · 66.8 KB

│ ├─ 📝 rune-ext-devops.md Markdown 858L · 35.4 KB

│ ├─ 📝 rune-ext-ecommerce.md Markdown 1147L · 47.1 KB

│ ├─ 📝 rune-ext-gamedev.md Markdown 1430L · 53.3 KB

│ ├─ 📝 rune-ext-mobile.md Markdown 954L · 40.5 KB

│ ├─ 📝 rune-ext-saas.md Markdown 900L · 48.3 KB

│ ├─ 📝 rune-ext-security.md Markdown 648L · 37.8 KB

│ ├─ 📝 rune-ext-trading.md Markdown 612L · 27.5 KB

│ ├─ 📝 rune-ext-ui.md Markdown 1232L · 60.7 KB

│ ├─ 📝 rune-ext-zalo.md Markdown 1855L · 63.7 KB

│ ├─ 📝 rune-fix.md Markdown 319L · 17.2 KB

│ ├─ 📝 rune-git.md Markdown 349L · 10.2 KB

│ ├─ 📝 rune-hallucination-guard.md Markdown 229L · 9.7 KB

│ ├─ 📝 rune-incident.md Markdown 260L · 10.0 KB

│ ├─ 📝 rune-index.md Markdown 86L · 1.7 KB

│ ├─ 📝 rune-integrity-check.md Markdown 178L · 7.3 KB

│ ├─ 📝 rune-journal.md Markdown 250L · 10.0 KB

│ ├─ 📝 rune-launch.md Markdown 349L · 11.9 KB

│ ├─ 📝 rune-logic-guardian.md Markdown 261L · 11.6 KB

│ ├─ 📝 rune-marketing.md Markdown 257L · 10.9 KB

│ ├─ 📝 rune-mcp-builder.md Markdown 433L · 15.8 KB

│ ├─ 📝 rune-neural-memory.md Markdown 354L · 15.0 KB

│ ├─ 📝 rune-onboard.md Markdown 415L · 20.0 KB

│ ├─ 📝 rune-perf.md Markdown 356L · 14.6 KB

│ ├─ 📝 rune-plan.md Markdown 378L · 20.8 KB

│ ├─ 📝 rune-preflight.md Markdown 405L · 20.2 KB

│ ├─ 📝 rune-problem-solver.md Markdown 294L · 15.4 KB

│ ├─ 📝 rune-rescue.md Markdown 458L · 15.2 KB

│ ├─ 📝 rune-research.md Markdown 182L · 7.9 KB

│ ├─ 📝 rune-retro.md Markdown 429L · 17.0 KB

│ ├─ 📝 rune-review-intake.md Markdown 259L · 9.6 KB

│ ├─ 📝 rune-review.md Markdown 544L · 25.3 KB

│ ├─ 📝 rune-safeguard.md Markdown 213L · 8.5 KB

│ ├─ 📝 rune-sast.md Markdown 200L · 7.5 KB

│ ├─ 📝 rune-scaffold.md Markdown 296L · 13.0 KB

│ ├─ 📝 rune-scope-guard.md Markdown 172L · 6.5 KB

│ ├─ 📝 rune-scout.md Markdown 273L · 11.8 KB

│ ├─ 📝 rune-sentinel-env.md Markdown 264L · 11.1 KB

│ ├─ 📝 rune-sentinel.md Markdown 362L · 22.0 KB

│ ├─ 📝 rune-sequential-thinking.md Markdown 244L · 11.0 KB

│ ├─ 📝 rune-session-bridge.md Markdown 408L · 16.5 KB

│ ├─ 📝 rune-skill-forge.md Markdown 549L · 24.1 KB

│ ├─ 📝 rune-skill-router.md Markdown 455L · 25.1 KB

│ ├─ 📝 rune-slides.md Markdown 152L · 5.3 KB

│ ├─ 📝 rune-surgeon.md Markdown 228L · 9.5 KB

│ ├─ 📝 rune-team.md Markdown 521L · 21.0 KB

│ ├─ 📝 rune-test.md Markdown 598L · 28.8 KB

│ ├─ 📝 rune-trend-scout.md Markdown 155L · 5.8 KB

│ ├─ 📝 rune-verification.md Markdown 335L · 15.8 KB

│ ├─ 📝 rune-video-creator.md Markdown 213L · 7.4 KB

│ ├─ 📝 rune-watchdog.md Markdown 177L · 6.4 KB

│ ├─ 📝 rune-worktree.md Markdown 149L · 5.1 KB

│ └─ 📋 skill-index.json JSON 1651L · 39.8 KB

├─ ▾ 📁 src

│ └─ 📜 index.ts TypeScript 533L · 37.8 KB

├─ 📝 README.md Markdown 47L · 1.8 KB

├─ 📝 SKILL.md Markdown 47L · 1.8 KB

└─ 📋 openclaw.plugin.json JSON 32L · 783 B

安全亮点

SKILL.md clearly documents the mesh architecture with no hidden capabilities — 61 skills across 5 layers described transparently

sentinel skill (L2) is a dedicated security gatekeeper with OWASP pattern detection, secret scanning, and destructive command guards

supply-chain security analysis includes typosquatting detection, dependency confusion checks, and SLSA provenance verification

Skill mesh has MIT license and references public GitHub repository — no hidden monetization or suspicious distribution

Rune Pro and Business upsells are clearly branded and not embedded as hidden functionality

No .env files, no credential harvesting code, no external C2 communications detected

defense-in-depth skill provides solid multi-layer validation strategy

pentest-patterns skill documents JWT algorithm confusion, SSRF, and IDOR with remediation guidance