Security Decision Report

x-scout

X-Scout performs undeclared analytics phone-home on every execution and stores credentials in plaintext at ~/.x-scout/config.json, with shell execution via subprocess undocumented in SKILL.md.

Install decision priority · Source: manual upload · Scan time: 2026/4/4
Files: 4
IOCs: 13
Overreach items: 2
Findings: 6

Most direct threat evidence

01. User runs setup.sh which silently registers install metadata to clawagents.dev (Initial entry · setup.sh)
02. On every x_scout.py execution, query hashes and metadata are POSTed to clawagents.dev (usage · x_scout.py)
03. API keys stored in plaintext at ~/.x-scout/config.json (sensitive path) (Persistence · x_scout.py)

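Why this conclusion was reached

2 of 4 dimensions triggered

Block · Declared vs. actual capabilities
Found 2 capabilities or overreaching behaviors beyond what is declared.

Review · Hidden execution and outbound connections
Extracted 13 general-risk artifacts that need to be judged in context.

Block · Attack chain and high-severity findings
The report contains a 3-step attack chain, plus 2 high or critical findings.

Review · Dependency and supply-chain hygiene
Found 2 dependency or supply-chain leads that need attention.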

Attack chain

01. User runs setup.sh which silently registers install metadata to clawagents.dev (Initial entry · setup.sh:165)

02. On every x_scout.py execution, query hashes and metadata are POSTed to clawagents.dev (usage · x_scout.py:100)

03. API keys stored in plaintext at ~/.x-scout/config.json (sensitive path) (Persistence · x_scout.py:165)

How the risk score was raised

Undeclared analytics phone-home +25

POSTs to clawagents.dev/usage on every run with query hashes, install_id, mode, and result counts. Not declared in SKILL.md.

Undeclared shell execution +15

subprocess.run() used for yt-dlp, ffmpeg, pip install in x_scout.py. setup.sh uses bash and pip. Not declared in allowed-tools or SKILL.md.

Sensitive path credential storage +15

Writes all API keys in plaintext to ~/.x-scout/config.json. No mention in SKILL.md of file write to HOME directory.

Key evidence

High · Data exfiltration

Silent phone-home analytics on every execution

x_scout.py reports usage to https://clawagents.dev/reddit-rank/v1/xs/usage on every CLI invocation. Payload includes install_id, version, mode, query_hash (SHA256 of search terms), results count, and timestamp. This behavior is not declared in SKILL.md and sends hashes of the user's search queries to an external server.

x_scout.py:100
Document this behavior in SKILL.md or make it opt-in with a --no-analytics flag. Users should be informed that search queries are hashed and sent to clawagents.dev.
High · Data exfiltration

Setup registration phone-home with API key presence

setup.sh POSTs install metadata to https://clawagents.dev/reddit-rank/v1/xs/register including which optional API keys are configured (has_openrouter, has_cerebras, has_deepgram booleans). This reveals what services the user has enabled.

setup.sh:165
Remove the registration phone-home or declare it prominently in setup.sh output and SKILL.md.
Medium · Credential theft

Plaintext credential storage in sensitive path

All API keys (TWITTERAPI_KEY, OPENROUTER_API_KEY, CEREBRAS_API_KEYS, DEEPGRAM_API_KEY) are written in plaintext to ~/.x-scout/config.json. This is a sensitive path (~/.x-scout) that could be targeted by credential theft malware.

x_scout.py:165
Either use system keychain (keyring) or document this storage location in SKILL.md with a warning about plaintext storage.
Medium · Documentation deception

Undeclared shell execution via subprocess

SKILL.md does not declare any shell execution capability. However, x_scout.py uses subprocess.run() to execute yt-dlp, ffmpeg, and pip install commands. setup.sh executes bash scripts and pip. This is a mismatch between documented and actual capabilities.

x_scout.py:280
Document shell:WRITE permission and list the tools (yt-dlp, ffmpeg) that will be executed.
Medium · Supply chain

Unpinned dependencies in requirements.txt

requirements.txt specifies 'requests>=2.28.0' and 'python-dotenv>=1.0.0' without upper bounds. This allows dependency confusion or malicious package updates to be installed silently.

requirements.txt:1
Pin exact versions (e.g., requests==2.31.0) to prevent supply chain attacks.
Low · Documentation deception

Analytics registration endpoint reveals skill branding

The analytics URL 'clawagents.dev/reddit-rank/v1/xs/...' contains 'reddit-rank' which suggests this code may have been adapted from a Reddit-focused tool. SKILL.md branding as 'X-Scout' for Twitter scraping appears different from the analytics endpoint naming.

setup.sh:15
Use consistent branding in analytics endpoints.

Declared vs. actual capabilities

Filesystem · Block
Declared: NONE
Inferred: WRITE
x_scout.py:~100 writes ~/.x-scout/config.json

Network access · Pass
Declared: READ
Inferred: READ+WRITE
x_scout.py:~100 POSTs analytics to clawagents.dev

Command execution · Block
Declared: NONE
Inferred: WRITE
x_scout.py:subprocess.run for yt-dlp/ffmpeg

Environment variables · Pass
Declared: READ
Inferred: READ
os.environ.get for API keys

Suspicious artifacts and outbound connections

Medium · External URL · https://clawagents.dev/x-scout · SKILL.md:15
Medium · External URL · https://x.com/user/status/123456 · SKILL.md:59
Medium · External URL · https://clawagents.dev/reddit-rank/v1/xs/register · setup.sh:8
Medium · External URL · https://twitterapi.io · setup.sh:109
Medium · External URL · https://openrouter.ai$ · setup.sh:125
Medium · External URL · https://cerebras.ai · setup.sh:137
Medium · External URL · https://deepgram.com · setup.sh:149
Medium · External URL · https://x.com/user/status/123\ · setup.sh:223
Medium · External URL · https://api.twitterapi.io/twitter · x_scout.py:67
Medium · External URL · https://openrouter.ai/api/v1 · x_scout.py:71
Medium · External URL · https://api.cerebras.ai/v1/chat/completions · x_scout.py:75
Medium · External URL · https://clawagents.dev/reddit-rank/v1/xs/usage · x_scout.py:97

Dependencies and supply chain

Package | Version | Source | Vulnerabilities | Notes
requests | >=2.28.0 | pip | | Version not pinned, only lower bound specified
python-dotenv | >=1.0.0 | pip | | Version not pinned, only lower bound specified

File composition

4 files · 1566 lines
Python: 1 file · 1228 lines
Shell: 1 file · 225 lines
Markdown: 1 file · 111 lines
Text: 1 file · 2 lines

Files requiring attention · 4
x_scout.py · Python · 1228 lines
Silent phone-home analytics on every execution · Plaintext credential storage in sensitive path · Undeclared shell execution via subprocess · https://api.twitterapi.io/twitter · https://openrouter.ai/api/v1 · https://api.cerebras.ai/v1/chat/completions · https://clawagents.dev/reddit-rank/v1/xs/usage · https://api.deepgram.com/v1/listen
setup.sh · Shell · 225 lines
Setup registration phone-home with API key presence · Analytics registration endpoint reveals skill branding · https://clawagents.dev/reddit-rank/v1/xs/register · https://twitterapi.io · https://openrouter.ai$ · https://cerebras.ai · https://deepgram.com · https://x.com/user/status/123\
SKILL.md · Markdown · 111 lines
https://clawagents.dev/x-scout · https://x.com/user/status/123456
requirements.txt · Text · 2 lines
Unpinned dependencies in requirements.txt

Security highlights

No base64-encoded execution or obfuscated code detected
No direct IP network requests or C2 communication patterns
No credential exfiltration (keys used only for API calls, not sent elsewhere)
No attempts to access ~/.ssh, ~/.aws, or other credential paths
No reverse shell or RCE attempts
Error handling is present (timeouts, try/catch blocks)
API keys read from environment are not transmitted to analytics