Security Decision Report

buy-domain-helper

Skill has multiple undeclared shell execution patterns, supply-chain risk from npx -y arbitrary package execution, and potential command injection from unsanitized user inputs passed to wrangler CLI.

Install decision priority · Source: manual upload · Scan time: 2026/4/4
Files: 4
IOCs: 8
Out-of-scope capabilities: 4
Findings: 5

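Why this conclusion was reached

2 of 4 dimensions triggered
Block
Declared vs. actual capabilities

Found 4 capabilities or out-of-scope behaviors beyond what is declared.

Review
Hidden execution and outbound connections

Extracted 8 general-risk artifacts; these need to be judged in context.

Block
Attack chain and high-severity findings

The report contains a 0-step attack chain, plus 2 high or critical findings.

Review
Dependency and supply-chain hygiene

Found 1 dependency or supply-chain lead that needs attention.

What raised the risk score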

Undeclared shell: execSync for wrangler and brew install +20

site.js uses execSync extensively but SKILL.md env:[] and bins:[node,cloudflared,wrangler] declare no shell execution capability. wrangler and brew are not declared as allowed tools.

Undeclared npx arbitrary package execution +15

site.js line 90: spawn('npx', ['-y', 'serve', target, ...]) downloads and executes an arbitrary unpinned npm package at runtime. Not mentioned in SKILL.md or README.

Undeclared environment variable access +10

site.js reads CF_API_TOKEN, CF_ACCOUNT_ID, CLOUDFLARE_API_TOKEN, CLOUDFLARE_ACCOUNT_ID from process.env, but SKILL.md declares env:[]. It also passes the full process.env on to child processes.

Undeclared dependency on npm/pip package availability +5

The skill relies on npx serve being available from the npm registry, with no version pinning or lockfile.

Command injection risk in wrangler CLI invocation +5

projectName and dir are interpolated into execSync shell strings without sanitization (lines 102, 103). Malformed input could alter wrangler behavior.

Key evidence

High · Privilege escalation

Undeclared shell execution via execSync and spawn

site.js performs execSync('which cloudflared'), execSync('brew install cloudflared'), execSync(wrangler ...), spawn('cloudflared'...), spawn('npx'...) — all shell execution — but SKILL.md declares env:[] and only lists bins:[node,cloudflared,wrangler] with no shell or network declarations.

site.js:70-71, 90, 102
Declare shell:WRITE and network:READ in SKILL.md metadata. Replace brew install with a clear error message requiring manual installation. Remove npx serve or pin it as a dependency.
High · Supply chain

npx -y serve downloads and executes arbitrary unpinned npm package at runtime

site.js line 90 executes 'npx -y serve' to serve static files before tunneling. This downloads and runs the latest 'serve' package from npm without version pinning, creating a supply-chain attack vector. The serve package is not in package.json dependencies.

site.js:90
Add 'serve' as a pinned dependency in package.json and invoke it via local node_modules instead of npx.
Medium · Documentation deception

NETA_TOKEN environment variable declared in package.json but absent from SKILL.md

package.json clawhub.env section declares a required NETA_TOKEN env var for 'Neta AI API token', but SKILL.md declares env:[] (empty array). This undeclared environment dependency is a doc-to-code mismatch.

package.json:7
Add NETA_TOKEN to SKILL.md env array with description, or remove from package.json if unused in site.js.
Medium · Code execution

Command injection risk: unsanitized user inputs in shell commands

execSync on lines 102-103 interpolates projectName and dir (from user-provided CLI args) directly into a shell command string passed to wrangler. While wrangler likely handles this safely, passing arbitrary strings to a shell without validation is risky.

site.js:102
Validate that projectName matches expected pattern (alphanumeric, hyphens). Enforce dir exists and is within expected paths.
Medium · Privilege escalation

Full process.env inherited by child processes

site.js line 104 passes the entire process.env to wrangler via env:{...process.env, CLOUDFLARE_API_TOKEN, CLOUDFLARE_ACCOUNT_ID}. This exposes all environment variables (including potentially sensitive ones) to the child process.

site.js:104
Pass only the specific environment variables needed (CLOUDFLARE_API_TOKEN, CLOUDFLARE_ACCOUNT_ID, PATH) without spreading process.env.

Declared vs. actual capabilities

Command execution · Block
Declared: NONE
Inferred: WRITE
site.js:70 execSync('which cloudflared'); site.js:71 execSync('brew install cloudflared'); site.js:102 execSync(wrangler command)
Network access · Block
Declared: NONE
Inferred: READ
site.js:26 fetches api.cloudflare.com; site.js:90 spawns npx which reaches npm registry
Environment variables · Block
Declared: NONE
Inferred: READ
site.js:29-30 reads CF_API_TOKEN, CF_ACCOUNT_ID; site.js:104 passes full process.env to child process
File system · Block
Declared: NONE
Inferred: WRITE
site.js:90 npx serve writes to disk in /tmp; wrangler deploy writes build artifacts

Suspicious artifacts and outbound connections

Dependencies and supply chain

Package | Version | Source | Vulnerabilities | Notes
serve | unpinned | npm (via npx -y) | | Not listed in package.json; downloaded at runtime via npx -y without version pin; supply-chain risk
cloudflared | unpinned | Homebrew | | Installed via brew install if missing, not declared in package.json
wrangler | unpinned | npm/global | | Required binary, not declared in package.json

File composition

4 files · 420 lines
Markdown: 2 files · 240 lines
JavaScript: 1 file · 166 lines
JSON: 1 file · 14 lines
Files needing attention · 3
site.js JavaScript · 166 lines
Undeclared shell execution via execSync and spawn · npx -y serve downloads and executes arbitrary unpinned npm package at runtime · Command injection risk: unsanitized user inputs in shell commands · Full process.env inherited by child processes · https://api.cloudflare.com/client/v4
README.md Markdown · 191 lines
https://abc.trycloudflare.com · https://*.trycloudflare.com · https://dash.cloudflare.com/profile/api-tokens · https://abc123.my-site.pages.dev · https://dash.cloudflare.com/ · https://mysite.com
package.json JSON · 14 lines
NETA_TOKEN environment variable declared in package.json but absent from SKILL.md · https://www.neta.art/open/
Other files · SKILL.md

Security highlights

No credential exfiltration — tokens are used only for Cloudflare API calls
README.md is thorough and transparently documents the tunnel, pages, and DNS layers
No base64-encoded payloads or obfuscated code
No attempt to access ~/.ssh, ~/.aws, .env, or other sensitive paths
No persistence mechanisms (cron, startup hooks, backdoors) detected
API calls are limited to official Cloudflare API endpoints