Security Decision Report

authlock

AuthLock provides legitimate TOTP-based secret encryption but contains an undocumented subprocess execution feature with shell=True that poses command injection risk.

Install decision first · Source: manual upload · Scan time: 2026/4/3
Files 2
IOC 0
Out-of-scope items 1
Findings 3
Most direct threat evidence
High
Shell command injection vulnerability in --exec

The cmd_open function uses subprocess.run(shell=True) with the user-supplied --exec argument. While the example shows legitimate use for SSH, the command is not sanitized and could allow command injection if metacharacters are included in args.exec.

authlock_cli.py:336

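Why this conclusion was reached

2 of 4 dimensions triggered
Block
Declared vs. actual capabilities

Found 1 capability or out-of-scope behavior beyond what is declared.

Pass
Hidden execution and outbound connections

No obvious high-risk outbound connection or execution signals at present.

Block
Attack chain and high-risk findings

The report contains a 0-step attack chain, plus 1 high or critical finding.

Review
Dependency and supply-chain hygiene

Found 3 dependency or supply-chain leads that need attention.

How the risk score was raised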

Shell injection risk in subprocess +20

cmd_open uses subprocess.run(shell=True) with user-supplied exec argument without validation

Sensitive path access documented +10

~/.ssh/id_rsa and similar sensitive files are explicitly mentioned in examples

Remote execution capability +5

--exec flag allows command execution, partially documented in SKILL.md

Key evidence

High

Shell command injection vulnerability in --exec

The cmd_open function uses subprocess.run(shell=True) with the user-supplied --exec argument. While the example shows legitimate use for SSH, the command is not sanitized and could allow command injection if metacharacters are included in args.exec.

authlock_cli.py:336
Use subprocess.run with shell=False and pass command as list, or implement strict input validation to prevent shell injection.
Medium

Sensitive path access not prominently documented

The SKILL.md examples show encrypting ~/.ssh/id_rsa but this sensitive path access is not declared in the capability requirements section.

SKILL.md:45
Document that the tool accesses user home directory and sensitive files for encryption purposes.
Low

TOTP seed stored in plaintext config

The TOTP seed is stored in config.json without additional encryption beyond file permissions. While this is standard practice, the seed is the critical secret.

authlock_cli.py:103
Consider documenting that config.json should be protected with appropriate file permissions.

Declared capabilities vs. actual capabilities

Filesystem: Pass
Declared: READ,WRITE
Inferred: READ,WRITE
SKILL.md:seal/open commands; authlock_cli.py:cmd_seal,cmd_open
Command execution: Block
Declared: NONE
Inferred: WRITE
authlock_cli.py:336 - subprocess.run(cmd, shell=True)
Environment variables: Pass
Declared: NONE
Inferred: READ
SKILL.md:OPENCLAW_WORKSPACE,AUTHLOCK_HOME usage
Network access: Pass
Declared: NONE
Inferred: NONE
No network requests found

Suspicious artifacts and outbound connections

No obvious IOCs were extracted.

Dependencies and supply chain

Package | Version | Source | Vulnerabilities | Notes
cryptography | * | pip | | Standard encryption library
pyotp | * | pip | | TOTP generation
qrcode | * | pip | | QR code display

File composition

2 files · 986 lines
Python 1 file · 728 lines
Markdown 1 file · 258 lines
Files needing attention · 2
authlock_cli.py Python · 728 lines
Shell command injection vulnerability in --exec · TOTP seed stored in plaintext config
SKILL.md Markdown · 258 lines
Sensitive path access not prominently documented

Security highlights

TOTP-based MFA provides strong authentication for decryption
AES-256-GCM with PBKDF2-SHA256 for encryption (industry standard)
No evidence of network exfiltration or data theft
Security notes prohibit echoing plaintext in conversation
PIN optional second factor implemented
Temporary files cleaned up after execution
File permissions set to 0o600 for decrypted secrets