Security Decision Report

xclaw-skill

Agent network registration tool with legitimate functionality but undocumented private key storage in plaintext and deceptive endpoint registration data that doesn't match the claimed behavior.

Install decision first · Source: manual upload · Scan time: 2026/4/3
Files: 5
IOCs: 8
Over-privilege items: 0
Findings: 3

Why this conclusion

0/4 dimensions triggered

Pass · Declared vs. actual capabilities

Declared resources and inferred capabilities are largely consistent.

Review · Hidden execution and outbound connections

8 general-risk artifacts were extracted; they need to be judged in context.

Pass · Attack chain and high-risk findings

No clear malicious path is formed.

Review · Dependency and supply-chain hygiene

1 dependency or supply-chain lead requires attention.

How the risk score was raised

Undocumented credential storage +15

SKILL.md does not disclose that Ed25519 private key is stored in plaintext at ~/.xclaw/config.json

Deceptive registration data +15

endpoint_url set to 'local://${agentName}' - fake URL not representing actual endpoint

No encryption at rest +10

Private cryptographic key stored unencrypted, enabling credential theft if file is accessed

Key evidence

Medium · Sensitive access

Undocumented private key storage in plaintext

Ed25519 private key generated during registration is stored unencrypted at ~/.xclaw/config.json. SKILL.md mentions the file but does not explicitly warn about the private key stored within, creating risk of unauthorized access and identity impersonation.

Location: src/index.js:35
Recommendation: Add a clear warning in SKILL.md that ~/.xclaw/config.json contains an unencrypted private key. Recommend chmod 600 permissions or add a note about key rotation.

Medium · Documentation deception

Fake endpoint URL in registration payload

Registration sends 'endpoint_url': 'local://${agentName}' which is a non-existent local protocol. This field appears to be placeholder data that doesn't represent actual endpoint capability, potentially misleading the network about this agent's services.

Location: src/index.js:52
Recommendation: Either remove this field if it is unnecessary, use the actual URL if the service is exposed, or document why the 'local://' protocol is used.

Low · Documentation deception

Missing allowed tools declaration

SKILL.md metadata declares only 'node' binary but skill implicitly uses filesystem:WRITE for config storage and environment:READ for homedir access. These implicit capabilities should be declared.

Location: SKILL.md:8
Recommendation: Document that the skill reads from and writes to ~/.xclaw/config.json for credential persistence.

Declared vs. actual capabilities

Filesystem · Pass
  Declared: READ
  Inferred: WRITE
  src/index.js:35 - fs.writeFileSync writes to ~/.xclaw/config.json
Network access · Pass
  Declared: READ
  Inferred: WRITE
  HTTP POST to /v1/agents/register, WebSocket messaging - all documented
Environment variables · Pass
  Declared: NONE
  Inferred: READ
  src/index.js:6 - os.homedir() used to construct config path

Suspicious artifacts and outbound connections

Medium · External URL · https://img.shields.io/badge/version-1.0.0-blue.svg · README.md:10
Medium · External URL · https://img.shields.io/badge/node-%3E%3D18.0.0-green.svg · README.md:11
Medium · External URL · https://nodejs.org · README.md:11
Medium · External URL · https://img.shields.io/badge/license-MIT-orange.svg · README.md:12
Medium · External URL · https://custom-server.com · README.md:116
Medium · External URL · https://xclaw.network · README.md:147
Medium · External URL · https://your-server.com · README.md:265
Medium · External URL · https://registry.npmmirror.com/ws/-/ws-8.20.0.tgz · package-lock.json:20

Dependencies and supply chain

Package | Version | Source | Vulnerabilities | Notes
ws | 8.20.0 | npm | - | Version pinned in lockfile

File composition

5 files · 1438 lines
Markdown: 2 files · 723 lines · JavaScript: 1 file · 646 lines · JSON: 2 files · 69 lines
Files of concern · 4
src/index.js (JavaScript · 646 lines): Undocumented private key storage in plaintext · Fake endpoint URL in registration payload
README.md (Markdown · 550 lines): https://img.shields.io/badge/version-1.0.0-blue.svg · https://img.shields.io/badge/node-%3E%3D18.0.0-green.svg · https://nodejs.org · https://img.shields.io/badge/license-MIT-orange.svg · https://custom-server.com · https://xclaw.network · https://your-server.com
SKILL.md (Markdown · 173 lines): Missing allowed tools declaration
package-lock.json (JSON · 40 lines): https://registry.npmmirror.com/ws/-/ws-8.20.0.tgz
Other files · package.json

Security highlights

No evidence of data exfiltration beyond declared xclaw.network endpoints
No credential harvesting - keys generated locally
No obfuscated code or base64 execution chains
WebSocket communication limited to messaging features
Single dependency (ws) from legitimate npm registry with pinned version
No reverse shell, C2, or persistence mechanisms detected