Scan Report
This report was generated in Chinese. Some content may be in Chinese.
5 /100
koan-protocol
Open identity and encrypted communication protocol for AI agents
Koan Protocol 是一个合法的 AI Agent 加密通信协议,代码功能与文档完全一致,所有 base64 使用均为标准密钥序列化,无恶意行为。
Safe to install
可用于生产环境。Linux 用户注意:私钥以明文存储在 ~/.koan/identity.json,需自行保护文件系统权限。
Findings 3 items
| Severity | Finding | Location |
|---|---|---|
| Low | cryptography 依赖软版本锁定 Supply Chain | python/requirements.txt:1 |
| Low | Linux 平台明文密钥存储 Sensitive Access | python/koan_sdk.py:196-198:196 |
| Info | Base64 使用被预扫描标记为可疑,实际为正常密钥序列化 Doc Mismatch | node/koan-sdk.mjs:107:107 |
| Resource | Declared | Inferred | Status | Evidence |
|---|---|---|---|---|
| Filesystem | WRITE | WRITE | ✓ Aligned | SKILL.md:178 ~koan/identity.json |
| Network | WRITE | WRITE | ✓ Aligned | SKILL.md:66-201 所有 API 端点完整声明 |
| Shell | NONE | WRITE | ✓ Aligned | node/koan-sdk.mjs:50 powershell 调用; python/koan_sdk.py:43 PowerShell 调用 |
10 Critical 23 findings
Critical Encoded Execution Base64 编码执行(代码混淆)
Buffer.from(privateKeyBase64, 'base64' SKILL.md:117 Critical Encoded Execution Base64 编码执行(代码混淆)
Buffer.from(recipientPubBase64, 'base64' SKILL.md:252 Critical Encoded Execution Base64 编码执行(代码混淆)
Buffer.from(recipientPubKeyB64, 'base64' node/koan-sdk.mjs:107 Critical Encoded Execution Base64 编码执行(代码混淆)
Buffer.from(ephemeralPubB64, 'base64' node/koan-sdk.mjs:132 Critical Encoded Execution Base64 编码执行(代码混淆)
Buffer.from(nonceB64, 'base64' node/koan-sdk.mjs:140 Critical Encoded Execution Base64 编码执行(代码混淆)
Buffer.from(ciphertextB64, 'base64' node/koan-sdk.mjs:141 Critical Encoded Execution Base64 编码执行(代码混淆)
Buffer.from(signingPrivateKeyB64, 'base64' node/koan-sdk.mjs:202 Critical Encoded Execution Base64 编码执行(代码混淆)
Buffer.from(data.signingPublicKey, 'base64' node/koan-sdk.mjs:203 Critical Encoded Execution Base64 编码执行(代码混淆)
Buffer.from(encryptionPrivateKeyB64, 'base64' node/koan-sdk.mjs:204 Critical Encoded Execution Base64 编码执行(代码混淆)
Buffer.from(data.encryptionPublicKey, 'base64' node/koan-sdk.mjs:205 Medium External URL 外部 URL
https://koanmesh.com/skill.json README.md:94 Medium External URL 外部 URL
https://koanmesh.com/team README.md:95 Medium External URL 外部 URL
https://koanmesh.com/team-skill.json README.md:96 Medium External URL 外部 URL
https://koanmesh.com/api-reference README.md:97 Medium External URL 外部 URL
https://koanmesh.com SKILL.md:4 Medium External URL 外部 URL
https://koanmesh.com/safety SKILL.md:24 Medium External URL 外部 URL
https://koanmesh.com/reports SKILL.md:26 Medium External URL 外部 URL
https://clawhub.ai/spclaudehome/skill-vetter SKILL.md:27 Medium External URL 外部 URL
https://koanmesh.com/agents/check-key?signingPublicKey= SKILL.md:66 Medium External URL 外部 URL
https://koanmesh.com/agents/register SKILL.md:138 Medium External URL 外部 URL
https://koanmesh.com/relay/intent SKILL.md:161 Medium External URL 外部 URL
https://koanmesh.com/queue/ SKILL.md:201 Medium External URL 外部 URL
https://koanmesh.com/agents/ SKILL.md:241 File Tree
5 files · 56.8 KB · 1465 lines Python 1f · 530L
JavaScript 1f · 487L
Markdown 2f · 447L
Text 1f · 1L
├─
▾
node
│ └─
koan-sdk.mjs
JavaScript
├─
▾
python
│ ├─
koan_sdk.py
Python
│ └─
requirements.txt
Text
├─
README.md
Markdown
└─
SKILL.md
Markdown
Dependencies 1 items
| Package | Version | Source | Known Vulns | Notes |
|---|---|---|---|---|
cryptography | >=42.0.0 | pip | No | 软版本锁定,建议固定具体版本 |
Security Positives
✓ E2E 加密实现规范:X25519 ECDH + AES-256-GCM,符合现代加密标准
✓ 平台适配密钥存储:Windows DPAPI、macOS Keychain、Linux 明文(已声明)
✓ 文档完整:SKILL.md 详细声明所有网络端点、权限、存储位置
✓ 隐私设计:服务器作为盲转发,不读取加密 payloads
✓ 自主策略完善:明确区分自动处理、通知用户、需批准的操作类别
✓ 零外部依赖(Node.js):仅使用内置模块,降低供应链风险
✓ 无凭证收割:无遍历环境变量或读取 ~/.ssh/.aws 等敏感路径
✓ 无远程代码执行:无 curl|bash、eval(atob())、反向 shell 等危险操作