Suspicious — Risk Score 32/100
Last scan: 23 hr ago
cms-meeting-monitor
Pulls meeting content from CMS AI慧记 (AI Huiji); supports two monitoring modes, subtitle mode and silent mode.
Cross-skill subprocess invocation via undeclared `subprocess.run` calls is the primary concern—neither the SKILL.md nor the tool declarations (monitor:read, notifier:write) accurately reflect the exec/shell:WRITE nature of the code.
Skill Name: cms-meeting-monitor
Duration: 55.3s
Engine: pi
Use with caution
1) Add explicit `subprocess` or `shell:WRITE` declaration in SKILL.md if cross-skill triggers are intentional; 2) Reclassify tool categories from 'exec' to reflect actual capability footprint; 3) Audit the cms-meeting-materials dependency before production use; 4) Pin `cms-meeting-materials` skill version to avoid supply-chain drift.

Findings 5 items

Severity Finding Location
High
Undeclared cross-skill subprocess execution (Doc Mismatch)
monitor.py:trigger_pull() uses subprocess.run to invoke cms-meeting-materials/scripts/huiji/trigger-pull.py. This is a shell:WRITE capability that is not declared in SKILL.md. The tool 'monitor' declares permission:read but the code actually executes an external script.
result = subprocess.run([sys.executable, str(script_dir), meeting_chat_id], capture_output=True, text=True, timeout=60)
→ Add subprocess or shell:WRITE to the tool's declared permission in SKILL.md. If cross-skill triggers are intentional, document the cms-meeting-materials dependency explicitly.
scripts/monitor.py:170
High
Notifier also performs undeclared subprocess execution (Doc Mismatch)
notifier.py:get_latest_fragments() imports subprocess and calls scripts from cms-meeting-materials. SKILL.md declares notifier permission:write, but the code performs read + exec operations.
import subprocess / script_dir = Path(...).parent / 'cms-meeting-materials' / 'scripts' / 'huiji'
→ Align notifier's declared permission with actual behavior (exec or read+exec).
scripts/notifier.py:48
Medium
Tool permission declarations do not match code capabilities (Priv Escalation)
monitor tool: category=exec, risk_level=medium, permission=read — but the code executes subprocess, which is exec-level. notifier tool: permission=write — but also executes subprocess.
- name: monitor / category: exec / permission: read
→ Update SKILL.md to reflect the actual permission levels (at minimum exec:WRITE) and list the cross-skill dependency.
SKILL.md:21
Medium
Undeclared hard-coded dependency on cms-meeting-materials skill (Supply Chain)
Both monitor.py and notifier.py hard-code paths to cms-meeting-materials/scripts/huiji/. If that dependency is absent or compromised, the skill fails or is exploited. No version pinning or integrity check.
script_dir = Path(__file__).resolve().parent.parent.parent / 'cms-meeting-materials' / 'scripts' / 'huiji' / 'trigger-pull.py'
→ Document the cms-meeting-materials dependency in SKILL.md. Consider adding a manifest or checksum for the dependency script.
scripts/monitor.py:165
Low
Accesses environment variables for credentials (Sensitive Access)
The skill reads XG_BIZ_API_KEY from os.environ. This is declared in SKILL.md metadata and is necessary for the feature, but the code does not validate or sanitize this variable.
explicit = os.environ.get('CMS_MEETING_MONITOR_ROOT') / gateway = os.environ.get('OPENCLAW_GATEWAY', 'default')
→ Document what environment variables are accessed. Add input validation for meeting_chat_id to prevent path injection through this variable.
scripts/monitor.py:40
| Resource | Declared | Inferred | Status | Evidence |
|---|---|---|---|---|
| Shell | NONE | WRITE | ✗ Violation | scripts/monitor.py:170 — subprocess.run to trigger-pull.py |
| Shell | NONE | WRITE | ✗ Violation | scripts/notifier.py:48 — subprocess to huiji scripts |
| Filesystem | NONE | WRITE | ✗ Violation | scripts/monitor.py:115 — state write to ~/.openclaw/ |
| Skill Invoke | NONE | WRITE | ✗ Violation | monitor.py:170 & notifier.py:48 — cross-skill subprocess to cms-meeting-material… |

File Tree

7 files · 24.9 KB · 767 lines
Python 2f · 582L Markdown 4f · 183L Text 1f · 2L
├─ 📁 design
│ ├─ 📝 DESIGN.md Markdown 32L · 1.2 KB
│ ├─ 📝 DISCUSSION-LOG.md Markdown 18L · 1.0 KB
│ └─ 📝 LEARNING-LOOP.md Markdown 18L · 521 B
├─ 📁 scripts
│ ├─ 🐍 monitor.py Python 405L · 13.3 KB
│ └─ 🐍 notifier.py Python 177L · 5.9 KB
├─ 📄 requirements.txt Text 2L · 100 B
└─ 📝 SKILL.md Markdown 115L · 3.0 KB

Dependencies 1 item

| Package | Version | Source | Known Vulns | Notes |
|---|---|---|---|---|
| cms-meeting-materials | unpinned | cross-skill dependency | No | External skill dependency; scripts/huiji/trigger-pull.py is invoked via subprocess. No version pinning, no integrity check. The security posture of this skill is inherited. |

Security Positives

✓ SKILL.md explicitly declares the XG_BIZ_API_KEY environment variable dependency
✓ No hardcoded credentials or API keys found in source code
✓ No obfuscation techniques (no base64, no eval, no atob patterns)
✓ No direct IP network requests or C2-style communication
✓ subprocess calls include timeout=60 and error handling
✓ State file writes use atomic replace (tmp + replace pattern)
✓ No access to ~/.ssh, ~/.aws, or other credential paths
✓ No cron/scheduled task self-installation
✓ No data exfiltration — all data stays local to ~/.openclaw