Security Decision Report

cms-meeting-monitor

Cross-skill subprocess invocation via undeclared `subprocess.run` calls is the primary concern—neither the SKILL.md nor the tool declarations (monitor:read, notifier:write) accurately reflect the exec/shell:WRITE nature of the code.

Install decision (priority) · Source: manual upload · Scan time: 2026/4/4

Files: 7
IOCs: 0
Out-of-scope (privilege) items: 4
Findings: 5
Most direct threat evidence

High · Documentation deception
Undeclared cross-skill subprocess execution

monitor.py:trigger_pull() uses subprocess.run to invoke cms-meeting-materials/scripts/huiji/trigger-pull.py. This is a shell:WRITE capability that is not declared in SKILL.md. The tool 'monitor' declares permission:read but the code actually executes an external script.

Location: scripts/monitor.py:170

Why this conclusion was reached

2 of 4 dimensions triggered

Block · Declared vs actual capabilities
4 capabilities or privilege violations beyond what is declared were found.

Pass · Hidden execution and outbound connections
No obvious high-risk outbound connection or execution signals at present.

Block · Attack chains and high-risk findings
The report contains a 0-step attack chain, plus 2 high-risk or critical findings.

Review · Dependency and supply-chain hygiene
1 dependency or supply-chain clue requiring attention was found.

How the risk score was raised

Cross-skill subprocess execution undeclared in docs +20

monitor.py:trigger_pull() and notifier.py both call subprocess.run on external scripts without documentation in SKILL.md. The tool's declared permission:read does not match its exec category.

Capability violation — declared vs inferred +8

monitor tool declares permission:read but code executes external scripts (shell:WRITE). notifier declares permission:write but also invokes subprocess.

Undeclared dependency on cms-meeting-materials skill +4

Both scripts hard-code a path to cms-meeting-materials/scripts/huiji/trigger-pull.py. If that skill is malicious or compromised, this skill inherits the risk.

Key evidence

High · Documentation deception
Undeclared cross-skill subprocess execution

monitor.py:trigger_pull() uses subprocess.run to invoke cms-meeting-materials/scripts/huiji/trigger-pull.py. This is a shell:WRITE capability that is not declared in SKILL.md. The tool 'monitor' declares permission:read but the code actually executes an external script.

Location: scripts/monitor.py:170
Remediation: Add subprocess or shell:WRITE to the tool's declared permission in SKILL.md. If cross-skill triggers are intentional, document the cms-meeting-materials dependency explicitly.

High · Documentation deception
Notifier also performs undeclared subprocess execution

notifier.py:get_latest_fragments() imports subprocess and calls scripts from cms-meeting-materials. SKILL.md declares notifier permission:write, but the code performs read + exec operations.

Location: scripts/notifier.py:48
Remediation: Align notifier's declared permission with its actual behavior (exec or read+exec).

Medium · Privilege escalation
Tool permission declarations do not match code capabilities

monitor tool: category=exec, risk_level=medium, permission=read, but the code executes subprocess, which is exec-level. notifier tool: permission=write, but it also executes subprocess.

Location: SKILL.md:21
Remediation: Update SKILL.md to reflect the actual permission levels (at minimum exec:WRITE) and list the cross-skill dependency.

Medium · Supply chain
Undeclared hard-coded dependency on cms-meeting-materials skill

Both monitor.py and notifier.py hard-code paths to cms-meeting-materials/scripts/huiji/. If that dependency is absent or compromised, the skill fails or is exploited. There is no version pinning or integrity check.

Location: scripts/monitor.py:165
Remediation: Document the cms-meeting-materials dependency in SKILL.md. Consider adding a manifest or checksum for the dependency script.

Low · Sensitive access
Accesses environment variables for credentials

The skill reads XG_BIZ_API_KEY from os.environ. This is declared in SKILL.md metadata and is necessary for the feature, but the code does not validate or sanitize this variable.

Location: scripts/monitor.py:40
Remediation: Document which environment variables are accessed. Add input validation for meeting_chat_id to prevent path injection through this variable.

Declared vs actual capabilities

Capability          Verdict   Declared   Inferred   Evidence
Command execution   Block     NONE       WRITE      scripts/monitor.py:170: subprocess.run to trigger-pull.py
Command execution   Block     NONE       WRITE      scripts/notifier.py:48: subprocess to huiji scripts
File system         Block     NONE       WRITE      scripts/monitor.py:115: state write to ~/.openclaw/
Skill invocation    Block     NONE       WRITE      monitor.py:170 & notifier.py:48: cross-skill subprocess to cms-meeting-materials

Suspicious artifacts and outbound connections

No obvious IOCs were extracted.

Dependencies and supply chain

Package                 Version    Source                   Vulnerabilities   Notes
cms-meeting-materials   unpinned   cross-skill dependency   (none listed)     External skill dependency; scripts/huiji/trigger-pull.py is invoked via subprocess. No version pinning, no integrity check. The security posture of this skill is inherited.

File composition

7 files · 767 lines
Python: 2 files · 582 lines
Markdown: 4 files · 183 lines
Text: 1 file · 2 lines

Files needing attention · 3
scripts/monitor.py (Python · 405 lines): Undeclared cross-skill subprocess execution · Undeclared hard-coded dependency on cms-meeting-materials skill · Accesses environment variables for credentials
scripts/notifier.py (Python · 177 lines): Notifier also performs undeclared subprocess execution
SKILL.md (Markdown · 115 lines): Tool permission declarations do not match code capabilities

Other files · DESIGN.md · DISCUSSION-LOG.md · LEARNING-LOOP.md · requirements.txt

Security highlights

SKILL.md explicitly declares the XG_BIZ_API_KEY environment variable dependency
No hardcoded credentials or API keys found in source code
No obfuscation techniques (no base64, no eval, no atob patterns)
No direct IP network requests or C2-style communication
subprocess calls include timeout=60 and error handling
State file writes use atomic replace (tmp + replace pattern)
No access to ~/.ssh, ~/.aws, or other credential paths
No cron/scheduled task self-installation
No data exfiltration — all data stays local to ~/.openclaw