Suspicious: risk score 32/100
Last scanned: 1 day ago
cms-meeting-monitor
Pulls meeting content from CMS AI慧记, supporting two monitoring modes: subtitle mode and silent mode
Cross-skill subprocess invocation via undeclared `subprocess.run` calls is the primary concern—neither the SKILL.md nor the tool declarations (monitor:read, notifier:write) accurately reflect the exec/shell:WRITE nature of the code.
Skill name: cms-meeting-monitor
Analysis time: 55.3s
Engine: pi
Use with caution
1) Add explicit `subprocess` or `shell:WRITE` declaration in SKILL.md if cross-skill triggers are intentional; 2) Reclassify tool categories from 'exec' to reflect actual capability footprint; 3) Audit the cms-meeting-materials dependency before production use; 4) Pin `cms-meeting-materials` skill version to avoid supply-chain drift.

Security findings: 5

Severity | Finding | Location
High
Undeclared cross-skill subprocess execution [Documentation deception]
monitor.py:trigger_pull() uses subprocess.run to invoke cms-meeting-materials/scripts/huiji/trigger-pull.py. This is a shell:WRITE capability that is not declared in SKILL.md. The tool 'monitor' declares permission:read but the code actually executes an external script.
result = subprocess.run([sys.executable, str(script_dir), meeting_chat_id], capture_output=True, text=True, timeout=60)
→ Add subprocess or shell:WRITE to the tool's declared permission in SKILL.md. If cross-skill triggers are intentional, document the cms-meeting-materials dependency explicitly.
scripts/monitor.py:170
High
Notifier also performs undeclared subprocess execution [Documentation deception]
notifier.py:get_latest_fragments() imports subprocess and calls scripts from cms-meeting-materials. SKILL.md declares notifier permission:write, but the code performs read + exec operations.
import subprocess / script_dir = Path(...).parent / 'cms-meeting-materials' / 'scripts' / 'huiji'
→ Align notifier's declared permission with actual behavior (exec or read+exec).
scripts/notifier.py:48
Medium
Tool permission declarations do not match code capabilities [Privilege escalation]
monitor tool: category=exec, risk_level=medium, permission=read — but the code executes subprocess, which is exec-level. notifier tool: permission=write — but also executes subprocess.
- name: monitor / category: exec / permission: read
→ Update SKILL.md to reflect the actual permission levels (at minimum exec:WRITE) and list the cross-skill dependency.
SKILL.md:21
Medium
Undeclared hard-coded dependency on cms-meeting-materials skill [Supply chain]
Both monitor.py and notifier.py hard-code paths to cms-meeting-materials/scripts/huiji/. If that dependency is absent or compromised, the skill fails or is exploited. No version pinning or integrity check.
script_dir = Path(__file__).resolve().parent.parent.parent / 'cms-meeting-materials' / 'scripts' / 'huiji' / 'trigger-pull.py'
→ Document the cms-meeting-materials dependency in SKILL.md. Consider adding a manifest or checksum for the dependency script.
scripts/monitor.py:165
Low
Accesses environment variables for credentials [Sensitive access]
The skill reads XG_BIZ_API_KEY from os.environ. This is declared in SKILL.md metadata and is necessary for the feature, but the code does not validate or sanitize this variable.
explicit = os.environ.get('CMS_MEETING_MONITOR_ROOT') / gateway = os.environ.get('OPENCLAW_GATEWAY', 'default')
→ Document what environment variables are accessed. Add input validation for meeting_chat_id to prevent path injection through this variable.
scripts/monitor.py:40
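| Resource type | Declared permission | Inferred permission | Status | Evidence |
| --- | --- | --- | --- | --- |
| Command execution | NONE | WRITE | ✗ Exceeds declared permission | scripts/monitor.py:170 — subprocess.run to trigger-pull.py |
| Command execution | NONE | WRITE | ✗ Exceeds declared permission | scripts/notifier.py:48 — subprocess to huiji scripts |
| File system | NONE | WRITE | ✗ Exceeds declared permission | scripts/monitor.py:115 — state write to ~/.openclaw/ |
| Skill invocation | NONE | WRITE | ✗ Exceeds declared permission | monitor.py:170 & notifier.py:48 — cross-skill subprocess to cms-meeting-material… |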

Directory structure

7 files · 24.9 KB · 767 lines
Python 2f · 582L Markdown 4f · 183L Text 1f · 2L
├─ 📁 design
│ ├─ 📝 DESIGN.md Markdown 32L · 1.2 KB
│ ├─ 📝 DISCUSSION-LOG.md Markdown 18L · 1.0 KB
│ └─ 📝 LEARNING-LOOP.md Markdown 18L · 521 B
├─ 📁 scripts
│ ├─ 🐍 monitor.py Python 405L · 13.3 KB
│ └─ 🐍 notifier.py Python 177L · 5.9 KB
├─ 📄 requirements.txt Text 2L · 100 B
└─ 📝 SKILL.md Markdown 115L · 3.0 KB

Dependency analysis: 1 item

| Package | Version | Source | Known vulnerabilities | Notes |
| --- | --- | --- | --- | --- |
| cms-meeting-materials | unpinned | cross-skill dependency | | External skill dependency; scripts/huiji/trigger-pull.py is invoked via subprocess. No version pinning, no integrity check. The security posture of this skill is inherited. |

Security highlights

✓ SKILL.md explicitly declares the XG_BIZ_API_KEY environment variable dependency
✓ No hardcoded credentials or API keys found in source code
✓ No obfuscation techniques (no base64, no eval, no atob patterns)
✓ No direct IP network requests or C2-style communication
✓ subprocess calls include timeout=60 and error handling
✓ State file writes use atomic replace (tmp + replace pattern)
✓ No access to ~/.ssh, ~/.aws, or other credential paths
✓ No cron/scheduled task self-installation
✓ No data exfiltration — all data stays local to ~/.openclaw