安全决策报告

samantha

Name: samantha 可信度判断报告
Item: samantha
Rating: 60
Author: ClawSafe

The Samantha skill is an emotional AI companion with legitimate device-integration features, but contains undeclared shell execution, undocumented LAN ping sweeps, and plain-text credential storage — all absent from SKILL.md, creating a doc-to-code mismatch that warrants suspicion.

安装决策优先来源: 手动上传扫描时间: 2026/4/4

文件 48

IOC 13

越权项 1

发现 6

最直接的威胁证据

为什么得出这个结论

2/4 个维度触发

阻止

声明与实际能力

发现 1 项声明之外的能力或越权行为。

阻止

隐藏执行与外联

提取到 1 个高危 IOC 或外联信号。

通过

攻击链与高危发现

没有形成明确的恶意路径。

复核

依赖与供应链卫生

发现 4 项需要关注的依赖或供应链线索。

风险分是怎么被拉高的

Undeclared shell execution +15

scripts/discover_lan.py:19 uses subprocess.run(['ping', ...]) for LAN sweeps — shell:WRITE not declared in SKILL.md

Undocumented network probing +10

SSDP multicast (239.255.255.250) and ping sweeps of 192.168.31.x are in code but absent from SKILL.md

Plain-text credential storage +8

Xiaomi (mi_user/mi_pass) and Feishu (FEISHU_APP_ID/FEISHU_APP_SECRET) credentials stored in plain JSON with no encryption, not mentioned in docs

Unpinned critical dependencies +5

openclaw>=1.0.0 and miservice>=0.1.0 have no upper-bound pins; miservice handles auth credentials

Hardcoded Windows path +2

read_ppt.py:74 embeds a literal user desktop path from a one-time development run

最关键的证据

中危权限提升

Undeclared shell execution via subprocess ping sweep

scripts/discover_lan.py conditionally invokes subprocess.run(['ping', ...]) to sweep 192.168.31.x when SSDP discovery fails. This shell:WRITE capability is not declared anywhere in SKILL.md.

scripts/discover_lan.py:19

Declare shell access in SKILL.md allowed-tools section, or refactor to use a pure-Python ICMP library.

中危文档欺骗

LAN device discovery and network probing undocumented

The skill performs SSDP multicast discovery (239.255.255.250:1900) and falls back to ping sweeps of 192.168.31.x. SKILL.md does not mention any network probing capabilities. The xiaoai-speaker SKILL.md documents the miservice integration but not the local network scan.

scripts/discover_lan.py:6

Document network:READ/WRITE capabilities in SKILL.md with explicit scope (LAN only, Xiaomi device discovery).

中危凭证窃取

Plain-text credential storage for Xiaomi and Feishu

Xiaomi account credentials (mi_user, mi_pass) and Feishu app credentials (FEISHU_APP_ID, FEISHU_APP_SECRET) are stored in plain-text JSON files (data/xiaoai_config.json) and/or .env files. No encryption, no keyring integration. SKILL.md documents the config format but not the security implications.

skills/xiaoai-speaker/scripts/tts_bridge.py:30

Document that credentials are stored in plain text; recommend using OS keyring or secrets manager instead.

中危供应链

Critical auth dependency miservice has no version cap

requirements.txt pins miservice>=0.1.0 with no upper bound. miservice handles Xiaomi account authentication (username/password). An unconstrained dependency handling credentials poses supply-chain risk.

requirements.txt:15

Pin miservice to a known-good version (e.g., miservice==0.1.x) and verify the package source.

低危供应链

openclaw framework dependency unpinned

requirements.txt specifies openclaw>=1.0.0 with no upper bound. This is the core framework; an unbounded dependency could pull a breaking or malicious update.

requirements.txt:1

Pin openclaw to a specific version range (e.g., openclaw>=1.0.0,<2.0.0).

低危敏感访问

Hardcoded Windows user path in read_ppt.py

read_ppt.py contains a literal hardcoded path 'D:\xuyan\桌面\Samantha\邓小闲koki-寻找Samantha.pptx'. This is a one-time development artifact but leaks a real username and desktop location into the codebase.

read_ppt.py:74

Remove or replace with a command-line argument or environment variable.

声明能力 vs 实际能力

文件系统 通过

声明 NONE

→

推断 WRITE

scripts/memory.py:40 — sqlite3.connect() + write; scripts/personality.py:53 — json.dump() to disk

命令执行 阻止

声明 NONE

→

推断 WRITE

scripts/discover_lan.py:19 — subprocess.run(['ping', '-n', '1', '-w', '200', ip])

网络访问 通过

声明 NONE

→

推断 WRITE

scripts/discover_lan.py:6 — UDP sendto SSDP multicast; skills/xiaoai-speaker/scripts/tts_bridge.py — Xiaomi API calls

环境变量 通过

声明 NONE

→

推断 READ

skills/xiaoai-speaker/scripts/tts_bridge.py:30 — os.getenv() reads MI_USER, MI_PASS; scripts/deploy.sh:49 — pip install reads env

数据库 通过

声明 NONE

→

推断 WRITE

scripts/memory.py:56-96 — CREATE TABLE + INSERT into relationship.db via sqlite3

可疑产物与外联

高危 IP 地址

239.255.255.250

scripts/discover_lan.py:6

中危外部 URL

https://docs.openclaw.ai

CONTRIBUTING.md:127

中危外部 URL

https://www.sqlite.org/docs.html

CONTRIBUTING.md:129

中危外部 URL

https://discord.com/invite/clawd

CONTRIBUTING.md:139

中危外部 URL

https://twitter.com/charlie88931442

CONTRIBUTING.md:171

中危外部 URL

https://img.youtube.com/vi/xeqP4j0-cfc/0.jpg

README.md:5

中危外部 URL

https://youtube.com/shorts/xeqP4j0-cfc?si=H4sY9CP5JTBLD06h

README.md:5

中危外部 URL

https://api.minimaxi.com/v1/t2a_v2

mm-voice-maker/scripts/mm_tts.py:26

中危外部 URL

http://schemas.openxmlformats.org/presentationml/2006/main

read_ppt.py:25

中危外部 URL

https://open.feishu.cn/open-apis

skills/mbti-coach/scripts/feishu_calendar.sh:12

中危外部 URL

https://your-openclaw-gateway/webhook/shortcut

skills/shortcuts-awareness/SKILL.md:101

提示邮箱

[email protected]

CONTRIBUTING.md:170

依赖与供应链

包名	版本	来源	漏洞	备注
miservice	`>=0.1.0`	pip	否	Handles Xiaomi auth credentials but has no upper-version cap
openclaw	`>=1.0.0`	pip	否	Core framework, unpinned with no upper bound
torch	`>=2.0.0`	pip	否	Unpinned — large ML dependency with broad attack surface
transformers	`>=4.35.0`	pip	否	Unpinned — HuggingFace package, broad supply-chain surface
requests	`>=2.31.0`	pip	否	Version pinned, well-maintained

文件构成

48 个文件 · 9892 行

Markdown 21 个文件 · 6386 行Python 20 个文件 · 2743 行Shell 2 个文件 · 482 行Text 4 个文件 · 161 行YAML 1 个文件 · 120 行

需关注文件 · 1

README.md Markdown · 732 行

https://img.youtube.com/vi/xeqP4j0-cfc/0.jpg · https://youtube.com/shorts/xeqP4j0-cfc?si=H4sY9CP5JTBLD06h

其他文件 · smartwatch_integration.md · SKILL.md · SKILL.md · technical_limitations.md · architecture.md · README_merged.md +5

48 文件 · 309.1 KB · 9892 行

Markdown 21f · 6386LPython 20f · 2743LShell 2f · 482LText 4f · 161LYAML 1f · 120L

├─ ▾ 📁 assets

│ └─ ▾ 📁 personality_seeds

│ └─ 📝 README.md Markdown 132L · 4.5 KB

├─ ▾ 📁 examples

│ └─ 🐍 basic_usage.py Python 167L · 5.6 KB

├─ ▾ 📁 mm-music-maker

│ └─ ▾ 📁 scripts

│ ├─ 🐍 generate_music.py Python 83L · 2.2 KB

│ ├─ 🐍 lobster_y2k.py Python 127L · 3.1 KB

│ ├─ 📄 lyrics_lobster.txt Text 56L · 983 B

│ ├─ 📄 lyrics_teachers.txt Text 62L · 1.1 KB

│ └─ 🐍 teachers_song.py Python 131L · 3.3 KB

├─ ▾ 📁 mm-voice-maker

│ └─ ▾ 📁 scripts

│ └─ 🐍 mm_tts.py Python 106L · 2.9 KB

├─ ▾ 📁 references

│ ├─ 📝 architecture.md Markdown 397L · 10.9 KB

│ ├─ 📝 implementation_roadmap.md Markdown 397L · 9.2 KB

│ ├─ 📝 personality_implementation.md Markdown 162L · 5.1 KB

│ ├─ 📝 quick_implementation_guide.md Markdown 352L · 9.2 KB

│ ├─ 📝 smartwatch_integration.md Markdown 837L · 20.8 KB

│ └─ 📝 technical_limitations.md Markdown 482L · 12.9 KB

├─ ▾ 📁 scripts

│ ├─ 🔧 deploy.sh Shell 291L · 6.7 KB

│ ├─ 🐍 discover_lan.py Python 46L · 1.2 KB

│ ├─ 🐍 emotional_intelligence.py Python 255L · 9.6 KB

│ ├─ 🐍 memory.py Python 337L · 10.7 KB

│ ├─ 🐍 personality.py Python 242L · 8.7 KB

│ ├─ 🐍 relationship_tracker.py Python 163L · 6.2 KB

│ ├─ 🐍 samantha.py Python 171L · 5.4 KB

│ ├─ 🐍 setup.py Python 81L · 1.8 KB

│ ├─ 🐍 test_emotion.py Python 26L · 832 B

│ └─ 🐍 test_xiaoai.py Python 60L · 1.5 KB

├─ ▾ 📁 skills

│ ├─ ▾ 📁 location-awareness

│ │ └─ 📝 SKILL.md Markdown 169L · 3.4 KB

│ ├─ ▾ 📁 mbti-coach

│ │ ├─ ▾ 📁 scripts

│ │ │ ├─ 🔧 feishu_calendar.sh Shell 191L · 6.3 KB

│ │ │ └─ 🐍 radar_chart.py Python 174L · 6.9 KB

│ │ ├─ 📝 README.md Markdown 172L · 5.7 KB

│ │ └─ 📝 SKILL.md Markdown 337L · 14.9 KB

│ ├─ ▾ 📁 mbti-fortune

│ │ └─ 📝 SKILL.md Markdown 135L · 5.1 KB

│ ├─ ▾ 📁 shortcuts-awareness

│ │ └─ 📝 SKILL.md Markdown 225L · 4.7 KB

│ ├─ ▾ 📁 smart-devices

│ │ └─ 📝 SKILL.md Markdown 203L · 4.4 KB

│ └─ ▾ 📁 xiaoai-speaker

│ ├─ ▾ 📁 scripts

│ │ ├─ 🐍 discover_devices.py Python 57L · 1.5 KB

│ │ ├─ 🐍 speak.py Python 88L · 2.4 KB

│ │ ├─ 🐍 tts_bridge.py Python 194L · 7.1 KB

│ │ └─ 🐍 voice_assistant.py Python 174L · 5.5 KB

│ └─ 📝 SKILL.md Markdown 168L · 3.5 KB

├─ 📝 CONTRIBUTING.md Markdown 179L · 5.2 KB

├─ 📝 PROJECT_STRUCTURE.md Markdown 260L · 6.7 KB

├─ 📝 QUICKSTART.md Markdown 222L · 5.3 KB

├─ 📝 README.md Markdown 732L · 35.1 KB

├─ 📝 README_merged.md Markdown 224L · 10.8 KB

├─ 📝 SKILL.md Markdown 360L · 14.3 KB

├─ 📝 VERSION.md Markdown 241L · 6.5 KB

├─ 📋 docker-compose.yml YAML 120L · 2.9 KB

├─ 📄 ppt_detailed.txt Text 1L · 3.1 KB

├─ 🐍 read_ppt.py Python 61L · 2.6 KB

└─ 📄 requirements.txt Text 42L · 625 B

安全亮点

No evidence of data exfiltration — all network calls are to legitimate third-party APIs (Xiaomi, Feishu, MiniMax) for declared features

No base64-encoded payloads, eval(), or anti-analysis obfuscation found

No hardcoded external IP addresses for data exfiltration

No prompt injection, jailbreak, or hidden instructions in documentation

No evidence of reverse shell, C2 communication, or credential harvesting beyond the legitimate Xiaomi/Feishu integrations

Core skill functionality (personality, memory, emotional intelligence, relationship tracking) is entirely local and benign