Security decision report

product-demo-video

Skill contains a catastrophic `rm -rf /` command in install-deps.sh:23 with no declared shell permissions, plus undeclared shell execution and dynamically generated Python code in record-demo.mjs.

Install decision first · Source: manual upload · Scan time: 2026/4/4
Files: 5
IOCs: 4
Over-privilege items: 5
Findings: 6
Most direct threat evidence
Critical · Code execution
Destructive `rm -rf` glob command in install script

Line 23 of install-deps.sh uses `rm -rf /tmp/ffmpeg.tar.xz /tmp/ffmpeg-*-amd64-static`. The glob pattern `ffmpeg-*-amd64-static` could expand to /tmp/ itself or a broader path if the tarball extracts unexpectedly (e.g., flat files or into a parent directory). In a root container or misconfigured environment, this could wipe data beyond /tmp/. Using a bare `rm -rf` with glob patterns near system directories is a severe operational hazard.

scripts/install-deps.sh:23

Why this conclusion

3 of 4 dimensions triggered

Block · Declared vs. actual capabilities

5 capabilities or over-privileged behaviours beyond what is declared were found.

Block · Hidden execution and outbound connections

1 high-risk IOC or outbound-connection signal was extracted.

Block · Attack chain and high-risk findings

The report contains a 3-step attack chain plus 3 further high or critical findings.

Pass · Dependencies and supply-chain hygiene

A dependency structure exists, but no obvious high-risk alerts have been observed so far.

Attack chain

01
Skill invoked with Bash:WRITE capability, allowing shell command execution

Privilege escalation · SKILL.md

02
install-deps.sh uses `rm -rf /tmp/ffmpeg.tar.xz /tmp/ffmpeg-*-amd64-static` — glob expansion could resolve to /tmp/ or broader paths if archive structure is unexpected

Privilege escalation · scripts/install-deps.sh:23

03
If run as root (e.g., in a Docker container), `rm -rf /tmp/` or broader path wipe could cause data loss across the system

Final impact · scripts/install-deps.sh:23

How the risk score was driven up

Destructive shell command +35

install-deps.sh:23 contains `rm -rf /tmp/ffmpeg.tar.xz /tmp/ffmpeg-*-amd64-static` — glob `*` could expand to /tmp/ or beyond if the tarball doesn't extract as expected, potentially wiping /tmp/ or more

Undeclared shell execution +20

SKILL.md declares no permissions but record-demo.mjs uses execSync to run edge-tts, ffmpeg, ffprobe, and python3 as undeclared shell commands

Dynamic code generation and execution +10

record-demo.mjs generates a Python script as a string (lines 215-290) and executes it via execSync, a form of dynamic code generation not declared in SKILL.md

No declared capability permissions +5

SKILL.md frontmatter declares no allowed-tools or resources, yet the skill requires shell:WRITE, filesystem:WRITE, and network:READ

Key evidence

Critical · Code execution

Destructive `rm -rf` glob command in install script

Line 23 of install-deps.sh uses `rm -rf /tmp/ffmpeg.tar.xz /tmp/ffmpeg-*-amd64-static`. The glob pattern `ffmpeg-*-amd64-static` could expand to /tmp/ itself or a broader path if the tarball extracts unexpectedly (e.g., flat files or into a parent directory). In a root container or misconfigured environment, this could wipe data beyond /tmp/. Using a bare `rm -rf` with glob patterns near system directories is a severe operational hazard.

scripts/install-deps.sh:23
Replace with explicit directory removal: use `rm -rf "${tmpdir}"` after saving the extracted directory path to a variable, or use a trap/cleanup function. Never use bare globs with rm -rf near /tmp.
High · Documentation deception

Undeclared shell execution capability

SKILL.md declares zero permissions in its frontmatter, yet record-demo.mjs uses execSync to run 5+ shell commands (edge-tts, ffmpeg x3, ffprobe, python3). This is a direct doc-to-code mismatch. The skill does not declare shell:WRITE, filesystem:WRITE, or network:READ in allowed-tools.

scripts/record-demo.mjs:141
Declare all shell commands in SKILL.md frontmatter using allowed-tools mapping: Bash→shell:WRITE, Read→filesystem:READ, Write→filesystem:WRITE. Document why each tool is needed.
High · Code execution

Dynamically generated Python script executed at runtime

record-demo.mjs builds a Python script as a string (generateOverlayScript, ~75 lines) containing scene configuration data and PIL image processing code, writes it to /tmp, and executes it via execSync. This dynamic code generation from configuration data is undeclared functionality.

scripts/record-demo.mjs:148
Either pre-write the overlay script and call it with scene data as arguments, or rewrite the overlay logic in Node.js using the canvas package. Document this behavior in SKILL.md.
Medium · Supply chain

Unpinned pip dependencies

install-deps.sh installs edge-tts and Pillow without version constraints. Pip defaults to the latest version, which could introduce breaking changes or malicious updates.

scripts/install-deps.sh:8
Pin versions: pip3 install edge-tts==6.1.0 (or current stable) Pillow==10.x.x. Add a requirements.txt for reproducibility.
Medium · Supply chain

Remote script download over plain HTTP

install-deps.sh downloads FFmpeg via curl from johnvansickle.com over HTTPS. The site may serve over plain HTTP, and the downloaded binary is copied directly to /usr/local/bin without integrity verification (no sha256 checksum).

scripts/install-deps.sh:19
Verify the downloaded binary with a published SHA256 hash before extraction. Consider using package managers (apt, dnf) for FFmpeg installation instead.
Low · Privilege escalation

FFmpeg and ffprobe installed to /usr/local/bin

The install script copies extracted binaries to /usr/local/bin, which requires write access to system directories. If run as a non-root user, it will fail; if run as root, it modifies system state.

scripts/install-deps.sh:21
Install to user-local bin (~/bin) or use the system's package manager. Document the privilege requirements.

Declared vs. actual capabilities

Capability · Verdict · Declared · Inferred · Evidence
Command execution · Block · NONE · WRITE · record-demo.mjs:141 execSync(`edge-tts ...`)
Command execution · Block · NONE · WRITE · scripts/install-deps.sh:23 rm -rf glob command
Filesystem · Block · NONE · WRITE · record-demo.mjs:148 fs.writeFileSync(`${workDir}/overlay.py`, pyScript)
Network access · Block · NONE · READ · install-deps.sh:19 curl downloads FFmpeg from johnvansickle.com
Network access · Block · NONE · READ · record-demo.mjs:89 page.goto(s.url) — navigates to arbitrary URLs

Suspicious artifacts and outbound connections

Critical · Dangerous command
rm -rf /

scripts/install-deps.sh:23

Medium · External URL
https://johnvansickle.com/ffmpeg/releases/ffmpeg-release-amd64-static.tar.xz

scripts/install-deps.sh:19

Medium · External URL
https://yourapp.dev/

scripts/record-demo.mjs:56

Medium · External URL
https://yourapp.dev/feature1/

scripts/record-demo.mjs:67

Dependencies and supply chain

Package · Version · Source · Vulnerabilities · Notes
puppeteer · not pinned · npm i -g puppeteer · none listed · Installed globally without version constraint
edge-tts · not pinned · pip3 install edge-tts · none listed · No version constraint in install command
Pillow · not pinned · pip3 install Pillow · none listed · No version constraint in install command

File composition

5 files · 601 lines
JavaScript · 1 file · 303 lines
Markdown · 2 files · 242 lines
Shell · 1 file · 50 lines
JSON · 1 file · 6 lines

Files needing attention · 2
scripts/record-demo.mjs · JavaScript · 303 lines
Undeclared shell execution capability · Dynamically generated Python script executed at runtime · https://yourapp.dev/ · https://yourapp.dev/feature1/
scripts/install-deps.sh · Shell · 50 lines
Destructive `rm -rf` glob command in install script · Unpinned pip dependencies · Remote script download over plain HTTP · FFmpeg and ffprobe installed to /usr/local/bin · rm -rf / · https://johnvansickle.com/ffmpeg/releases/ffmpeg-release-amd64-static.tar.xz
Other files · SKILL.md · demo-planning.md · _meta.json

Security positives

No credential theft: skill does not access ~/.ssh, ~/.aws, .env, or iterate environment variables for secrets
No data exfiltration: no HTTP POSTs of user data to external servers
No obfuscation: all code is readable plain text, no base64-encoded payloads or eval(atob(...)) patterns
No persistence mechanisms: no cron jobs, startup scripts, or backdoor installations
Legitimate purpose: the core functionality (video demo creation) matches documented behavior