Skill Trust Decision

solo-mission

Documentation-only skill package containing only Markdown files and no executable scripts. However, the documentation contains a dangerous `curl | bash` remote script execution pattern, the external API domain (mission.projectsolo.xyz) has not been verified in a security context, and the credential persistence method (including writing to .env on disk) carries risk.

Install decision first Source: ClawHub Scanned: 6 hr ago
Files 5
Artifacts 20
Violations 3
Findings 5
Most direct threat evidence
01
Foundry installed via remote script execution with curl | bash Escalation · references/wallet-setup.md
02
API key written to a .env file in plaintext on disk Escalation · SKILL.md
03
All agent operations (task creation, fund management) flow to the external API at mission.projectsolo.xyz Impact · SKILL.md

Why this conclusion was reached

3/4 dimensions flagged
Block
Declared vs actual capability

3 undeclared or violating capabilities were inferred.

Block
Hidden execution and egress

1 high-risk artifact or egress signal was extracted.

Block
Attack chain and severe findings

The report includes 3 attack-chain steps and 1 severe finding.

Review
Dependencies and supply chain hygiene

Dependency information is incomplete, so supply-chain confidence stays limited.

Attack Chain

01
Foundry installed via remote script execution with curl | bash

Escalation · references/wallet-setup.md:29

02
API key written to a .env file in plaintext on disk

Escalation · SKILL.md:119

03
All agent operations (task creation, fund management) flow to the external API at mission.projectsolo.xyz

Impact · SKILL.md:47

What drove the risk score up

Dangerous shell command pattern +15

wallet-setup.md:29 contains `curl -L https://foundry.paradigm.xyz | bash`; it is documented as an installation instruction but remains a high-risk pattern

External domain not verified +10

All API calls point to mission.projectsolo.xyz; the legitimacy of the domain cannot be confirmed; potential C2

Credential persisted to disk +5

SKILL.md:109-113 contains a fallback option that writes to a .env file; the API key may be stored in plaintext on disk

Documentation only, no executable code -5

The skill contains no script files at all, which lowers the actual execution risk; it only describes shell commands for an AI agent to interpret and execute

Most important evidence

High Supply Chain

Dangerous remote script execution pattern

wallet-setup.md:29 contains `curl -L https://foundry.paradigm.xyz | bash`, which pipes the downloaded content directly into bash for execution. This is a classic supply-chain attack vector. Even if this is the legitimate instruction for installing Foundry, it still carries man-in-the-middle and malicious-injection risk.

references/wallet-setup.md:29
Switch to download-then-verify, or install Foundry through a package manager (brew/apt)
Medium Credential Theft

API key persisted to disk in plaintext

The fallback option at SKILL.md:109-122 writes SOLO_AGENT_KEY to a `.env` file in plaintext. If the server is compromised, the API key can be read directly and used to impersonate the agent.

SKILL.md:119
Remove the .env fallback and support only workspace-scoped secure storage (.claude/settings.local.json or openclaw env)
Medium Data Exfil

Authenticity of the external API domain not verified

All agent operations point to the mission.projectsolo.xyz domain (12 external URL references), including sensitive operations such as registration, task creation and fund transfers. The domain's legitimacy cannot be verified in the current analysis context, so there is a potential C2 or data-exfiltration risk.

SKILL.md:47
Verify domain ownership and the SSL certificate before deployment; consider adding a domain allowlist or pinning
Medium Doc Mismatch

Permission declaration missing

The SKILL.md metadata does not declare allowed-tools, but the code implicitly requires shell:WRITE and network:READ capabilities. Under the 8-resource model, undeclared permissions are treated as NONE, so actual execution would exceed the declared permissions.

SKILL.md:1
Explicitly declare allowed-tools: { Bash, Read, Write } and the like in the metadata
Low Credential Theft

Private-key environment variable reference

SKILL.md and the referenced files repeatedly use the $PRIVATE_KEY environment variable name for on-chain transactions. Although the documentation carries security warnings, if another variable with the same name exists in the agent environment, or logs leak, the private key could be exposed.

references/onchain.md:21
Use a more specific variable name such as $SOLO_SPONSOR_PRIVATE_KEY to reduce the risk of collisions

Declared capability vs actual capability

Shell Block
Declared NONE
Inferred WRITE
SKILL.md describes `curl`, `cast send`, `openssl enc` and other shell commands throughout; the documentation implicitly requires shell execution capability, but SKILL.md does not declare allowed-tools
Network Block
Declared NONE
Inferred READ
SKILL.md calls the api.mission.projectsolo.xyz API multiple times without declaring network permission
Filesystem Block
Declared NONE
Inferred WRITE
SKILL.md:109-122 persists the API key to .claude/settings.local.json or a .env file, which involves file writes

Suspicious artifacts and egress

Critical Dangerous Command
curl -L https://foundry.paradigm.xyz | bash

references/wallet-setup.md:29

Medium External URL
https://api.mission.projectsolo.xyz

SKILL.md:47

Medium External URL
https://api.mission.projectsolo.xyz/agent/missions?limit=100&page=$PAGE

SKILL.md:75

Medium External URL
https://api.mission.projectsolo.xyz/agent/register

SKILL.md:98

Medium External URL
https://sepolia.base.org

SKILL.md:206

Medium External URL
https://api.mission.projectsolo.xyz/agent/missions/$MISSION_ID/confirm-funding

SKILL.md:232

Medium External URL
https://mission.projectsolo.xyz/missions/

SKILL.md:248

Medium External URL
https://api.mission.projectsolo.xyz/agent/missions

SKILL.md:415

Medium External URL
https://api.mission.projectsolo.xyz/agent/missions/$MISSION_ID/tracks/upload-url

SKILL.md:468

Medium External URL
https://api.mission.projectsolo.xyz/agent/missions/$MISSION_ID/tracks/$TRACK_ID/confirm

SKILL.md:480

Medium External URL
https://api.mission.projectsolo.xyz/agent/missions/$MISSION_ID

SKILL.md:529

Medium External URL
https://api.mission.projectsolo.xyz/agent/missions/$MISSION_ID/tracks

SKILL.md:540

Dependencies and supply chain

There are no structured dependency warnings.

File composition

5 files · 1452 lines
Markdown 5 files · 1452 lines
Files of concern · 4
SKILL.md Markdown · 649 lines
API key persisted to disk in plaintext · Authenticity of the external API domain not verified · Permission declaration missing · https://api.mission.projectsolo.xyz · https://api.mission.projectsolo.xyz/agent/missions?limit=100&page=$PAGE · https://api.mission.projectsolo.xyz/agent/register · https://sepolia.base.org · https://api.mission.projectsolo.xyz/agent/missions/$MISSION_ID/confirm-funding · https://mission.projectsolo.xyz/missions/ · https://api.mission.projectsolo.xyz/agent/missions · https://api.mission.projectsolo.xyz/agent/missions/$MISSION_ID/tracks/upload-url · https://api.mission.projectsolo.xyz/agent/missions/$MISSION_ID/tracks/$TRACK_ID/confirm · https://api.mission.projectsolo.xyz/agent/missions/$MISSION_ID · https://api.mission.projectsolo.xyz/agent/missions/$MISSION_ID/tracks · https://api.mission.projectsolo.xyz/agent/missions/$MISSION_ID/finalize-qualification · https://api.mission.projectsolo.xyz/agent/missions/$MISSION_ID/settle
references/rest-api.md Markdown · 299 lines
https://mission.projectsolo.xyz/missions/$MISSION_ID
references/onchain.md Markdown · 228 lines
Private-key environment variable reference · 0x6537Dcb39517A30e13C246560E7F58Bb7C2Fc2b2 · 0x036CbD53842c5426634e7929541eC2318f3dCF7e
references/wallet-setup.md Markdown · 146 lines
Dangerous remote script execution pattern · curl -L https://foundry.paradigm.xyz | bash · https://foundry.paradigm.xyz · https://docs.base.org/docs/tools/network-faucets · https://faucet.circle.com
Other files · stuck-recovery.md

Security positives

Documentation-only skill package with no executable scripts; the actual attack surface is limited
The documentation contains explicit private-key security warnings (NEVER share, MANDATORY)
Recommends storing the private key with OpenSSL encryption or a cloud KMS rather than in plaintext
The agent registration API key is returned by the server rather than supplied by the user, which lowers injection risk
On-chain transactions use a one-time nonce mechanism to prevent replay attacks
Track uploads for media review tasks have strict ordering constraints (upload first, then invite)
Scanning for stuck missions at session start helps with fund recovery