Security decision report

skill-factory

The skill performs undeclared shell execution, references a suspicious hardcoded path, and fetches remote code via npx without version pinning or integrity checks; SKILL.md declares none of these permissions (doc-to-code mismatch).

Install decision (priority) · Source: manual upload · Scanned: 2026/4/4
Files: 2
IOCs: 0
Overreach items: 4
Findings: 6
Most direct threat evidence
01
Skill masquerades as legitimate OpenClaw tooling via SKILL.md · Initial entry · SKILL.md
02
Executes shell commands through undeclared execSync calls · Privilege escalation · scripts/factory.js
03
Runs a remote npm package via npx @latest without pinning, fetching arbitrary code from the internet · Supply chain · scripts/factory.js

Why this conclusion was reached

2 of 4 dimensions triggered
BLOCK
Declared vs actual capabilities

4 capabilities or overreach behaviours beyond what SKILL.md declares were found.

PASS
Hidden execution and outbound connections

No covert execution or outbound-connection signals: the execSync and npx calls are in plain sight in scripts/factory.js (no obfuscation, no encoded payloads, no hardcoded endpoints) and are scored under the capability and attack-chain dimensions instead.

BLOCK
Attack chain and high-risk findings

The report contains a 5-step attack chain plus 3 high or critical findings.

REVIEW
Dependency and supply-chain hygiene

1 dependency or supply-chain lead needs attention.

Attack chain

01
Skill masquerades as legitimate OpenClaw tooling via SKILL.md

Initial entry · SKILL.md:1

02
Executes shell commands through undeclared execSync calls

Privilege escalation · scripts/factory.js:161

03
Runs a remote npm package via npx @latest without pinning, fetching arbitrary code from the internet

Supply chain · scripts/factory.js:170

04
References the suspicious hardcoded path /opt/homebrew/lib/node_modules/..., suggesting platform-specific targeting

Privilege escalation · scripts/factory.js:163

05
User-controlled slug input could be exploited for path traversal to write outside skills/public/

Privilege escalation · scripts/factory.js:53

How the risk score was raised

Undeclared shell execution via execSync +20

SKILL.md does not declare subprocess/child_process usage

Remote script fetch via npx @latest +15

npx clawhub@latest fetches and executes unversioned remote code without an integrity check

Hardcoded suspicious path +15

References /opt/homebrew/lib/node_modules/.../package_skill.py, a planted or platform-specific path not declared anywhere

Doc-to-code capability mismatch +10

Inferred filesystem:WRITE, shell:WRITE, network:READ+EXECUTE and env:READ are not reflected in the SKILL.md documentation

Workspace-based file write escalation +8

The skill writes to skills/public/<slug>/ with a user-controlled slug derived from arbitrary description input

Key evidence

High · Code execution

Undeclared shell command execution via execSync

The script uses child_process.execSync to run shell commands (python3 and npx) without declaring a shell execution capability in SKILL.md. This is the highest-value doc-to-code mismatch signal.

scripts/factory.js:161
Declare shell:WRITE in the skill's allowed-tools. If shell execution is not a core feature, refactor to use the Node.js standard library only (e.g., fs for packaging).
High · Code obfuscation

Suspicious hardcoded path referencing /opt/homebrew/

A hardcoded absolute path, /opt/homebrew/lib/node_modules/openclaw/skills/skill-creator/scripts/package_skill.py, is executed with python3. /opt/homebrew is the Homebrew prefix on Apple Silicon macOS, so the path targets that platform specifically, and it is not declared in SKILL.md. It could be a planted backdoor path or a platform-specific dependency that may not exist on the host; in either case the skill runs whatever file sits at that path at run time.

scripts/factory.js:163
Replace the hardcoded path with a configurable one or use a stdlib-only approach. If this is a legitimate dependency, declare it in a requirements file or package.json and verify it exists before invoking it.
High · Supply chain

Remote code execution via npx @latest without version pinning

The publish function runs 'npx clawhub@latest publish', which fetches and executes remote npm code without a pinned version or hash verification. This is the npm equivalent of curl | bash: whoever controls the clawhub package, or its latest dist-tag, at publish time controls what runs on the host.

scripts/factory.js:170
Pin to an exact version (clawhub@<exact version>, not a dist-tag or range), or install the CLI from a package-lock.json whose integrity hashes npm ci verifies. Document the expected clawhub CLI version.
Medium · Documentation deception

SKILL.md does not declare any allowed-tools or capability permissions

The SKILL.md frontmatter has no allowed-tools declaration. The code uses filesystem:WRITE, shell:WRITE, and network:READ+EXECUTE, but SKILL.md declares none of them. This is a clear doc-to-code mismatch.

SKILL.md:1
Add an allowed-tools declaration to the frontmatter listing Read and Bash (or equivalent), with a justification for why each is needed.
Medium · Sensitive access

Arbitrary slug creation from user input could lead to path traversal

The slugify() function converts a user-provided description into a directory name under skills/public/ without a containment check on the result. The report notes that slugify removes non-alphanumeric characters; if so, the '.' and '/' of a traversal payload such as '../../../etc/cron.d' would also be stripped and the input would collapse to a harmless name, so traversal is only reachable if slugify passes through dots or path separators for some inputs, or yields an empty slug. Confirm the exact slugify behaviour at scripts/factory.js:53.

scripts/factory.js:53
Reject empty slugs and verify that the resolved target path stays strictly inside the skills/public/ boundary after slugification, independent of what slugify does.
Low · Supply chain

No dependency pinning: no package metadata constrains the runtime environment

SKILL.md states the factory 'uses the LLM as the engine' but does not declare npm or Node dependencies. The script uses only the Node.js standard library (fs, path, child_process), which is good, but no package.json or requirements.txt exists to lock the environment, so the Node version, the python3 interpreter and the clawhub CLI are all whatever the host happens to have.

scripts/factory.js:1
Create a package.json that pins the Node.js engine version (engines field). Ensure execSync calls reference only trusted, declared tools.

Declared vs actual capabilities

Filesystem · BLOCK
Declared: NONE
Inferred: WRITE
Evidence: scripts/factory.js:122 fs.mkdirSync(...); scripts/factory.js:130 fs.writeFileSync(...)

Network access · BLOCK
Declared: NONE
Inferred: READ+EXECUTE
Evidence: scripts/factory.js:170 execSync('npx clawhub@latest publish...'); scripts/factory.js:163 execSync('python3 /opt/homebrew/...')

Command execution · BLOCK
Declared: NONE
Inferred: WRITE
Evidence: scripts/factory.js:161 execSync('python3 ...'); scripts/factory.js:170 execSync('npx clawhub@latest ...')

Environment variables · BLOCK
Declared: NONE
Inferred: READ
Evidence: scripts/factory.js:14 process.env.WORKSPACE; scripts/factory.js:15 process.env.CLAWHUB_TOKEN (implied by npx login)
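How the declared-vs-inferred comparison above can be reproduced, as an added example that is not the scanner's or skill-factory's code. It runs over two constructed samples shaped like the report's findings (not the real SKILL.md or factory.js), assumes a frontmatter key named allowed-tools, and uses an assumed mapping from tool names (Bash, Write, Edit, Read) to the report's capability vocabulary; parseAllowedTools, inferCapabilities, unpinnedNpxSpecs and capabilityGaps are names chosen here.

```javascript
// Added example, not the scanner's or skill-factory's code: compare what a
// SKILL.md frontmatter declares with what a script's source implies, the way
// the "Declared vs actual capabilities" table does. Both inputs are constructed
// samples shaped like the report's findings, not the real files.
const SAMPLE_SKILL_MD = [
  '---',
  'name: skill-factory',
  'description: Scaffolds and publishes skills from a one-line description',
  '---',
  '# skill-factory',
  'Uses the LLM as the engine.',
].join('\n');

const SAMPLE_FACTORY_JS = [
  "const fs = require('fs');",
  "const path = require('path');",
  "const { execSync } = require('child_process');",
  "const WORKSPACE = process.env.WORKSPACE || process.cwd();",
  'function scaffold(dir, body) {',
  '  fs.mkdirSync(dir, { recursive: true });',
  "  fs.writeFileSync(path.join(dir, 'SKILL.md'), body);",
  '}',
  'function publish(dir) {',
  "  execSync('python3 /opt/homebrew/lib/node_modules/openclaw/skills/skill-creator/scripts/package_skill.py ' + dir);",
  "  execSync('npx clawhub@latest publish ' + dir);",
  '}',
].join('\n');

// Frontmatter parsing for an assumed "allowed-tools" key, given either inline
// ("allowed-tools: Bash, Write") or as a YAML list on the following lines.
function parseAllowedTools(md) {
  const fm = md.match(/^---\n([\s\S]*?)\n---/);
  if (!fm) return [];
  const lines = fm[1].split('\n');
  const tools = [];
  for (let i = 0; i < lines.length; i++) {
    const kv = lines[i].match(/^allowed-tools:\s*(.*)$/);
    if (!kv) continue;
    if (kv[1].trim()) {
      tools.push(...kv[1].split(',').map((s) => s.trim()).filter(Boolean));
    } else {
      for (let j = i + 1; j < lines.length && /^\s*-\s+/.test(lines[j]); j++) {
        tools.push(lines[j].replace(/^\s*-\s+/, '').trim());
      }
    }
  }
  return tools;
}

// Assumed mapping from tool names to the report's capability vocabulary.
const TOOL_GRANTS = {
  Bash: ['shell:EXECUTE', 'network:EXECUTE', 'filesystem:WRITE'],
  Write: ['filesystem:WRITE'],
  Edit: ['filesystem:WRITE'],
  Read: ['filesystem:READ'],
};

// Source patterns that imply a capability; the first matching line is evidence.
const INDICATORS = [
  { cap: 'filesystem:WRITE', re: /\bfs\.(writeFileSync|writeFile|mkdirSync|mkdir|appendFileSync|rmSync)\b/ },
  { cap: 'shell:EXECUTE', re: /\b(execSync|execFileSync|spawnSync|exec|spawn)\s*\(/ },
  { cap: 'network:EXECUTE', re: /\bnpx\s+\S+/ },
  { cap: 'env:READ', re: /\bprocess\.env\.[A-Za-z_]\w*/ },
];

function inferCapabilities(js) {
  const lines = js.split('\n');
  const found = new Map();
  for (const { cap, re } of INDICATORS) {
    const idx = lines.findIndex((l) => re.test(l));
    if (idx !== -1) found.set(cap, { line: idx + 1, text: lines[idx].trim() });
  }
  return found;
}

// "npx pkg@latest", "npx pkg@^1.0.0" and bare "npx pkg" are all unpinned;
// only an exact x.y.z (optionally with a prerelease suffix) counts as pinned.
function unpinnedNpxSpecs(js) {
  const specs = [];
  for (const m of js.matchAll(/\bnpx\s+((?:@[\w.-]+\/)?[\w.-]+)(?:@([\w.^~<>=*-]+))?/g)) {
    if (!m[2] || !/^\d+\.\d+\.\d+(?:-[\w.-]+)?$/.test(m[2])) specs.push(m[0]);
  }
  return specs;
}

// Every inferred capability that no declared tool grants is a doc-to-code gap.
function capabilityGaps(md, js) {
  const declared = new Set(parseAllowedTools(md).flatMap((t) => TOOL_GRANTS[t] || []));
  const gaps = [];
  for (const [cap, ev] of inferCapabilities(js)) {
    if (!declared.has(cap)) gaps.push({ cap, line: ev.line, evidence: ev.text });
  }
  return gaps;
}
```

Run against the samples, capabilityGaps reports all four undeclared capabilities with the line that evidences each; adding allowed-tools: Bash, Write to the frontmatter leaves only env:READ, which is the kind of residual a reviewer still has to justify or remove.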

Suspicious artifacts and outbound connections

No obvious IOCs were extracted.

Dependencies and supply chain

Package               | Version      | Source                                      | Vulnerabilities | Notes
npx (clawhub@latest)  | * (unpinned) | npm remote                                  | n/a             | Remote code execution: no version pinning, no hash verification
python3 skill-creator | unpinned     | /opt/homebrew/lib/node_modules/openclaw/... | n/a             | Hardcoded path, not declared, platform-specific

File composition

2 files · 380 lines
JavaScript · 1 file · 274 lines
Markdown · 1 file · 106 lines
Files needing attention · 2
scripts/factory.js · JavaScript · 274 lines
Undeclared shell command execution via execSync · Suspicious hardcoded path referencing /opt/homebrew/ · Remote code execution via npx @latest without version pinning · Arbitrary slug creation from user input could lead to path traversal · No dependency pinning: no package metadata constrains the runtime environment
SKILL.md · Markdown · 106 lines
SKILL.md does not declare any allowed-tools or capability permissions

Security highlights

No base64-encoded strings or obfuscated code found in the implementation
No credential harvesting or environment-variable exfiltration detected
No hardcoded IP addresses or external C2 communication endpoints found
No cron/persistence mechanisms or startup hooks detected
The script uses the Node.js stdlib (fs, path) for core logic; no external npm dependencies are needed for scaffolding