Low Risk — Risk Score 20/100
Last scan: 2 days ago
amber-hunter
Universal AI memory backend for Huper琥珀 — local E2E encrypted memory capture and recall with optional cloud sync
A legitimate, well-documented local AI memory backend with strong E2E encryption. Minor documented fallbacks for headless Linux do not constitute hidden malicious behavior.
Skill Name: amber-hunter
Duration: 87.9s
Engine: pi
Safe to install
Consider pinning dependency versions in requirements.txt. For headless Linux, warn users about the config.json plaintext fallback for master_password. Otherwise safe to use.

Findings 5 items

Severity Finding Location
Medium
Unpinned Python dependencies
All packages in requirements.txt use >= version specifiers without upper bounds. This allows dependency confusion attacks and supply chain injection via package updates.
sentence-transformers>=2.2.0
numpy>=1.24.0
→ Pin exact versions: sentence-transformers==2.7.0, numpy==1.26.4, etc.
requirements.txt:1
Low
Linux headless stores master_password in plaintext
On headless Linux (VPS), master_password falls back to config.json in plaintext. While documented, this means the encryption key is stored unencrypted on disk.
_linux_config_set(account, password)
→ Warn users explicitly at install time; consider requiring user acknowledgment
core/keychain.py:164
Low
master_password also written to config.json as fallback on all platforms
set_master_password_handler writes master_password to config.json even when OS keychain succeeds on macOS/Windows. The Keychain is primary but config.json serves as an unnecessary backup copy.
cfg['master_password'] = password_in.password
→ Only write to config.json when OS keychain fails, not as a parallel backup
amber_hunter.py:2063
Info
Reads API keys from OpenClaw config
core/llm.py auto-detects LLM API keys from ~/.openclaw/openclaw.json. This reads third-party credentials to auto-configure providers.
providers = openclaw_config.get('models', {}).get('providers', {})
→ This is documented and intentional — the skill needs LLM keys to power its AI features
core/llm.py:524
Info
Session file access for proactive capture
core/session.py and proactive scripts read OpenClaw/Claude session .jsonl files to build conversation context. This is declared in SKILL.md as the core proactive capture feature.
read_session_messages() reads .jsonl session files
→ No action needed — this is the stated purpose of the skill
core/session.py:60
Resource Declared Inferred Status Evidence
Filesystem READ READ ✓ Aligned SKILL.md allowed-tools maps Read→filesystem:READ; code reads ~/.amber-hunter/, ~…
Shell WRITE WRITE ✓ Aligned install.sh/freeze.sh are shell scripts; LLM providers use subprocess.run with cu…
Network READ READ ✓ Aligned SKILL.md declares huper.org cloud sync; core/llm.py makes API calls to minimaxi.…
Database READ WRITE ✓ Aligned SKILL.md: Memory write via /ingest is a core capability; code writes to SQLite a…
Environment NONE READ ✓ Aligned core/llm.py:361 reads MINIMAX_API_KEY env var; core/keychain.py:115 reads AMBER_…
8 findings
Medium External URL https://huper.org CHANGELOG.md:275
Medium External URL https://huper.org/dashboard README.md:33
Medium External URL https://huper.org/api README.md:43
Medium External URL https://huper.org/api/ingest SKILL.md:68
Medium External URL http://127.0.0.1:18998 amber_hunter.py:619
Medium External URL https://api.minimaxi.com/anthropic/v1/messages core/llm.py:130
Medium External URL https://api.groq.com/openai/v1/chat/completions core/llm.py:624
Medium External URL https://api.minimaxi.com/anthropic core/llm.py:692

File Tree

29 files · 240.0 KB · 6548 lines
Python 14f · 4387L Markdown 7f · 1057L JavaScript 3f · 606L Shell 3f · 325L TypeScript 1f · 161L Text 1f · 12L
├─ 📁 core
│ ├─ 🐍 __init__.py Python 5L · 312 B
│ ├─ 🐍 crypto.py Python 60L · 1.7 KB
│ ├─ 🐍 db.py Python 404L · 13.5 KB
│ ├─ 🐍 keychain.py Python 284L · 9.3 KB
│ ├─ 🐍 llm.py Python 735L · 23.7 KB
│ ├─ 🐍 models.py Python 46L · 1009 B
│ └─ 🐍 session.py Python 450L · 16.4 KB
├─ 📁 proactive
│ ├─ 📁 hooks
│ │ └─ 📁 openclaw
│ │   ├─ 📜 handler.js JavaScript 152L · 5.0 KB
│ │   ├─ 📜 handler.ts TypeScript 161L · 5.6 KB
│ │   └─ 📝 HOOK.md Markdown 39L · 1.2 KB
│ ├─ 📁 scripts
│ │ └─ 📜 proactive-check.js JavaScript 284L · 10.0 KB
│ ├─ 📜 proactive-check.js JavaScript 170L · 6.1 KB
│ └─ 📝 README.md Markdown 88L · 2.1 KB
├─ 📁 tests
│ ├─ 📁 test_api
│ │ ├─ 🐍 __init__.py Python 0 B
│ │ ├─ 🐍 test_recall.py Python 104L · 3.8 KB
│ │ └─ 🐍 test_status.py Python 34L · 1.0 KB
│ ├─ 🐍 __init__.py Python 0 B
│ ├─ 🐍 conftest.py Python 46L · 1.1 KB
│ └─ 🐍 test_crypto.py Python 50L · 1.7 KB
├─ 🐍 amber_hunter.py Python 2169L · 84.4 KB
├─ 📝 CHANGELOG.md Markdown 287L · 16.0 KB
├─ 📝 CLAUDE.md Markdown 28L · 1.0 KB
├─ 🔧 freeze.sh Shell 59L · 1.7 KB
├─ 🔧 install.sh Shell 188L · 7.5 KB
├─ 📝 README.md Markdown 261L · 8.8 KB
├─ 📝 RELEASE_CHECKLIST.md Markdown 46L · 1.5 KB
├─ 🔧 release.sh Shell 78L · 2.9 KB
├─ 📄 requirements.txt Text 12L · 202 B
└─ 📝 SKILL.md Markdown 308L · 12.3 KB

Dependencies 8 items

Package Version Source Known Vulns Notes
fastapi 0.115.0 pip No Lower bound only, no upper cap
uvicorn 0.30.0 pip No Lower bound only
pydantic 2.9.0 pip No Lower bound only
cryptography 43.0.0 pip No Lower bound only
httpx 0.27.0 pip No Lower bound only
sentence-transformers >=2.2.0 pip No Version not pinned, ~90MB ML model download at install time
numpy >=1.24.0 pip No Version not pinned
pytest >=8.0.0 pip No Test only, not shipped

Security Positives

✓ E2E AES-256-GCM encryption with PBKDF2-HMAC-SHA256 key derivation (100k iterations)
✓ master_password stored in OS Keychain (macOS security, Linux secret-tool, Windows cmdkey)
✓ Local service restricted to localhost:18998 — no remote exposure
✓ Cloud sync payload is E2E encrypted before upload; huper.org never sees plaintext
✓ No base64/eval obfuscation or dynamic code execution patterns
✓ No reverse shell, C2 infrastructure, or data exfiltration to unexpected hosts
✓ All external network IOCs map to declared API endpoints (huper.org, LLM providers)
✓ Review queue requires user approval before memories become permanent
✓ SKILL.md is comprehensive and accurately describes capabilities
✓ Comprehensive CORS restrictions to declared origins only