Security Decision Report

skill-security-vet

Undeclared computer-wide filesystem scanning and auto-quarantine capabilities discovered: SKILL.md only mentions skill scanning, but the code includes a full-drive scanning mode.

Install decision: priority · Source: manual upload · Scan time: 2026/4/3
Files 3
IOC 2
Overreach items 2
Findings 5
Most direct threat evidence
01
User installs skill-security-vet believing it only scans installed skills · initial entry · SKILL.md
02
An attacker or a compromised tool uses the 'local' or 'full' mode to scan the entire computer filesystem · reconnaissance · vet.ts
03
The tool iterates through directories searching for sensitive files and credential patterns · reconnaissance · vet.ts

Why this conclusion

2 of 4 dimensions triggered
Block
Declared vs. actual capabilities

Found 2 capabilities or behaviors beyond what is declared.

Review
Hidden execution and outbound connections

Extracted 2 general-risk artifacts; they need contextual judgment.

Block
Attack chain and high-risk findings

The report contains a 4-step attack chain plus 2 high or critical findings.

Pass
Dependency and supply-chain hygiene

A dependency structure exists, but no obvious high-risk alerts were seen.

Attack chain

01
User installs skill-security-vet believing it only scans installed skills

Initial entry · SKILL.md:1

02
Attacker or compromised tool uses 'local' or 'full' mode to scan entire computer filesystem

reconnaissance · vet.ts:219

03
Tool iterates through directories searching for sensitive files and credential patterns

reconnaissance · vet.ts:239

04
Files matching danger patterns are auto-quarantined or removed without user consent

Final impact · vet.ts:160

How the risk score was raised

Undeclared filesystem scanning +25

SKILL.md describes only skill scanning, but vet.ts has 'local' and 'full' modes scanning entire computer drives

Undeclared auto-quarantine/removal +20

Automatic file quarantine and removal without explicit user consent per operation

Deep filesystem traversal +15

Scans all directories up to depth 5, examining all script file types across the entire system

No declared shell/network access needed +8

Skill scanning should not require full-computer filesystem access

Key evidence

High

Undeclared local/full computer scanning mode

vet.ts contains 'local' and 'full' scanning modes that recursively scan entire system drives (C:, D:, E:, F: on Windows, / on Unix) up to depth 5, examining 10,000+ files. SKILL.md only describes scanning installed skills in ~/.opencode/skill.

vet.ts:219
Remove local/full modes or clearly document computer-wide scanning capability in SKILL.md
High

Automatic file quarantine without consent

The tool automatically quarantines (copies and deletes) or removes files identified as dangerous without prompting for user consent per operation. Configured via --auto flag.

vet.ts:160
Require explicit user confirmation before auto-quarantine, or document this behavior prominently
Medium

Undocumented VirusTotal API integration

Code integrates with VirusTotal API to submit file hashes for scanning. While the SKILL.md mentions VirusTotal, it doesn't detail the API endpoint or that file hashes are sent externally.

vet.ts:127
Document what data is sent to VirusTotal (file hashes only vs content)
Medium

Suspicious file pattern matching

The tool scans for credential-related patterns, including decodeURIComponent combined with password/token, keyloggers, and remote connection attempts (SSH/RDP). While legitimate for security scanning, combined with undeclared full-drive access this could be used for credential harvesting.

vet.ts:50
Clarify intent - a skill security tool should not need to detect password theft patterns on user's computer
Low

Broad exclusion list suggests awareness of sensitive areas

The excludeSet includes AppData/Local/Temp, Windows, Program Files, etc. This suggests the tool is aware of and avoids Windows system areas while potentially targeting user data areas.

vet.ts:239
Review exclusion list - consider if this is protective or targeted
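The two high findings above recommend the same two controls: keep the scan inside the root SKILL.md declares, and never quarantine a file without per-file consent. The following is an added TypeScript example of those controls; it is not code from skill-security-vet. The names ScanMode, resolveScanRoots, isWithinRoot, planActions and the --allow-full-scan opt-in are hypothetical, while the declared root ~/.opencode/skill, the Windows drive list and the --auto flag come from the report.

```typescript
import * as path from "node:path";

// Added example, not code from the skill-security-vet project. ScanMode,
// resolveScanRoots, isWithinRoot, planActions and --allow-full-scan are
// hypothetical names; the declared root ~/.opencode/skill, the drive list
// C:/D:/E:/F: and the --auto flag are taken from the report.
export type ScanMode = "skills" | "local" | "full";
export type Action = "clean" | "report-only" | "quarantine" | "skip-out-of-scope";
export interface Finding { file: string; dangerous: boolean }
export interface Plan { file: string; action: Action }

// Only the mode SKILL.md documents ("skills") is enabled by default. The
// drive-wide modes must be requested explicitly, so they can never run silently.
export function resolveScanRoots(mode: ScanMode, home: string, allowFullScan = false): string[] {
  if (mode === "skills") return [path.join(home, ".opencode", "skill")];
  if (!allowFullScan) {
    throw new Error(`scan mode "${mode}" walks the whole filesystem; requires --allow-full-scan`);
  }
  return process.platform === "win32" ? ["C:\\", "D:\\", "E:\\", "F:\\"] : ["/"];
}

// True only when `candidate` resolves to a path at or below `root`. Resolving both
// sides first defeats "../" escapes; symlinks additionally need fs.realpathSync on
// both paths before this call, which is left out to keep the function pure.
export function isWithinRoot(root: string, candidate: string): boolean {
  const rel = path.relative(path.resolve(root), path.resolve(candidate));
  if (rel === "") return true;
  return rel !== ".." && !rel.startsWith(".." + path.sep) && !path.isAbsolute(rel);
}

// Turn findings into a plan without touching the disk. A file is scheduled for
// quarantine only if it lies inside an allowed root AND the confirm callback
// approved that specific file. Without a callback every dangerous file is only
// reported, so the silent copy-and-delete of --auto has no equivalent here.
export function planActions(
  roots: string[],
  findings: Finding[],
  confirm?: (file: string) => boolean,
): Plan[] {
  return findings.map((f): Plan => {
    const { file, dangerous } = f;
    if (!roots.some((root) => isWithinRoot(root, file))) return { file, action: "skip-out-of-scope" };
    if (!dangerous) return { file, action: "clean" };
    return { file, action: confirm?.(file) === true ? "quarantine" : "report-only" };
  });
}
```

The plan is the unit a reviewer can audit: every quarantine entry can be traced to a confirm decision, and any file outside the declared root is refused before its content is ever read. Passing `--allow-full-scan` only widens the roots; it does not bypass the consent gate.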

Declared vs. actual capabilities

Filesystem · Block
Declared: READ · Inferred: READ+WRITE
vet.ts:219-263 (scanLocalComputer function scans entire drives)
Network access · Block
Declared: NONE · Inferred: READ
vet.ts:127-154 (VirusTotal API calls not mentioned in docs)
Command execution · Pass
Declared: NONE · Inferred: NONE
No shell execution found
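The table above is the output of a declared-versus-inferred comparison. As an added TypeScript example, not code from skill-security-vet or from the scanner that produced this report, here is a minimal version of that check: a regex first pass that infers filesystem, network and command-execution levels from source text and diffs them against the manifest. inferCapabilities, capabilityDiff and the marker patterns are hypothetical; SAMPLE_SOURCE is a constructed snippet written to mimic the pattern the report describes, not vet.ts.

```typescript
// Added example, not code from skill-security-vet. inferCapabilities, capabilityDiff
// and the marker patterns are hypothetical; the rows (filesystem, network, command
// execution) and the NONE/READ/READ+WRITE levels mirror the report's table.
export type Level = "NONE" | "READ" | "READ+WRITE" | "EXEC";
export interface Capabilities { filesystem: Level; network: Level; exec: Level }

const RANK: Record<Level, number> = { NONE: 0, READ: 1, "READ+WRITE": 2, EXEC: 2 };

// Coarse, regex-based inference: a reviewer's first pass over source text, not a
// parser. Each marker maps an API usage to the capability level it implies.
const MARKERS: { cap: keyof Capabilities; level: Level; re: RegExp }[] = [
  { cap: "filesystem", level: "READ", re: /\b(readdirSync|readFileSync|statSync|Bun\.file)\b/ },
  { cap: "filesystem", level: "READ+WRITE", re: /\b(writeFileSync|copyFileSync|renameSync|unlinkSync|rmSync|Bun\.write)\b/ },
  { cap: "network", level: "READ", re: /\bfetch\s*\(|https?:\/\//i },
  { cap: "exec", level: "EXEC", re: /\b(child_process|execSync|spawnSync|Bun\.spawn)\b/ },
];

export function inferCapabilities(source: string): Capabilities {
  const caps: Capabilities = { filesystem: "NONE", network: "NONE", exec: "NONE" };
  for (const m of MARKERS) {
    if (m.re.test(source) && RANK[m.level] > RANK[caps[m.cap]]) caps[m.cap] = m.level;
  }
  return caps;
}

export interface Overreach { cap: keyof Capabilities; declared: Level; inferred: Level }

// Every capability the code exercises at a higher level than the manifest declares.
export function capabilityDiff(declared: Capabilities, inferred: Capabilities): Overreach[] {
  const caps = Object.keys(declared) as (keyof Capabilities)[];
  return caps
    .filter((cap) => RANK[inferred[cap]] > RANK[declared[cap]])
    .map((cap) => ({ cap, declared: declared[cap], inferred: inferred[cap] }));
}

// Constructed sample mimicking the pattern the report describes (read a directory,
// call VirusTotal, copy and delete a match). It is not the skill's code.
export const SAMPLE_SOURCE = [
  'import { readdirSync, unlinkSync, copyFileSync } from "node:fs";',
  'const res = await fetch("https://www.virustotal.com/api/v3/files/" + hash, { headers: { "x-apikey": key } });',
  'for (const f of readdirSync(dir)) if (isDangerous(f)) { copyFileSync(f, quarantineDir); unlinkSync(f); }',
].join("\n");

// What SKILL.md declares according to the report: read-only skill scanning, no network, no shell.
export const DECLARED: Capabilities = { filesystem: "READ", network: "NONE", exec: "NONE" };
```

Run on SAMPLE_SOURCE, the diff returns exactly the two rows the report flags (filesystem READ to READ+WRITE, network NONE to READ) and nothing for command execution. Regex inference misses dynamic imports and aliased calls, so a "NONE" result is only evidence of absence when paired with a read of the code.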

Suspicious artifacts and outbound connections

Medium · External URL
https://virustotal.com

SKILL.md:46

Medium · External URL
https://www.virustotal.com/api/v3/files/$

vet.ts:127
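The medium finding on VirusTotal asks what actually leaves the machine. The URL template above (`/api/v3/files/$`) is the shape of a hash lookup, which sends a digest; a sample upload would send the file bytes. The following added TypeScript example makes the difference explicit by building both requests without sending either; it is not the skill's code. describeVtRequest and the apiKey placeholder are hypothetical; the endpoint paths are VirusTotal API v3's documented GET /files/{id} and POST /files, and the sample bytes are constructed.

```typescript
import { createHash } from "node:crypto";

// Added example, not code from skill-security-vet. It contrasts the two VirusTotal
// v3 calls a scanner can make: a hash lookup (GET /api/v3/files/{sha256}), which
// sends only a digest in the URL, and a sample upload (POST /api/v3/files), which
// sends the file's bytes. describeVtRequest and the apiKey value are hypothetical.
// Nothing touches the network: the function only builds the request so a reviewer
// can see exactly what would leave the host.
export const VT_BASE = "https://www.virustotal.com/api/v3";

export interface VtRequest {
  method: "GET" | "POST";
  url: string;
  headers: Record<string, string>;
  payloadBytes: number;      // request body size, headers excluded
  sendsFileContent: boolean;
}

export function sha256Hex(data: Uint8Array): string {
  return createHash("sha256").update(data).digest("hex");
}

export function describeVtRequest(data: Uint8Array, apiKey: string, mode: "hash" | "upload"): VtRequest {
  const headers: Record<string, string> = { "x-apikey": apiKey };
  if (mode === "hash") {
    // The digest travels in the URL path; there is no body, and the file content stays local.
    const digest = sha256Hex(data);
    return { method: "GET", url: `${VT_BASE}/files/${digest}`, headers, payloadBytes: 0, sendsFileContent: false };
  }
  // Upload: the multipart body carries the raw bytes, so the whole file leaves the host.
  return { method: "POST", url: `${VT_BASE}/files`, headers, payloadBytes: data.byteLength, sendsFileContent: true };
}
```

Even the hash-only form discloses to VirusTotal which files exist on the host, and the API key rides in the x-apikey header on every call; that is the sentence SKILL.md should carry, alongside a statement that content is never uploaded if that is the case.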

Dependencies and supply chain

Package   Version   Source   Vulnerabilities   Notes
bun       bundled   system   -                 Bun runtime required

File composition

3 files · 885 lines
TypeScript: 2 files · 768 lines · Markdown: 1 file · 117 lines
Files of concern · 2
vet.ts · TypeScript · 484 lines
Undeclared local/full computer scanning mode · Automatic file quarantine without consent · Undocumented VirusTotal API integration · Suspicious file pattern matching · Broad exclusion list suggests awareness of sensitive areas · https://www.virustotal.com/api/v3/files/$
SKILL.md · Markdown · 117 lines
https://virustotal.com
Other files · startup-scan.ts

Security highlights

Security scanning patterns are well-defined and comprehensive
Uses VirusTotal for external threat intelligence (legitimate security tool feature)
No direct exfiltration of credentials observed - only pattern matching
No reverse shell, C2, or direct malicious code execution
API key stored locally in config directory, not hardcoded