Low risk: risk score 20/100
Last scanned: 1 day ago
codex-swarm
OpenAI Codex-native multi-agent swarm orchestration for parallel coding with git worktrees, tmux tracking, endorsement gates, native code review, integration merging, and webhook notifications.
A legitimate OpenAI Codex multi-agent orchestration skill. Network access to Telegram and webhooks is used for notifications but is only partially declared in SKILL.md. No credential theft, data exfiltration, or obfuscation detected.
Skill name: codex-swarm
Analysis time: 63.0s
Engine: pi
Can be installed
Document the Telegram API integration explicitly in SKILL.md and remove or pin the optional config file sourcing pattern to avoid unexpected variable injection.

Security findings: 3

Severity | Finding | Location
Low
Telegram API integration not explicitly declared (Documentation deception)
scripts/notify.sh makes curl requests to https://api.telegram.org/bot${TOKEN}/sendMessage using SWARM_TELEGRAM_BOT_TOKEN and SWARM_TELEGRAM_CHAT_ID. SKILL.md mentions 'webhook notifications' and 'Telegram notification' tables but does not enumerate the exact API endpoint or the token variables required.
curl -s "https://api.telegram.org/bot${SWARM_TELEGRAM_BOT_TOKEN}/sendMessage"
→ Add a dedicated 'Telegram Setup' section in SKILL.md documenting the required environment variables and the notification mechanism.
scripts/notify.sh:22
Low
Optional config sourcing not documented (Documentation deception)
Multiple scripts contain [ -f "$SWARM_DIR/config/swarm.conf" ] && source ... which would load arbitrary shell variables. The config file is not distributed in the package. This pattern could load unexpected values if a config file is later created.
[ -f "$SWARM_DIR/config/swarm.conf" ] && source "$SWARM_DIR/config/swarm.conf"
→ Document the expected config variables or remove the optional sourcing and require explicit variable passing.
scripts/notify.sh:8
Info
Runner scripts written to logs directory with embedded prompt content (Sensitive access)
spawn-agent.sh writes a runner script to $SWARM_DIR/logs/${TMUX_SESSION}-run.sh containing the prompt content. If the logs directory is world-readable, prompt content could be exposed. The PROMPT_FILE path itself is not sanitized against path injection.
cat > "$RUNNER" << RUNEOF ... - < "$PROMPT_FILE" ... RUNEOF
→ Ensure $SWARM_DIR/logs has restricted permissions (0700) and consider adding path validation for PROMPT_FILE.
scripts/spawn-agent.sh:82
Resource type | Declared permission | Inferred permission | Status | Evidence
Command execution | WRITE | WRITE | ✓ Consistent | spawn-agent.sh:80-100 writes runner script; cleanup.sh kills tmux sessions
File system | WRITE | WRITE | ✓ Consistent | spawn-agent.sh:68-69 writes PROMPT_FILE to $SWARM_DIR/logs/
Network access | READ | WRITE | ✓ Consistent | notify.sh:22-27 uses curl POST to webhook URL and Telegram API — declared as 'we…
Environment variables | NONE | READ | ✓ Consistent | notify.sh reads SWARM_TELEGRAM_BOT_TOKEN, SWARM_TELEGRAM_CHAT_ID, SWARM_WEBHOOK_…
Skill invocation | NONE | NONE | | No skill_invoke calls detected
Clipboard | NONE | NONE | | No clipboard access
Browser | NONE | NONE | | No browser access
Database | NONE | NONE | | No database access
1 finding
Medium: External URL
https://api.telegram.org/bot$
scripts/notify.sh:22

Directory structure

10 files · 17.6 KB · 504 lines
Shell 8f · 417L Markdown 1f · 63L JSON 1f · 24L
├─ 📁 config
│ └─ 📋 duty-table.json JSON 24L · 601 B
├─ 📁 scripts
│ ├─ 🔧 check-agents.sh Shell 24L · 757 B
│ ├─ 🔧 cleanup.sh Shell 45L · 1.2 KB
│ ├─ 🔧 endorse-task.sh Shell 8L · 391 B
│ ├─ 🔧 integration-watcher.sh Shell 75L · 2.6 KB
│ ├─ 🔧 notify-on-complete.sh Shell 41L · 1.5 KB
│ ├─ 🔧 notify.sh Shell 36L · 1.0 KB
│ ├─ 🔧 spawn-agent.sh Shell 142L · 5.4 KB
│ └─ 🔧 spawn-batch.sh Shell 46L · 1.8 KB
└─ 📝 SKILL.md Markdown 63L · 2.4 KB

Security highlights

✓ Endorsement gate in spawn-agent.sh requires a pre-created approval file before spawning any agent, providing a manual safety check
✓ Cooldown mechanism (30s default) prevents rapid re-spawning of agents without re-endorsement
✓ All network calls are outbound notifications (POST to configured webhooks/Telegram) — no inbound C2 connections or unsolicited network behavior
✓ No base64, eval(), or obfuscated code patterns found across all 8 shell scripts
✓ No credential harvesting — SWARM_TELEGRAM_BOT_TOKEN is used only to send messages, not to exfiltrate tokens
✓ No access to ~/.ssh, ~/.aws, .env, or other sensitive credential paths
✓ No supply chain risk — no package dependencies, no pip/npm install, no remote script download
✓ Legitimate use of subprocess for git operations (worktree, branch, merge), tmux session management, and codex CLI invocation — all directly relevant to the stated multi-agent orchestration purpose