Suspicious — Risk Score 38/100
Last scan: 19 hr ago
crewai-team
Use a CrewAI multi-agent team for product requirements analysis and PRD generation
Skill contains hardcoded API credentials and undocumented network access, but implements a legitimate CrewAI workflow wrapper without malicious code execution.
Skill Name: crewai-team
Duration: 89.9s
Engine: pi
Use with caution
Remove all hardcoded API keys from source files and migrate to environment variables or a secrets manager. Declare network access in SKILL.md. Pin all dependency versions. Audit the hardcoded key sk-sp-e0fb4e4a6dba43fb9bd707b8ef48bd6b — if real, rotate immediately as it appears in 15 Python files.

Attack Chain 3 steps

Entry Attacker reads any Python source file to extract hardcoded API key
team_config_discussion.py:12
Escalation Attacker uses extracted DashScope API key for unauthorized LLM API calls
N/A
Impact Victim incurs unauthorized billing charges on DashScope account
N/A

Findings 4 items

Severity Finding Location
High
Hardcoded API credential in 15 Python files Credential Theft
The DashScope API key 'sk-sp-e0fb4e4a6dba43fb9bd707b8ef48bd6b' is hardcoded inline in all team_config_*.py and run_*.py files. This key is written directly into source code, making it trivially extractable by anyone with read access to the skill. If this is a real key, it enables unauthorized API usage and potential billing fraud on the account owner's DashScope subscription.
DASHSCOPE_API_KEY = "sk-sp-e0fb4e4a6dba43fb9bd707b8ef48bd6b"
→ Remove all hardcoded keys. Use os.environ.get('DASHSCOPE_API_KEY') exclusively. Store the real key in .env (gitignored) or a secrets manager. Rotate the key immediately if it is real.
team_config_discussion.py:12
High
Network access not declared in SKILL.md Doc Mismatch
SKILL.md declares 'network: NONE' but the skill makes outbound HTTPS API calls to https://coding.dashscope.aliyuncs.com/v1. This is the primary functionality of the skill (calling LLM APIs), yet it is completely undeclared in the skill definition.
metadata declares no network access but all Python files call dashscope.aliyuncs.com
→ Update SKILL.md to declare network:READ or network:WRITE. This is the most impactful documentation gap.
SKILL.md:1
Medium
All dependencies unpinned Supply Chain
requirements.txt uses only lower-bound (>=) constraints, with no pinned versions, for all 5 packages (crewai>=0.1.0, crewai-tools>=0.0.1, langchain-community>=0.0.1, langchain-openai>=0.0.1, duckduckgo-search>=4.0.0). This enables supply chain attacks through dependency confusion or malicious package updates.
crewai>=0.1.0
→ Pin exact versions for all dependencies to known-good releases.
requirements.txt:1
Low
curl|sh pattern documented without justification Doc Mismatch
USAGE.md:16 documents 'curl -LsSf https://astral.sh/uv/install.sh | sh' for installing the uv package manager. While this is a documented CLI tool, it is not declared as necessary shell access in SKILL.md and is not executed by any Python code — only described in prose.
curl -LsSf https://astral.sh/uv/install.sh | sh
→ Document shell:WRITE requirement in SKILL.md if shell access is truly needed, or remove the curl|sh instructions.
USAGE.md:16
Resource Declared Inferred Status Evidence
Filesystem NONE READ ✓ Aligned Uses os.path operations and open() for file writes (prd_*.md output files)
Network NONE WRITE ✗ Violation Makes HTTPS POST to https://coding.dashscope.aliyuncs.com/v1 without SKILL.md de…
Shell NONE NONE No subprocess/shell execution in any Python code; curl|sh only in documentation
Environment NONE WRITE ✓ Aligned Sets os.environ['OPENAI_API_KEY'] and ['OPENAI_API_BASE'] in run_*.py files
Database NONE NONE No database access
Skill Invoke NONE NONE No cross-skill invocation
Clipboard NONE NONE No clipboard access
Browser NONE NONE No browser automation
1 Critical 4 High 9 findings
Critical Dangerous Command (dangerous shell command)
curl -LsSf https://astral.sh/uv/install.sh | sh
USAGE.md:16
High API Key (suspected hardcoded credential)
API_KEY="sk-your-actual-key-here"
COMPLETE.md:55
High API Key (suspected hardcoded credential)
API_KEY="sk-your-openai-key-here"
SETUP.md:47
High API Key (suspected hardcoded credential)
API_KEY = "sk-sp-e0fb4e4a6dba43fb9bd707b8ef48bd6b"
team_config_discussion.py:12
High API Key (suspected hardcoded credential)
api_key = "sk-sp-e0fb4e4a6dba43fb9bd707b8ef48bd6b"
team_config_simple.py:13
Medium External URL
https://dashscope.console.aliyun.com/
COMPLETE.md:52
Medium External URL
https://dashscope.aliyuncs.com/compatible-mode/v1/chat/completions
SETUP.md:83
Medium External URL
https://astral.sh/uv/install.sh
USAGE.md:16
Medium External URL
https://coding.dashscope.aliyuncs.com/v1
USAGE.md:124

File Tree

29 files · 146.5 KB · 4670 lines
Python 15f · 2520L Markdown 13f · 2145L Text 1f · 5L
├─ 📝 COMPLETE.md Markdown 115L · 2.8 KB
├─ 📝 HOWTO_WORK.md Markdown 301L · 7.7 KB
├─ 📝 PARALLEL_DISCUSSION.md Markdown 236L · 5.7 KB
├─ 📝 prd_minimal_20260310_160645.md Markdown 44L · 2.3 KB
├─ 📝 prd_minimal_20260310_160746.md Markdown 46L · 2.3 KB
├─ 📝 prd_mobile_20260310_162722.md Markdown 50L · 3.0 KB
├─ 📝 prd_mobile_20260310_163256.md Markdown 50L · 3.0 KB
├─ 📝 prd_sequential_20260310_154832.md Markdown 331L · 15.9 KB
├─ 📝 README.md Markdown 116L · 2.4 KB
├─ 📄 requirements.txt Text 5L · 110 B
├─ 🐍 run_discussion.py Python 88L · 2.8 KB
├─ 🐍 run_hierarchical.py Python 95L · 3.2 KB
├─ 🐍 run_interactive.py Python 69L · 1.9 KB
├─ 🐍 run_minimal.py Python 92L · 3.0 KB
├─ 🐍 run_mobile.py Python 92L · 3.1 KB
├─ 🐍 run_openclaw.py Python 45L · 1.1 KB
├─ 🐍 run_team.py Python 52L · 1.2 KB
├─ 🐍 run_with_log.py Python 157L · 6.0 KB
├─ 📝 SETUP.md Markdown 113L · 2.4 KB
├─ 📝 SKILL.md Markdown 69L · 1.6 KB
├─ 🐍 team_config_discussion.py Python 249L · 8.3 KB
├─ 🐍 team_config_hierarchical.py Python 288L · 9.2 KB
├─ 🐍 team_config_minimal.py Python 210L · 6.3 KB
├─ 🐍 team_config_mobile.py Python 213L · 7.0 KB
├─ 🐍 team_config_multi_model.py Python 316L · 9.8 KB
├─ 🐍 team_config_simple.py Python 259L · 8.0 KB
├─ 🐍 team_config.py Python 295L · 9.5 KB
├─ 📝 USAGE.md Markdown 208L · 4.4 KB
└─ 📝 VIEW_DISCUSSION_LOG.md Markdown 466L · 12.7 KB

Dependencies 5 items

Package Version Source Known Vulns Notes
crewai >=0.1.0 (unpinned) pip No Lower bound only, no upper bound; latest 1.x could introduce breaking changes
crewai-tools >=0.0.1 (unpinned) pip No No version constraints
langchain-community >=0.0.1 (unpinned) pip No No version constraints; langchain has had CVEs historically
langchain-openai >=0.0.1 (unpinned) pip No No version constraints
duckduckgo-search >=4.0.0 (unpinned) pip No No version constraints

Security Positives

✓ No actual shell command execution in Python code — the curl|sh is only in documentation
✓ No access to sensitive paths (~/.ssh, ~/.aws, .env) — only writes to cwd for PRD output files
✓ No base64-encoded payloads, eval(), or obfuscated code
✓ No reverse shell, C2 communication, or data exfiltration infrastructure
✓ DuckDuckGo search is used via langchain tool (documented API), not raw HTTP exfiltration
✓ PRDs are written to local files in cwd only, not sent to external servers