Skill Trust Decision

crewai-team

Skill contains hardcoded API credentials and undocumented network access, but implements a legitimate CrewAI workflow wrapper without malicious code execution.

Source: Manual upload · Scanned: Apr 4, 2026
Files 29
Artifacts 9
Violations 1
Findings 4
Most direct threat evidence
01
Attacker reads any Python source file to extract hardcoded API key Entry · team_config_discussion.py
02
Attacker uses extracted DashScope API key for unauthorized LLM API calls Exploitation · N/A
03
Victim incurs unauthorized billing charges on DashScope account Impact · N/A

Why this conclusion was reached

3/4 dimensions flagged
Block
Declared vs actual capability

1 undeclared or violating capability was inferred.

Block
Hidden execution and egress

5 high-risk artifacts or egress signals were extracted.

Block
Attack chain and severe findings

The report includes 3 attack-chain steps and 2 severe findings.

Review
Dependencies and supply chain hygiene

1 dependency or supply-chain issue needs attention.

Attack Chain

01
Attacker reads any Python source file to extract hardcoded API key

Entry · team_config_discussion.py:12

02
Attacker uses extracted DashScope API key for unauthorized LLM API calls

Exploitation · N/A

03
Victim incurs unauthorized billing charges on DashScope account

Impact · N/A

What drove the risk score up

Hardcoded API credential in 15 Python files +20

DASHSCOPE_API_KEY='sk-sp-e0fb4e4a6dba43fb9bd707b8ef48bd6b' is hardcoded inline in team_config_*.py and run_*.py files; if this is a real key it enables unauthorized API usage and billing fraud

Undeclared network access +10

SKILL.md declares network:NONE but code makes outbound HTTPS calls to dashscope.aliyuncs.com without disclosure

Unpinned dependencies +5

requirements.txt has no version constraints: crewai>=0.1.0, crewai-tools>=0.0.1, etc., enabling supply chain attacks

curl|sh in documentation +3

USAGE.md:16 instructs the reader to pipe curl into sh to install uv; the skill's code does not execute this itself, but the documentation promotes a dangerous pattern

Most important evidence

High Credential Theft

Hardcoded API credential in 15 Python files

The DashScope API key 'sk-sp-e0fb4e4a6dba43fb9bd707b8ef48bd6b' is hardcoded inline in all team_config_*.py and run_*.py files. This key is written directly into source code, making it trivially extractable by anyone with read access to the skill. If this is a real key, it enables unauthorized API usage and potential billing fraud on the account owner's DashScope subscription.

team_config_discussion.py:12
Remove all hardcoded keys. Use os.environ.get('DASHSCOPE_API_KEY') exclusively. Store the real key in .env (gitignored) or a secrets manager. Rotate the key immediately if it is real.
High Doc Mismatch

Network access not declared in SKILL.md

SKILL.md declares 'network: NONE' but the skill makes outbound HTTPS API calls to https://coding.dashscope.aliyuncs.com/v1. This is the primary functionality of the skill (calling LLM APIs), yet it is completely undeclared in the skill definition.

SKILL.md:1
Update SKILL.md to declare network:READ or network:WRITE. This is the most impactful documentation gap.
Medium Supply Chain

All dependencies unpinned

requirements.txt has zero version constraints for all 5 packages (crewai>=0.1.0, crewai-tools>=0.0.1, langchain-community>=0.0.1, langchain-openai>=0.0.1, duckduckgo-search>=4.0.0). This enables supply chain attacks through dependency confusion or malicious package updates.

requirements.txt:1
Pin exact versions for all dependencies to known-good releases.
Low Doc Mismatch

curl|sh pattern documented without justification

USAGE.md:16 documents 'curl -LsSf https://astral.sh/uv/install.sh | sh' for installing the uv package manager. While this is a documented CLI tool, it is not declared as necessary shell access in SKILL.md and is not executed by any Python code — only described in prose.

USAGE.md:16
Document shell:WRITE requirement in SKILL.md if shell access is truly needed, or remove the curl|sh instructions.

Declared capability vs actual capability

Capability | Verdict | Declared | Inferred | Evidence
Filesystem | Pass | NONE | READ | Uses os.path operations and open() for file writes (prd_*.md output files)
Network | Block | NONE | WRITE | Makes HTTPS POST to https://coding.dashscope.aliyuncs.com/v1 without SKILL.md declaration
Shell | Pass | NONE | NONE | No subprocess/shell execution in any Python code; curl|sh only in documentation
Environment | Pass | NONE | WRITE | Sets os.environ['OPENAI_API_KEY'] and ['OPENAI_API_BASE'] in run_*.py files
Database | Pass | NONE | NONE | No database access
Skill Invoke | Pass | NONE | NONE | No cross-skill invocation
Clipboard | Pass | NONE | NONE | No clipboard access
Browser | Pass | NONE | NONE | No browser automation

Suspicious artifacts and egress

Critical Dangerous Command
curl -LsSf https://astral.sh/uv/install.sh | sh

USAGE.md:16

High API Key
API_KEY="sk-your-actual-key-here"

COMPLETE.md:55

High API Key
API_KEY="sk-your-openai-key-here"

SETUP.md:47

High API Key
API_KEY = "sk-sp-e0fb4e4a6dba43fb9bd707b8ef48bd6b"

team_config_discussion.py:12

High API Key
api_key = "sk-sp-e0fb4e4a6dba43fb9bd707b8ef48bd6b"

team_config_simple.py:13

Medium External URL
https://dashscope.console.aliyun.com/

COMPLETE.md:52

Medium External URL
https://dashscope.aliyuncs.com/compatible-mode/v1/chat/completions

SETUP.md:83

Medium External URL
https://astral.sh/uv/install.sh

USAGE.md:16

Medium External URL
https://coding.dashscope.aliyuncs.com/v1

USAGE.md:124

Dependencies and supply chain

Package | Version | Source | Known vuln | Notes
crewai | >=0.1.0 (unpinned) | pip | No | Major version pinned but no upper bound; latest 1.x could introduce breaking changes
crewai-tools | >=0.0.1 (unpinned) | pip | No | No version constraints
langchain-community | >=0.0.1 (unpinned) | pip | No | No version constraints; langchain has had CVEs historically
langchain-openai | >=0.0.1 (unpinned) | pip | No | No version constraints
duckduckgo-search | >=4.0.0 (unpinned) | pip | No | No version constraints

File composition

29 files · 4670 lines
Python · 15 files · 2520 lines
Markdown · 13 files · 2145 lines
Text · 1 file · 5 lines
Files of concern · 2
team_config_discussion.py Python · 249 lines
Hardcoded API credential in 15 Python files · API_KEY = "sk-sp-e0fb4e4a6dba43fb9bd707b8ef48bd6b"
team_config_simple.py Python · 259 lines
api_key = "sk-sp-e0fb4e4a6dba43fb9bd707b8ef48bd6b"
Other files · prd_sequential_20260310_154832.md · VIEW_DISCUSSION_LOG.md · team_config_multi_model.py · team_config.py · team_config_hierarchical.py · HOWTO_WORK.md · and 4 more

Security positives

No actual shell command execution in Python code — the curl|sh is only in documentation
No access to sensitive paths (~/.ssh, ~/.aws, .env) — only writes to cwd for PRD output files
No base64-encoded payloads, eval(), or obfuscated code
No reverse shell, C2 communication, or data exfiltration infrastructure
DuckDuckGo search is used via langchain tool (documented API), not raw HTTP exfiltration
PRDs are written to local files in cwd only, not sent to external servers