Suspicious: risk score 38/100
Last scanned: 20 hours ago
crewai-team
Uses a CrewAI multi-agent team for product requirements analysis and PRD generation
Skill contains hardcoded API credentials and undocumented network access, but implements a legitimate CrewAI workflow wrapper without malicious code execution.
Skill name: crewai-team
Analysis time: 89.9s
Engine: pi
Use with caution
Remove all hardcoded API keys from source files and migrate to environment variables or a secrets manager. Declare network access in SKILL.md. Pin all dependency versions. Audit the hardcoded key sk-sp-e0fb4e4a6dba43fb9bd707b8ef48bd6b — if real, rotate immediately as it appears in 15 Python files.

Attack chain: 3 steps

Entry: Attacker reads any Python source file to extract hardcoded API key
team_config_discussion.py:12
Privilege escalation: Attacker uses extracted DashScope API key for unauthorized LLM API calls
N/A
Impact: Victim incurs unauthorized billing charges on DashScope account
N/A

Security findings: 4

Severity · Finding · Location
High
Hardcoded API credential in 15 Python files · Credential theft
The DashScope API key 'sk-sp-e0fb4e4a6dba43fb9bd707b8ef48bd6b' is hardcoded inline in all team_config_*.py and run_*.py files. This key is written directly into source code, making it trivially extractable by anyone with read access to the skill. If this is a real key, it enables unauthorized API usage and potential billing fraud on the account owner's DashScope subscription.
DASHSCOPE_API_KEY = "sk-sp-e0fb4e4a6dba43fb9bd707b8ef48bd6b"
→ Remove all hardcoded keys. Use os.environ.get('DASHSCOPE_API_KEY') exclusively. Store the real key in .env (gitignored) or a secrets manager. Rotate the key immediately if it is real.
team_config_discussion.py:12
High
Network access not declared in SKILL.md · Documentation deception
SKILL.md declares 'network: NONE' but the skill makes outbound HTTPS API calls to https://coding.dashscope.aliyuncs.com/v1. This is the primary functionality of the skill (calling LLM APIs), yet it is completely undeclared in the skill definition.
metadata declares no network access but all Python files call dashscope.aliyuncs.com
→ Update SKILL.md to declare network:READ or network:WRITE. This is the most impactful documentation gap.
SKILL.md:1
Medium
All dependencies unpinned · Supply chain
requirements.txt has no exact version pins for any of its 5 packages; each has only a lower bound (crewai>=0.1.0, crewai-tools>=0.0.1, langchain-community>=0.0.1, langchain-openai>=0.0.1, duckduckgo-search>=4.0.0). This enables supply chain attacks through dependency confusion or malicious package updates.
crewai>=0.1.0
→ Pin exact versions for all dependencies to known-good releases.
requirements.txt:1
Low
curl|sh pattern documented without justification · Documentation deception
USAGE.md:16 documents 'curl -LsSf https://astral.sh/uv/install.sh | sh' for installing the uv package manager. While this is a documented CLI tool, it is not declared as necessary shell access in SKILL.md and is not executed by any Python code — only described in prose.
curl -LsSf https://astral.sh/uv/install.sh | sh
→ Document shell:WRITE requirement in SKILL.md if shell access is truly needed, or remove the curl|sh instructions.
USAGE.md:16
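| Resource type | Declared permission | Inferred permission | Status | Evidence |
|---|---|---|---|---|
| Filesystem | NONE | READ | ✓ Consistent | Uses os.path operations and open() for file writes (prd_*.md output files) |
| Network access | NONE | WRITE | ✗ Exceeds declared | Makes HTTPS POST to https://coding.dashscope.aliyuncs.com/v1 without SKILL.md de… |
| Command execution | NONE | NONE | | No subprocess/shell execution in any Python code; curl\|sh only in documentation |
| Environment variables | NONE | WRITE | ✓ Consistent | Sets os.environ['OPENAI_API_KEY'] and ['OPENAI_API_BASE'] in run_*.py files |
| Database | NONE | NONE | | No database access |
| Skill invocation | NONE | NONE | | No cross-skill invocation |
| Clipboard | NONE | NONE | | No clipboard access |
| Browser | NONE | NONE | | No browser automation |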
1 critical, 4 high, 9 findings
Critical · Dangerous command · Dangerous shell command
curl -LsSf https://astral.sh/uv/install.sh | sh
USAGE.md:16
High · API key · Suspected hardcoded credential
API_KEY="sk-your-actual-key-here"
COMPLETE.md:55
High · API key · Suspected hardcoded credential
API_KEY="sk-your-openai-key-here"
SETUP.md:47
High · API key · Suspected hardcoded credential
API_KEY = "sk-sp-e0fb4e4a6dba43fb9bd707b8ef48bd6b"
team_config_discussion.py:12
High · API key · Suspected hardcoded credential
api_key = "sk-sp-e0fb4e4a6dba43fb9bd707b8ef48bd6b"
team_config_simple.py:13
Medium · External URL
https://dashscope.console.aliyun.com/
COMPLETE.md:52
Medium · External URL
https://dashscope.aliyuncs.com/compatible-mode/v1/chat/completions
SETUP.md:83
Medium · External URL
https://astral.sh/uv/install.sh
USAGE.md:16
Medium · External URL
https://coding.dashscope.aliyuncs.com/v1
USAGE.md:124

Directory structure

29 files · 146.5 KB · 4670 lines
Python 15f · 2520L Markdown 13f · 2145L Text 1f · 5L
├─ 📝 COMPLETE.md Markdown 115L · 2.8 KB
├─ 📝 HOWTO_WORK.md Markdown 301L · 7.7 KB
├─ 📝 PARALLEL_DISCUSSION.md Markdown 236L · 5.7 KB
├─ 📝 prd_minimal_20260310_160645.md Markdown 44L · 2.3 KB
├─ 📝 prd_minimal_20260310_160746.md Markdown 46L · 2.3 KB
├─ 📝 prd_mobile_20260310_162722.md Markdown 50L · 3.0 KB
├─ 📝 prd_mobile_20260310_163256.md Markdown 50L · 3.0 KB
├─ 📝 prd_sequential_20260310_154832.md Markdown 331L · 15.9 KB
├─ 📝 README.md Markdown 116L · 2.4 KB
├─ 📄 requirements.txt Text 5L · 110 B
├─ 🐍 run_discussion.py Python 88L · 2.8 KB
├─ 🐍 run_hierarchical.py Python 95L · 3.2 KB
├─ 🐍 run_interactive.py Python 69L · 1.9 KB
├─ 🐍 run_minimal.py Python 92L · 3.0 KB
├─ 🐍 run_mobile.py Python 92L · 3.1 KB
├─ 🐍 run_openclaw.py Python 45L · 1.1 KB
├─ 🐍 run_team.py Python 52L · 1.2 KB
├─ 🐍 run_with_log.py Python 157L · 6.0 KB
├─ 📝 SETUP.md Markdown 113L · 2.4 KB
├─ 📝 SKILL.md Markdown 69L · 1.6 KB
├─ 🐍 team_config_discussion.py Python 249L · 8.3 KB
├─ 🐍 team_config_hierarchical.py Python 288L · 9.2 KB
├─ 🐍 team_config_minimal.py Python 210L · 6.3 KB
├─ 🐍 team_config_mobile.py Python 213L · 7.0 KB
├─ 🐍 team_config_multi_model.py Python 316L · 9.8 KB
├─ 🐍 team_config_simple.py Python 259L · 8.0 KB
├─ 🐍 team_config.py Python 295L · 9.5 KB
├─ 📝 USAGE.md Markdown 208L · 4.4 KB
└─ 📝 VIEW_DISCUSSION_LOG.md Markdown 466L · 12.7 KB

Dependency analysis: 5 items

| Package | Version | Source | Known vulnerabilities | Notes |
|---|---|---|---|---|
| crewai | >=0.1.0 (unpinned) | pip | | Major version pinned but no upper bound; latest 1.x could introduce breaking changes |
| crewai-tools | >=0.0.1 (unpinned) | pip | | No version constraints |
| langchain-community | >=0.0.1 (unpinned) | pip | | No version constraints; langchain has had CVEs historically |
| langchain-openai | >=0.0.1 (unpinned) | pip | | No version constraints |
| duckduckgo-search | >=4.0.0 (unpinned) | pip | | No version constraints |

Security highlights

✓ No actual shell command execution in Python code — the curl|sh is only in documentation
✓ No access to sensitive paths (~/.ssh, ~/.aws, .env) — only writes to cwd for PRD output files
✓ No base64-encoded payloads, eval(), or obfuscated code
✓ No reverse shell, C2 communication, or data exfiltration infrastructure
✓ DuckDuckGo search is used via langchain tool (documented API), not raw HTTP exfiltration
✓ PRDs are written to local files in cwd only, not sent to external servers