Security Decision Report

crewai-team

Skill contains hardcoded API credentials and undocumented network access, but implements a legitimate CrewAI workflow wrapper without malicious code execution.

Install decision (priority) · Source: manual upload · Scan time: 2026/4/4
Files: 29 · IOCs: 9 · Overreach items: 1 · Findings: 4

Most direct threat evidence

01 Attacker reads any Python source file to extract the hardcoded API key (Initial entry · team_config_discussion.py)
02 Attacker uses the extracted DashScope API key for unauthorized LLM API calls (Exploitation · N/A)
03 Victim incurs unauthorized billing charges on the DashScope account (Final impact · N/A)

Why this conclusion was reached

3 of 4 dimensions triggered

Block · Declared vs. actual capabilities
1 capability beyond what is declared, or privilege overreach, was found.

Block · Hidden execution and outbound connections
5 high-risk IOCs or outbound-connection signals were extracted.

Block · Attack chain and high-risk findings
The report contains a 3-step attack chain, plus 2 high or critical findings.

Review · Dependencies and supply-chain hygiene
1 dependency or supply-chain lead requiring attention was found.

Attack chain

01 Attacker reads any Python source file to extract the hardcoded API key
Initial entry · team_config_discussion.py:12

02 Attacker uses the extracted DashScope API key for unauthorized LLM API calls
Exploitation · N/A

03 Victim incurs unauthorized billing charges on the DashScope account
Final impact · N/A

How the risk score was raised

Hardcoded API credential in 15 Python files +20

DASHSCOPE_API_KEY='sk-sp-e0fb4e4a6dba43fb9bd707b8ef48bd6b' is hardcoded inline in team_config_*.py and run_*.py files; if this is a real key it enables unauthorized API usage and billing fraud

Undeclared network access +10

SKILL.md declares network:NONE but code makes outbound HTTPS calls to dashscope.aliyuncs.com without disclosure

Unpinned dependencies +5

requirements.txt has no version constraints: crewai>=0.1.0, crewai-tools>=0.0.1, etc., enabling supply chain attacks

curl|sh in documentation +3

USAGE.md:16 instructs piping curl to sh to install uv; this is not actual code execution, but it documents a dangerous pattern

Key evidence

High · Credential theft

Hardcoded API credential in 15 Python files

The DashScope API key 'sk-sp-e0fb4e4a6dba43fb9bd707b8ef48bd6b' is hardcoded inline in all team_config_*.py and run_*.py files. This key is written directly into source code, making it trivially extractable by anyone with read access to the skill. If this is a real key, it enables unauthorized API usage and potential billing fraud on the account owner's DashScope subscription.

team_config_discussion.py:12
Remove all hardcoded keys. Use os.environ.get('DASHSCOPE_API_KEY') exclusively. Store the real key in .env (gitignored) or a secrets manager. Rotate the key immediately if it is real.
High · Misleading documentation

Network access not declared in SKILL.md

SKILL.md declares 'network: NONE' but the skill makes outbound HTTPS API calls to https://coding.dashscope.aliyuncs.com/v1. This is the primary functionality of the skill (calling LLM APIs), yet it is completely undeclared in the skill definition.

SKILL.md:1
Update SKILL.md to declare network:READ or network:WRITE. This is the most impactful documentation gap.
Medium · Supply chain

All dependencies unpinned

requirements.txt has zero version constraints for all 5 packages (crewai>=0.1.0, crewai-tools>=0.0.1, langchain-community>=0.0.1, langchain-openai>=0.0.1, duckduckgo-search>=4.0.0). This enables supply chain attacks through dependency confusion or malicious package updates.

requirements.txt:1
Pin exact versions for all dependencies to known-good releases.
Low · Misleading documentation

curl|sh pattern documented without justification

USAGE.md:16 documents 'curl -LsSf https://astral.sh/uv/install.sh | sh' for installing the uv package manager. While this is a documented CLI tool, it is not declared as necessary shell access in SKILL.md and is not executed by any Python code — only described in prose.

USAGE.md:16
Document shell:WRITE requirement in SKILL.md if shell access is truly needed, or remove the curl|sh instructions.

Declared capabilities vs. actual capabilities

Capability        | Result | Declared | Inferred | Evidence
File system       | Pass   | NONE     | READ     | Uses os.path operations and open() for file writes (prd_*.md output files)
Network access    | Block  | NONE     | WRITE    | Makes HTTPS POST to https://coding.dashscope.aliyuncs.com/v1 without SKILL.md declaration
Command execution | Pass   | NONE     | NONE     | No subprocess/shell execution in any Python code; curl|sh only in documentation
Environment vars  | Pass   | NONE     | WRITE    | Sets os.environ['OPENAI_API_KEY'] and ['OPENAI_API_BASE'] in run_*.py files
Database          | Pass   | NONE     | NONE     | No database access
Skill invocation  | Pass   | NONE     | NONE     | No cross-skill invocation
Clipboard         | Pass   | NONE     | NONE     | No clipboard access
Browser           | Pass   | NONE     | NONE     | No browser automation

Suspicious artifacts and outbound connections

Critical · Dangerous command
curl -LsSf https://astral.sh/uv/install.sh | sh
USAGE.md:16

High · API key
API_KEY="sk-your-actual-key-here"
COMPLETE.md:55

High · API key
API_KEY="sk-your-openai-key-here"
SETUP.md:47

High · API key
API_KEY = "sk-sp-e0fb4e4a6dba43fb9bd707b8ef48bd6b"
team_config_discussion.py:12

High · API key
api_key = "sk-sp-e0fb4e4a6dba43fb9bd707b8ef48bd6b"
team_config_simple.py:13

Medium · External URL
https://dashscope.console.aliyun.com/
COMPLETE.md:52

Medium · External URL
https://dashscope.aliyuncs.com/compatible-mode/v1/chat/completions
SETUP.md:83

Medium · External URL
https://astral.sh/uv/install.sh
USAGE.md:16

Medium · External URL
https://coding.dashscope.aliyuncs.com/v1
USAGE.md:124

Dependencies and supply chain

Package             | Version             | Source | Vulnerability | Notes
crewai              | >=0.1.0 (unpinned)  | pip    |               | Major version pinned but no upper bound; latest 1.x could introduce breaking changes
crewai-tools        | >=0.0.1 (unpinned)  | pip    |               | No version constraints
langchain-community | >=0.0.1 (unpinned)  | pip    |               | No version constraints; langchain has had CVEs historically
langchain-openai    | >=0.0.1 (unpinned)  | pip    |               | No version constraints
duckduckgo-search   | >=4.0.0 (unpinned)  | pip    |               | No version constraints

File composition

29 files · 4670 lines
Python: 15 files · 2520 lines
Markdown: 13 files · 2145 lines
Text: 1 file · 5 lines

Files needing attention · 2
team_config_discussion.py (Python · 249 lines)
Hardcoded API credential in 15 Python files · API_KEY = "sk-sp-e0fb4e4a6dba43fb9bd707b8ef48bd6b"
team_config_simple.py (Python · 259 lines)
api_key = "sk-sp-e0fb4e4a6dba43fb9bd707b8ef48bd6b"

Other files · prd_sequential_20260310_154832.md · VIEW_DISCUSSION_LOG.md · team_config_multi_model.py · team_config.py · team_config_hierarchical.py · HOWTO_WORK.md +4

Security highlights

No actual shell command execution in Python code — the curl|sh is only in documentation
No access to sensitive paths (~/.ssh, ~/.aws, .env) — only writes to cwd for PRD output files
No base64-encoded payloads, eval(), or obfuscated code
No reverse shell, C2 communication, or data exfiltration infrastructure
DuckDuckGo search is used via langchain tool (documented API), not raw HTTP exfiltration
PRDs are written to local files in cwd only, not sent to external servers