Security Decision Report

search

Skill contains hardcoded API credentials and makes undisclosed external network requests to Tavily's API, with doc-to-code mismatch on credential handling.

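Install decision first · Source: manual upload · Scan time: 2026/4/4
Files 8
IOC 5
Privilege overreach items 0
Findings 5
Most direct threat evidence
High risk · Credential theft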
Hardcoded API Credential in Source Code

A Tavily API key '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' is hardcoded in plugin.ts and providers/tavily.ts. This is a developer/testing key exposed in plaintext that could be harvested and abused.

plugin.ts:75

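Why this conclusion was reached

1 of 4 dimensions triggered
Pass
Declared vs. actual capabilities

Declared resources and inferred capabilities are largely consistent.

Review
Hidden execution and outbound connections

5 general-risk artifacts were extracted; they need to be assessed in context.

Block
Attack chains and high-risk findings

The report contains 0 attack-chain steps, plus 2 high-risk or critical findings.

Pass
Dependency and supply-chain hygiene

A dependency structure is present, but no obvious high-risk alerts have been seen so far.

How the risk score was raised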

Hardcoded API credential +25

Tavily API key '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' embedded in source code at plugin.ts:75 and providers/tavily.ts:15

Undisclosed external network calls +20

SKILL.md does not mention Tavily API calls; user queries sent to api.tavily.com

Doc-to-code mismatch +10

Documentation presents Tavily as 'Free (dev)' feature without revealing hardcoded key usage

Key evidence

High risk · Credential theft

Hardcoded API Credential in Source Code

A Tavily API key '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' is hardcoded in plugin.ts and providers/tavily.ts. This is a developer/testing key exposed in plaintext that could be harvested and abused.

plugin.ts:75
Remove hardcoded credentials. Require users to provide their own TAVILY_API_KEY via environment configuration. Never commit API keys to source code.
High risk · Data exfiltration

Undisclosed External API Calls

User search queries are sent to api.tavily.com without clear disclosure in SKILL.md. This means user search behavior data is logged by Tavily's service.

providers/tavily.ts:20
Document all external API endpoints and data flows. Obtain explicit user consent for data transmission to third-party services.
Medium risk · Documentation deception

Hardcoded Key Misrepresented as Feature

SKILL.md presents Tavily integration as a 'Free (dev)' feature without disclosing that it relies on a hardcoded development API key rather than user-provided credentials.

SKILL.md:1
Clearly document credential requirements and explain how API keys should be configured.
Low risk · Supply chain

Hardcoded Windows Path Exposes Environment

References to absolute Windows path 'D:\winopenclaw\workspace\skills\_legacy\tavily\search_tavily_news.py' suggest development on a specific machine with specific directory structure.

plugin.ts:85
Use relative paths or configuration-driven paths. Avoid exposing internal development environment structure.
Low risk · Privilege escalation

Undeclared Shell Execution Capability

Code uses api.exec() for Python script execution, implying shell:WRITE capability that is not declared in SKILL.md.

plugin.ts:84
Document shell execution as a required capability if intentional, or refactor to use safer alternatives.

Declared capabilities vs. actual capabilities

Network access · Pass
Declared: READ
Inferred: WRITE
plugin.ts:75, providers/tavily.ts:15 - sends data to api.tavily.com
Command execution · Pass
Declared: NONE
Inferred: WRITE
plugin.ts:84-86 uses api.exec() for Python script execution

Suspicious artifacts and outbound connections

Medium risk · External URL
http://127.0.0.1:8080

plugin.ts:74

Medium risk · External URL
https://www.baidu.com/s?wd=$

plugin.ts:147

Medium risk · External URL
https://cn.bing.com/search?q=$

plugin.ts:148

Medium risk · External URL
https://www.google.com/search?q=$

plugin.ts:149

Medium risk · External URL
https://api.tavily.com/search

providers/tavily.ts:12

Dependencies and supply chain

Package | Version | Source | Vulnerabilities | Notes
fetch | built-in | Node.js | | Native fetch used for HTTP requests
crypto | built-in | Node.js | | Used for MD5 cache key hashing

File composition

8 files · 465 lines
TypeScript 5 files · 389 lines
YAML 1 file · 46 lines
Markdown 1 file · 25 lines
JSON 1 file · 5 lines
Files needing attention · 3
plugin.ts TypeScript · 201 lines
Hardcoded API Credential in Source Code · Hardcoded Windows Path Exposes Environment · Undeclared Shell Execution Capability · http://127.0.0.1:8080 · https://www.baidu.com/s?wd=$ · https://cn.bing.com/search?q=$ · https://www.google.com/search?q=$
providers/tavily.ts TypeScript · 46 lines
Undisclosed External API Calls · https://api.tavily.com/search
SKILL.md Markdown · 25 lines
Hardcoded Key Misrepresented as Feature
Other files · skill.yaml · cache.ts · multi.ts · searxng.ts · _meta.json

Security highlights

Rate limiting implemented (20 calls/min) to prevent abuse
In-memory caching reduces redundant API calls
Local SearXNG option respects privacy by keeping searches local
Graceful fallback between search engines
No credential exfiltration or C2 communication detected