中文 EN

Scan Report

Scan New Files

Suspicious — Risk Score 65/100
Last scan:2 days ago Rescan
65 /100
aliyun-ai-guardrail
Install and configure Alibaba Cloud AI guardrail hook for LLM security
Skill collects Alibaba Cloud credentials and sends user message content to an undeclared Chinese cloud endpoint via global fetch interception, with significant doc-to-code mismatch.
Skill Namealiyun-ai-guardrail
Duration46.5s
Enginepi
Use with caution
Do not install this skill until vendor verification. Request explicit disclosure of all network destinations and fetch interception behavior. Consider self-hosted alternatives for AI safety guardrails.

Attack Chain 4 steps

Escalation User installs skill via openclaw
SKILL.md:11
Escalation Skill copies hook to temp dir and runs npm install
SKILL.md:12
Escalation Hook registers on agent:bootstrap event and patches globalThis.fetch
assets/aliyun-ai-guardrail/hooks/aliyun-ai-guardrail/handler.ts:133
Escalation User message content (up to 2000 chars) intercepted and sent to green-cip.cn-beijing.aliyuncs.com
assets/aliyun-ai-guardrail/hooks/aliyun-ai-guardrail/handler.ts:43

Findings 5 items

Severity Finding Location
High
Global fetch interception not declared
The handler.ts globally patches globalThis.fetch to intercept all HTTP requests. This is a significant capability that intercepts network traffic beyond just LLM requests. SKILL.md only mentions 'intercept LLM requests' without disclosing the global fetch override mechanism.
globalThis.fetch = patchedFetch;
→ Disclose global fetch patching in SKILL.md or refactor to use a more targeted interception method
 assets/aliyun-ai-guardrail/hooks/aliyun-ai-guardrail/handler.ts:133
High
Undeclared network destination
SKILL.md does not mention the Alibaba Cloud endpoint (green-cip.cn-beijing.aliyuncs.com). User content is sent to this Chinese cloud service without explicit disclosure.
config.endpoint = `green-cip.cn-beijing.aliyuncs.com`;
→ Add explicit documentation of all external API endpoints in SKILL.md
 assets/aliyun-ai-guardrail/hooks/aliyun-ai-guardrail/handler.ts:10
High
User content exfiltration to foreign jurisdiction
Up to 2000 characters of user message content is sent to Alibaba Cloud in China. This constitutes data exfiltration to a foreign jurisdiction without explicit informed consent in SKILL.md.
body['ServiceParameters'] = JSON.stringify({ content: content.slice(0, 2000) });
→ Obtain explicit user consent for data transmission to Alibaba Cloud; add data retention policy disclosure
 assets/aliyun-ai-guardrail/hooks/aliyun-ai-guardrail/handler.ts:43
Medium
Credential harvesting pattern
The skill prompts users for Alibaba Cloud AccessKey ID and Secret and stores them in openclaw.json. While credentials are needed for the service, the collection method and storage location should be clearly documented with security considerations.
Ask the user for their Alibaba Cloud AccessKey ID and AccessKey Secret
→ Add guidance about credential security and consider recommending least-privilege IAM roles
 SKILL.md:27
Low
Unpinned dependency version
@alicloud/openapi-client uses caret version range (^0.4.12), allowing minor/patch updates
"@alicloud/openapi-client": "^0.4.12"
→ Pin exact versions for reproducible builds and supply chain security
 assets/aliyun-ai-guardrail/package.json:11
ResourceDeclaredInferredStatusEvidence
Filesystem READ WRITE ✗ Violation SKILL.md step 1: 'cp -r' copies hook files; npm install modifies node_modules
Network NONE WRITE ✗ Violation handler.ts:133 - globalThis.fetch = patchedFetch; sends to green-cip.cn-beijing.…
Environment NONE WRITE ✗ Violation SKILL.md step 3: writes AKSK to openclaw.json env block
Shell NONE WRITE ✓ Aligned SKILL.md step 1: openclaw hooks install command execution implied

File Tree

6 files · 10.7 KB · 282 lines
TypeScript 1f · 170L Markdown 3f · 77L Text 1f · 20L JSON 1f · 15L
├─ 📁 assets
│ └─ 📁 aliyun-ai-guardrail
│ ├─ 📁 hooks
│ │ └─ 📁 aliyun-ai-guardrail
│ │ ├─ 📜 handler.ts TypeScript 170L · 6.2 KB
│ │ └─ 📝 HOOK.md Markdown 8L · 330 B
│ └─ 📋 package.json JSON 15L · 306 B
├─ 📄 LICENSE.txt Text 20L · 1.1 KB
├─ 📝 README.md Markdown 23L · 1.0 KB
└─ 📝 SKILL.md Markdown 46L · 1.8 KB

Dependencies 1 items

PackageVersionSourceKnown VulnsNotes
@alicloud/openapi-client ^0.4.12 npm No Version not pinned; allows updates

Security Positives

✓ MIT License with clear copyright
✓ Detection results are cached to minimize API calls
✓ 1-second timeout on API calls with pass-through on failure
✓ No evidence of credential exfiltration (credentials stay local)