Security Decision Report

aliyun-ai-guardrail

Skill collects Alibaba Cloud credentials and sends user message content to an undeclared Chinese cloud endpoint via global fetch interception, with significant doc-to-code mismatch.

Install decision first · Source: manual upload · Scanned: 2026/4/3
Files 6
IOCs 0
Overreach items 3
Findings 5
Most direct threat evidence
01
User installs skill via openclaw delivery · SKILL.md
02
Skill copies hook to temp dir and runs npm install delivery · SKILL.md
03
Hook registers on agent:bootstrap event and patches globalThis.fetch privilege escalation · assets/aliyun-ai-guardrail/hooks/aliyun-ai-guardrail/handler.ts

Why this conclusion

2 of 4 dimensions triggered
Block
Declared vs. actual capabilities

3 capabilities or overreach behaviours found beyond what is declared.

Pass
Hidden execution and outbound connections

No obvious high-risk outbound-connection or execution signals at present.

Block
Attack chain and high-risk findings

The report contains a 4-step attack chain plus 3 further high or critical findings.

Review
Dependency and supply-chain hygiene

1 dependency or supply-chain lead requires attention.

Attack chain

01
User installs skill via openclaw

delivery · SKILL.md:11

02
Skill copies hook to temp dir and runs npm install

delivery · SKILL.md:12

03
Hook registers on agent:bootstrap event and patches globalThis.fetch

privilege escalation · assets/aliyun-ai-guardrail/hooks/aliyun-ai-guardrail/handler.ts:133

04
User message content (up to 2000 chars) intercepted and sent to green-cip.cn-beijing.aliyuncs.com

data exfiltration · assets/aliyun-ai-guardrail/hooks/aliyun-ai-guardrail/handler.ts:43
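
The two interception shapes the chain above contrasts, as an added example in TypeScript (this is not code from the scanned skill or from the scanner). installGlobalFetchHook reproduces the reported pattern of reassigning fetch on a host object; passing globalThis is the undeclared global patch the chain attributes to handler.ts:133. wrapLlmClient is one targeted alternative of the kind the high finding recommends. The forward callback stands in for the call to the moderation endpoint, the fake host, client and URLs are constructed, and nothing here touches the network.

```typescript
// Added example: global fetch interception vs. a targeted wrapper.
// Not the skill's code; `forward` stands in for the remote moderation call.

type FetchLike = (input: string, init?: { method?: string; body?: string }) => Promise<unknown>;

interface Captured { url: string; excerpt: string }

const MAX_EXCERPT = 2000; // the report's "up to 2000 chars"

// Pull a text excerpt out of a request the way a body-sniffing hook would.
function excerptOf(init?: { body?: string }): string | null {
  if (!init || typeof init.body !== "string") return null;
  return init.body.slice(0, MAX_EXCERPT);
}

// Pattern 1 (what the chain attributes to handler.ts:133): replace `fetch` on a
// host object. With host = globalThis every caller sharing that global is
// intercepted, LLM-bound or not. Returns an uninstall function.
function installGlobalFetchHook(
  host: { fetch: FetchLike },
  forward: (c: Captured) => void,
): () => void {
  const original = host.fetch;
  const patched: FetchLike = (input, init) => {
    const excerpt = excerptOf(init);
    if (excerpt !== null) forward({ url: input, excerpt }); // side channel first
    return original(input, init);                           // then pass through
  };
  host.fetch = patched;
  return () => { host.fetch = original; };
}

// Pattern 2 (targeted): wrap only the client that talks to the LLM. Other
// fetch callers in the process are never seen by the hook.
function wrapLlmClient(
  client: { send: (prompt: string) => Promise<unknown> },
  forward: (c: Captured) => void,
) {
  return {
    send(prompt: string) {
      forward({ url: "llm", excerpt: prompt.slice(0, MAX_EXCERPT) });
      return client.send(prompt);
    },
  };
}

// Constructed stand-in for the runtime's fetch: records URLs, no network.
function makeFakeHost() {
  const calls: string[] = [];
  const host: { fetch: FetchLike } = {
    fetch: (input) => { calls.push(input); return Promise.resolve({ ok: true }); },
  };
  return { host, calls };
}

// Demonstration: under the global hook an unrelated telemetry POST is captured
// (and truncated) exactly like the LLM request; under the targeted wrapper it
// is not. Excerpts are forwarded synchronously, before the original fetch runs.
function demo() {
  const longBody = "x".repeat(5000); // constructed oversized body

  const globalCaptured: Captured[] = [];
  const { host, calls } = makeFakeHost();
  const uninstall = installGlobalFetchHook(host, c => globalCaptured.push(c));
  void host.fetch("https://llm.example/v1/chat", { method: "POST", body: "hello" });
  void host.fetch("https://telemetry.example/ingest", { method: "POST", body: longBody });
  void host.fetch("https://static.example/asset.js"); // no body: not forwarded
  uninstall();

  const targetedCaptured: Captured[] = [];
  const llm = wrapLlmClient({ send: () => Promise.resolve("ok") }, c => targetedCaptured.push(c));
  void llm.send("hello");
  void host.fetch("https://telemetry.example/ingest", { method: "POST", body: longBody });

  return { globalCaptured, targetedCaptured, originalCalls: calls.length };
}
```

Calling demo() shows the asymmetry the finding rests on: the global hook forwards two excerpts, one of them the telemetry body cut to 2000 characters, while the targeted wrapper forwards only the prompt handed to the LLM client. That is the gap between "intercept LLM requests" in SKILL.md and what a globalThis.fetch override actually sees.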

How the risk score was raised

Global fetch interception +20

SKILL.md nowhere mentions that handler.ts patches globalThis.fetch to intercept ALL HTTP requests

Undeclared network destination +15

Content sent to green-cip.cn-beijing.aliyuncs.com - not mentioned in SKILL.md

Data exfiltration to foreign cloud +15

User message content (up to 2000 chars) sent to Alibaba Cloud in China

Credential harvesting +10

Skill explicitly collects an AccessKey ID/Secret pair (AKSK) and stores it in openclaw.json without explaining why it is needed

Unpinned npm dependencies +5

@alicloud/openapi-client is declared as ^0.4.12, which resolves to any 0.4.x release >= 0.4.12 (caret on a 0.x version freezes the minor, not the patch)

Key evidence

High

Global fetch interception not declared

handler.ts patches globalThis.fetch, so every HTTP request made through the runtime's fetch passes through the hook, not only LLM requests. SKILL.md only says the skill will 'intercept LLM requests' and never discloses the global override mechanism.

assets/aliyun-ai-guardrail/hooks/aliyun-ai-guardrail/handler.ts:133
Disclose global fetch patching in SKILL.md or refactor to use a more targeted interception method
High

Undeclared network destination

SKILL.md does not mention the Alibaba Cloud endpoint (green-cip.cn-beijing.aliyuncs.com). User content is sent to this Chinese cloud service without explicit disclosure.

assets/aliyun-ai-guardrail/hooks/aliyun-ai-guardrail/handler.ts:10
Add explicit documentation of all external API endpoints in SKILL.md
High

User content exfiltration to foreign jurisdiction

Up to 2000 characters of user message content is sent to Alibaba Cloud in China. This constitutes data exfiltration to a foreign jurisdiction without explicit informed consent in SKILL.md.

assets/aliyun-ai-guardrail/hooks/aliyun-ai-guardrail/handler.ts:43
Obtain explicit user consent for data transmission to Alibaba Cloud; add data retention policy disclosure
Medium

Credential harvesting pattern

The skill prompts users for Alibaba Cloud AccessKey ID and Secret and stores them in openclaw.json. While credentials are needed for the service, the collection method and storage location should be clearly documented with security considerations.

SKILL.md:27
Add guidance about credential security and consider recommending least-privilege RAM (Alibaba Cloud IAM) users or roles
Low

Unpinned dependency version

@alicloud/openapi-client uses a caret range (^0.4.12); because the major is 0, this admits any 0.4.x release >= 0.4.12 (patch updates), not minor updates

assets/aliyun-ai-guardrail/package.json:11
Pin an exact version (and commit a lockfile, installing with npm ci) for reproducible builds and supply-chain security
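
What the caret range on @alicloud/openapi-client actually admits, as an added example in TypeScript implementing the npm semver caret rule (this is neither the scanner's nor the skill's code, and the published-version list is constructed, not the package's real release history):

```typescript
// Added example: the npm semver caret rule, used to state precisely which
// versions a "^x.y.z" range lets a fresh `npm install` pull in.
// The leftmost non-zero component is frozen; everything right of it may rise.

type Semver = [number, number, number];

function parse(v: string): Semver {
  const m = /^v?(\d+)\.(\d+)\.(\d+)$/.exec(v.trim());
  if (!m) throw new Error(`not a plain x.y.z version: ${v}`);
  return [Number(m[1]), Number(m[2]), Number(m[3])];
}

function cmp(a: Semver, b: Semver): number {
  for (let i = 0; i < 3; i++) if (a[i] !== b[i]) return a[i] - b[i];
  return 0;
}

// Exclusive upper bound of ^lo.
function caretUpperBound([maj, min, pat]: Semver): Semver {
  if (maj > 0) return [maj + 1, 0, 0];   // ^1.2.3 -> <2.0.0
  if (min > 0) return [0, min + 1, 0];   // ^0.4.12 -> <0.5.0
  return [0, 0, pat + 1];                // ^0.0.3 -> <0.0.4
}

// Does `candidate` satisfy `range` ("^x.y.z")? Pre-release tags are out of scope.
function satisfiesCaret(range: string, candidate: string): boolean {
  if (!range.startsWith("^")) throw new Error("only caret ranges handled here");
  const lo = parse(range.slice(1));
  const v = parse(candidate);
  return cmp(v, lo) >= 0 && cmp(v, caretUpperBound(lo)) < 0;
}

// Human-readable window, e.g. "^0.4.12" -> ">=0.4.12 <0.5.0".
function caretWindow(range: string): string {
  const lo = parse(range.slice(1));
  return `>=${lo.join(".")} <${caretUpperBound(lo).join(".")}`;
}

// Given the version a lockfile resolved, which published versions could a
// fresh install without that lockfile silently drift to?
function driftAllowed(range: string, locked: string, published: string[]): string[] {
  return published.filter(p => satisfiesCaret(range, p) && cmp(parse(p), parse(locked)) > 0);
}

// Constructed list of published versions (not real @alicloud/openapi-client releases).
const PUBLISHED = ["0.4.11", "0.4.12", "0.4.13", "0.4.20", "0.5.0", "1.0.0"];
```

caretWindow("^0.4.12") yields ">=0.4.12 <0.5.0": with a 0.x major the minor is frozen and only the patch component may drift, so the exposure is to future 0.4.x releases rather than to "any version". driftAllowed over the constructed list returns 0.4.13 and 0.4.20 and excludes 0.5.0. Pinning an exact version, or committing a lockfile and installing with npm ci, closes even that window.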

Declared vs. actual capabilities

Dimension            Verdict   Declared   Inferred   Evidence
Filesystem           Block     READ       WRITE      SKILL.md step 1: 'cp -r' copies hook files; npm install writes node_modules
Network access       Block     NONE       WRITE      handler.ts:133 - globalThis.fetch = patchedFetch; sends to green-cip.cn-beijing.aliyuncs.com
Environment vars     Block     NONE       WRITE      SKILL.md step 3: writes the AKSK into the openclaw.json env block
Command execution    Pass      NONE       WRITE      SKILL.md step 1: the openclaw hooks install step implies command execution

Suspicious artifacts and outbound connections

No obvious IOCs extracted. (The endpoint green-cip.cn-beijing.aliyuncs.com is recorded under the attack chain and key evidence rather than as an IOC.)

Dependencies and supply chain

Package                    Version   Source   Vulnerabilities   Notes
@alicloud/openapi-client   ^0.4.12   npm      -                 Not pinned; caret admits any 0.4.x release >= 0.4.12

File composition

6 files · 282 lines
TypeScript 1 file · 170 lines; Markdown 3 files · 77 lines; Text 1 file · 20 lines; JSON 1 file · 15 lines
Files of concern · 3
assets/aliyun-ai-guardrail/hooks/aliyun-ai-guardrail/handler.ts TypeScript · 170 lines
Global fetch interception not declared · Undeclared network destination · User content exfiltration to foreign jurisdiction
SKILL.md Markdown · 46 lines
Credential harvesting pattern
assets/aliyun-ai-guardrail/package.json JSON · 15 lines
Unpinned dependency version
Other files · LICENSE.txt · README.md · HOOK.md

Security highlights

MIT License with clear copyright
Detection results are cached to minimize API calls
1-second timeout on API calls with pass-through on failure (note that this is fail-open: when the moderation endpoint is slow or unreachable, content passes through unscreened)
No evidence of credential exfiltration (credentials stay local)