Suspicious: risk score 65/100
Last scan: 2 days ago
aliyun-ai-guardrail
Install and configure Alibaba Cloud AI guardrail hook for LLM security
Skill collects Alibaba Cloud credentials and sends user message content to an undeclared Chinese cloud endpoint via global fetch interception, with significant doc-to-code mismatch.
Skill name: aliyun-ai-guardrail
Analysis time: 46.5s
Engine: pi
Verdict: use with caution
Do not install this skill until vendor verification. Request explicit disclosure of all network destinations and fetch interception behavior. Consider self-hosted alternatives for AI safety guardrails.

Attack chain (4 steps)

1. Privilege escalation: User installs the skill via openclaw (SKILL.md:11)
2. Privilege escalation: Skill copies the hook to a temp dir and runs npm install (SKILL.md:12)
3. Privilege escalation: Hook registers on the agent:bootstrap event and patches globalThis.fetch (assets/aliyun-ai-guardrail/hooks/aliyun-ai-guardrail/handler.ts:133)
4. Privilege escalation: User message content (up to 2000 chars) is intercepted and sent to green-cip.cn-beijing.aliyuncs.com (assets/aliyun-ai-guardrail/hooks/aliyun-ai-guardrail/handler.ts:43)

Security findings (5)

Severity: High
Finding: Global fetch interception not declared
handler.ts globally patches globalThis.fetch, so every HTTP request made by the process is intercepted, not only LLM requests. SKILL.md mentions only that the hook will 'intercept LLM requests' and does not disclose the global fetch override.
Evidence: globalThis.fetch = patchedFetch;
Recommendation: Disclose the global fetch patching in SKILL.md, or refactor to a more targeted interception method
Location: assets/aliyun-ai-guardrail/hooks/aliyun-ai-guardrail/handler.ts:133

Severity: High
Finding: Undeclared network destination
SKILL.md does not mention the Alibaba Cloud endpoint (green-cip.cn-beijing.aliyuncs.com). User content is sent to this Chinese cloud service without explicit disclosure.
Evidence: config.endpoint = `green-cip.cn-beijing.aliyuncs.com`;
Recommendation: Document every external API endpoint explicitly in SKILL.md
Location: assets/aliyun-ai-guardrail/hooks/aliyun-ai-guardrail/handler.ts:10

Severity: High
Finding: User content exfiltration to a foreign jurisdiction
Up to 2000 characters of each user message are sent to Alibaba Cloud in China. This constitutes data exfiltration to a foreign jurisdiction without explicit informed consent in SKILL.md.
Evidence: body['ServiceParameters'] = JSON.stringify({ content: content.slice(0, 2000) });
Recommendation: Obtain explicit user consent for transmission of data to Alibaba Cloud, and disclose the data retention policy
Location: assets/aliyun-ai-guardrail/hooks/aliyun-ai-guardrail/handler.ts:43

Severity: Medium
Finding: Credential harvesting pattern
The skill prompts users for an Alibaba Cloud AccessKey ID and AccessKey Secret and stores them in openclaw.json. The credentials are needed for the service, but the collection method and storage location should be clearly documented together with their security implications.
Evidence: Ask the user for their Alibaba Cloud AccessKey ID and AccessKey Secret
Recommendation: Add guidance on credential security and consider recommending least-privilege IAM roles
Location: SKILL.md:27

Severity: Low
Finding: Unpinned dependency version
@alicloud/openapi-client uses a caret version range (^0.4.12), so newer releases within that range are installed automatically
Evidence: "@alicloud/openapi-client": "^0.4.12"
Recommendation: Pin exact versions for reproducible builds and supply chain security
Location: assets/aliyun-ai-guardrail/package.json:11
Permissions (resource type, declared permission, inferred permission, status, evidence)

File system: declared READ, inferred WRITE, status ✗ exceeds declaration. Evidence: SKILL.md step 1: 'cp -r' copies hook files; npm install modifies node_modules
Network access: declared NONE, inferred WRITE, status ✗ exceeds declaration. Evidence: handler.ts:133 - globalThis.fetch = patchedFetch; sends to green-cip.cn-beijing.…
Environment variables: declared NONE, inferred WRITE, status ✗ exceeds declaration. Evidence: SKILL.md step 3: writes AKSK to openclaw.json env block
Command execution: declared NONE, inferred WRITE, status ✓ consistent. Evidence: SKILL.md step 1: openclaw hooks install command execution implied

Directory structure

6 files · 10.7 KB · 282 lines
TypeScript: 1 file, 170 lines · Markdown: 3 files, 77 lines · Text: 1 file, 20 lines · JSON: 1 file, 15 lines
├─ 📁 assets
│  └─ 📁 aliyun-ai-guardrail
│     ├─ 📁 hooks
│     │  └─ 📁 aliyun-ai-guardrail
│     │     ├─ 📜 handler.ts  TypeScript 170L · 6.2 KB
│     │     └─ 📝 HOOK.md  Markdown 8L · 330 B
│     └─ 📋 package.json  JSON 15L · 306 B
├─ 📄 LICENSE.txt  Text 20L · 1.1 KB
├─ 📝 README.md  Markdown 23L · 1.0 KB
└─ 📝 SKILL.md  Markdown 46L · 1.8 KB

Dependency analysis (1)

Package: @alicloud/openapi-client · Version: ^0.4.12 · Source: npm · Known vulnerabilities: none listed · Notes: Version not pinned; allows updates

Security highlights

✓ MIT License with clear copyright
✓ Detection results are cached to minimize API calls
✓ 1-second timeout on API calls with pass-through on failure
✓ No evidence of credential exfiltration (credentials stay local)