Security Decision Report

ai-intelligent-asset-management

Skill presents itself as a functional IT asset management system but contains zero executable code, creating a deceptive facade with suspicious embedded metadata.

Installation decision first · Source: manual upload · Scan time: 2026/4/4
Files: 2
IOCs: 0
Over-privilege items: 0
Findings: 3
Most direct threat evidence
01 Skill presents as legitimate IT asset management tool with professional pricing tiers · reconnaissance · SKILL.md
02 Installation instructions reference non-existent requirements.txt and app.py · deception · SKILL.md
03 No code files exist; the skill is purely documentation with no verifiable functionality · concealment · SKILL.md

Why this conclusion was reached

1 of 4 dimensions triggered
Pass
Declared vs. actual capabilities

Declared resources and inferred capabilities are essentially consistent.

Pass
Hidden execution and outbound connections

No obvious high-risk outbound connection or execution signals at present.

Block
Attack chain and high-risk findings

The report contains a 3-step attack chain, plus 2 high-risk or critical findings.

Review
Dependency and supply-chain hygiene

No complete dependency information is available; the supply-chain judgment should remain open.

Attack chain

01 Skill presents as legitimate IT asset management tool with professional pricing tiers
reconnaissance · SKILL.md:1

02 Installation instructions reference non-existent requirements.txt and app.py
deception · SKILL.md:27

03 No code files exist; the skill is purely documentation with no verifiable functionality
concealment · SKILL.md:1

How the risk score was driven up

No executable code despite claiming to be an application +25

SKILL.md references app.py and requirements.txt for installation, but no such files exist in the repository

Embedded metadata in documentation +15

YAML frontmatter with openclaw metadata embedded in SKILL.md is non-standard and suspicious

Doc-to-implementation mismatch +15

Claims to be a functional Python+FastAPI system but contains zero code files

Missing declared dependencies +10

No requirements.txt, no package.json, no dependency declarations

Key evidence

High · Documentation deception

Documentation claims executable application with no code

SKILL.md installation section instructs users to 'pip install -r requirements.txt' and 'python app.py', but neither requirements.txt nor app.py (or any code file) exists in the repository. This is either an abandoned project or a deceptive placeholder.

SKILL.md:27
Verify if this is a legitimate placeholder or if code was intentionally omitted. Report to platform if this is a scam.
High · Documentation deception

Embedded YAML metadata in SKILL.md

SKILL.md contains YAML frontmatter (lines 1-9) with openclaw metadata including 'requires: { bins: [] }'. This non-standard documentation structure is unusual and may contain hidden configurations.

SKILL.md:1
Review why metadata is embedded in SKILL.md instead of skill.json. Verify the 'bins' requirement array is intentionally empty.
Medium · Documentation deception

Description mismatch between SKILL.md and skill.json

SKILL.md describes 'IT 资产管理,硬件/软件全生命周期' (IT asset management, full hardware/software lifecycle) while skill.json has the generic 'AI intelligent ai-intelligent-asset-management'. The inconsistency suggests hasty or deceptive creation.

skill.json:1
Ensure skill metadata is consistent across all documentation files.

Declared capabilities vs. actual capabilities

File system · Pass
Declared: NONE
Inferred: NONE
No code files present to infer capabilities
Network access · Pass
Declared: NONE
Inferred: NONE
No code files present to infer capabilities
Command execution · Pass
Declared: NONE
Inferred: NONE
No code files present to infer capabilities

Suspicious artifacts and outbound connections

No obvious IOCs were extracted.

Dependencies and supply chain

No structured dependency alerts.

File composition

2 files · 58 lines
Markdown 1 file · 51 lines
JSON 1 file · 7 lines
Files needing attention · 2
SKILL.md · Markdown · 51 lines
Documentation claims executable application with no code · Embedded YAML metadata in SKILL.md
skill.json · JSON · 7 lines
Description mismatch between SKILL.md and skill.json

Security highlights

No malicious code files detected (there are no code files at all)
No network exfiltration patterns found
No credential harvesting code present
No reverse shell or C2 infrastructure indicators