Skill Trust Decision
ekybot-connector
Skill 声称「本地运行无远程代码执行」,但实际通过 execSync 修改 OpenClaw 配置、创建 workspace 文件、安装系统服务。SKILL.md 声称「不发送对话内容」,但 poll-ekybot.js 实际将消息内容 POST 到外部 API。存在文档-行为严重不符的阴影功能。
Most direct threat evidence
01
用户安装 ekybot-connector skill Entry · SKILL.md
02
execSync执行openclaw CLI命令修改配置 Escalation · scripts/ekybot-agent-sync.js
03
创建workspace目录和文件到~/.openclaw/ Escalation · scripts/setup_communication.sh
Why this conclusion was reached
2/4 dimensions flagged Block
Declared vs actual capability
4 undeclared or violating capabilities were inferred.
Review
Hidden execution and egress
23 lower-risk artifacts were extracted and still need context.
Block
Attack chain and severe findings
The report includes 5 attack-chain steps and 2 severe findings.
Pass
Dependencies and supply chain hygiene
Dependencies are present but no obvious high-risk issue stands out.
Attack Chain
01
用户安装 ekybot-connector skill
Entry · SKILL.md:1
02
execSync执行openclaw CLI命令修改配置
Escalation · scripts/ekybot-agent-sync.js:99
03
创建workspace目录和文件到~/.openclaw/
Escalation · scripts/setup_communication.sh:133
04
安装systemd/LaunchAgent系统服务实现持久化
Escalation · scripts/install-poller.sh:68
05
消息内容通过POST外传到Ekybot API
Impact · scripts/poll-ekybot.js:157
What drove the risk score up
文档欺骗 +20
SKILL.md声称「无远程代码执行」但代码通过execSync修改系统配置
阴影功能 +15
未声明的workspace文件创建、服务安装、gateway重启操作
敏感凭证暴露 +10
AGENT_TOKEN硬编码在源码中(dd9fa892b8cd30b5...)
数据外传声明不符 +10
SKILL.md声称不发送对话内容,但实际转发消息内容到外部API
Most important evidence
High Doc Mismatch
文档声明与实际能力严重不符
SKILL.md声称「Runs locally on your machine — no remote code execution」,但代码中多处使用 execSync 执行 openclaw CLI 命令,包括 config set、gateway restart 等系统修改操作。
SKILL.md:104-108:104 更新文档明确声明需要 filesystem:WRITE 和 shell:WRITE 权限,或移除执行系统命令的代码路径
High Doc Mismatch
声称不发送对话内容但实际外传
SKILL.md声称「What is never sent: Actual conversation content or prompts」,但 poll-ekybot.js 会将消息内容通过 forwardToGateway 函数转发到 Ekybot API。
scripts/poll-ekybot.js:95-98:95 更新隐私声明或移除消息内容转发功能
Medium Credential Theft
硬编码 API Token 在源码中
poll-ekybot.js 和 ekybot-agent-sync.js 中硬编码了 AGENT_TOKEN,可能导致凭证泄露风险。
scripts/poll-ekybot.js:14:14 将 Token 移到配置文件或环境变量,避免硬编码
Medium Priv Escalation
未声明的系统服务安装
install-poller.sh 会创建 systemd service 或 LaunchAgent,属于高权限系统级修改,未在 SKILL.md 中声明。
scripts/install-poller.sh:68-95:68 在文档中明确声明需要安装系统服务,或改为用户手动安装
Medium Doc Mismatch
未声明的配置文件写入
setup_communication.sh 会创建 SOUL.md、AGENTS.md、INTER-AGENT-PROTOCOL.md 等文件,并修改 ~/.openclaw/openclaw.json,未在声明中提及。
scripts/setup_communication.sh:133-210:133 在文档中声明会创建和修改的配置文件列表
Low Sensitive Access
收集系统指纹信息
send_telemetry.sh 收集 hostname、platform、CPU usage 等系统信息并上传。
scripts/send_telemetry.sh:108-123:108 明确告知用户收集哪些系统信息
Declared capability vs actual capability
Filesystem Block
Declared NONE
→ Inferred WRITE
scripts/ekybot-agent-sync.js:96 创建workspace目录 Shell Block
Declared NONE
→ Inferred WRITE
scripts/ekybot-agent-sync.js:9 使用execSync执行openclaw CLI Environment Block
Declared NONE
→ Inferred READ
scripts/send_telemetry.sh:108 收集hostname/platform等系统信息 Network Block
Declared READ
→ Inferred WRITE
scripts/poll-ekybot.js:157 将消息POST到Ekybot API Suspicious artifacts and egress
Medium External URL
https://www.ekybot.com SKILL.md:10
Medium External URL
https://www.ekybot.com/companion SKILL.md:51
Medium External URL
https://nodejs.org install.sh:29
Medium External URL
https://docs.openclaw.ai install.sh:35
Medium External URL
https://clawhub.ai/regiomag/ekybot-connector install.sh:139
Medium External URL
https://discord.com/invite/clawd install.sh:140
Medium External URL
https://www.ekybot.com/api references/api.md:8
Medium External URL
https://www.ekybot.com/api/workspaces/register references/api.md:246
Medium External URL
https://www.ekybot.com/api/workspaces/ws_123/health references/api.md:257
Medium External URL
https://www.ekybot.com/api/workspaces/ws_123/telemetry references/api.md:264
Medium External URL
https://my-gateway.example.com references/api.md:452
Medium External URL
https://www.ekybot.com/api/channels references/api.md:456
Dependencies and supply chain
| Package | Version | Source | Known vuln | Notes |
|---|---|---|---|---|
| node-fetch | ^3.3.2 | npm | No | 使用fetch而非XMLHttpRequest,符合现代安全实践 |
| ws | ^8.14.2 | npm | No | WebSocket库 |
| dotenv | ^16.3.1 | npm | No | 环境变量加载库 |
| chalk | ^4.1.2 | npm | No | 终端颜色输出库 |
File composition
19 files · 3951 lines
Shell 9 files · 2013 linesMarkdown 5 files · 1366 linesJavaScript 2 files · 498 linesJSON 3 files · 74 lines
Files of concern · 8
scripts/setup_communication.sh https://ekybot.com
references/api.md https://www.ekybot.com/api · https://www.ekybot.com/api/workspaces/register · https://www.ekybot.com/api/workspaces/ws_123/health · https://www.ekybot.com/api/workspaces/ws_123/telemetry · https://my-gateway.example.com · https://www.ekybot.com/api/channels · https://www.ekybot.com/api/messages
scripts/poll-ekybot.js http://127.0.0.1:18789
references/troubleshooting.md https://www.ekybot.com/api/workspaces/YOUR_ID/health · https://www.ekybot.com/api/workspaces/YOUR_ID/telemetry · [email protected]
scripts/validate_setup.sh https://www.ekybot.com/api/workspaces/$workspace_id/health
scripts/send_telemetry.sh https://www.ekybot.com/api/workspaces/$WORKSPACE_ID/telemetry
SKILL.md https://www.ekybot.com · https://www.ekybot.com/companion
scripts/install-poller.sh http://www.apple.com/DTDs/PropertyList-1.0.dtd · https://www.ekybot.com/api/agents
Other files · ekybot-agent-sync.js · start_telemetry.sh · INTER-AGENT-PROTOCOL.md · health_check.sh
Security positives
代码结构清晰,主要功能是合法的代理-云端通信桥接
使用 HTTPS 进行网络通信
配置文件使用 chmod 600 保护 API key
有健康检查和验证脚本
支持卸载功能