Security decision report

research-archive-query

The skill is a legitimate research-archive query tool but has a significant doc-to-code mismatch: SKILL.md does not declare that it uses shell:WRITE (subprocess calls that invoke external scripts), and it depends on unsandboxed external scripts that live outside its own codebase.

Install decision first · Source: manual upload · Scan time: 2026/4/5
Files: 7
IOCs: 0
Over-privileged items: 3
Findings: 4
Most direct threat evidence

Why this conclusion

1 of 4 dimensions triggered

Block · Declared vs actual capabilities
3 capabilities or over-privileged behaviours found beyond what is declared.

Pass · Hidden execution and outbound connections
No obvious high-risk outbound-connection or execution signals.

Pass · Attack chain and high-risk findings
No clear malicious path is formed.

Review · Dependencies and supply-chain hygiene
No complete dependency information; the supply-chain judgement should be kept provisional.

How the risk score was raised

Undeclared shell execution via subprocess +20

SKILL.md declares only filesystem access (for report output), but the code uses subprocess to invoke external scripts in unified_query.py, registry.py, and publish_skill.py

Dynamic import of external scripts without verification +10

Code imports from alphapai-scraper scripts via dynamic WORKSPACE_ROOT path, no integrity checks

Hardcoded external script paths +8

ALPHAPAI_QUERY_SCRIPT and KB_ENGINE_SCRIPT point to unsandboxed external scripts that could contain arbitrary code

No dependency pinning +5

No requirements.txt or pinned dependencies found

Legitimate tool design with benign intent -10

No credential theft, data exfiltration to external IPs, or obfuscation observed

Key evidence

Medium · Documentation deception

Undeclared subprocess/shell execution

SKILL.md does not declare shell:WRITE capability. The skill uses subprocess.run() in unified_query.py (line 76), registry.py (via adapter commands), and publish_skill.py (line 58) to execute external CLI tools. This is a doc-to-code mismatch.

scripts/unified_query.py:76
Update SKILL.md to explicitly declare shell:WRITE for subprocess execution of archive query scripts.
Medium · Supply chain

Dynamic import from external workspace scripts

The skill imports run_ai_analysis and load_settings from alphapai-scraper scripts via dynamic path calculation (WORKSPACE_ROOT / 'skills/alphapai-scraper/scripts'). These external scripts are not bundled or verified.

scripts/unified_query.py:29
Either bundle required functions or verify script integrity before importing. Document the external dependency on alphapai-scraper.
Medium · Documentation deception

Hardcoded external script paths with no integrity verification

registry.py hardcodes paths to ALPHAPAI_QUERY_SCRIPT and KB_ENGINE_SCRIPT pointing to scripts outside the skill's control. No checks verify these scripts haven't been tampered with.

scripts/registry.py:14
Add path existence checks or hash verification before executing external scripts.
Low · Supply chain

No dependency pinning

No requirements.txt, package.json, or Cargo.toml was found. The only modules observed (json, subprocess, pathlib) are part of the Python standard library, so there are currently no third-party dependencies to pin.

scripts/unified_query.py:1
Create a requirements.txt or pyproject.toml to pin any third-party dependencies.
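The two supply-chain findings above (the dynamic import from alphapai-scraper scripts and the hardcoded ALPHAPAI_QUERY_SCRIPT / KB_ENGINE_SCRIPT paths) both recommend verifying external scripts before they are executed or imported. The following is an added example of one way to do that; it is not code from the research-archive-query skill or its repository. It pins a SHA-256 per script in a manifest, confines each path to the workspace root after resolving symlinks, hashes the exact bytes that will run, and feeds those bytes to the interpreter on stdin so the file cannot be swapped between the check and the execution. The manifest layout, the helper names and the sample script are assumptions constructed for the example.

```python
"""Added example, not code from the research-archive-query skill.

Pin-and-verify for external scripts: SHA-256 manifest, path containment after
symlink resolution, and execution of the verified bytes (not the path) so a
write between check and exec cannot change what runs (TOCTOU).
Manifest layout, helper names and the sample script are assumptions.
"""
import hashlib
import subprocess
import sys
import tempfile
from pathlib import Path
from typing import Dict


class UntrustedScript(Exception):
    """Raised when an external script fails the containment or integrity check."""


def load_verified(rel_path: str, workspace_root: Path, manifest: Dict[str, str]) -> bytes:
    """Return the script bytes only if the resolved path stays inside
    workspace_root and the SHA-256 of its content matches the pinned digest."""
    expected = manifest.get(rel_path)
    if expected is None:
        raise UntrustedScript(f"no pinned digest for {rel_path}")
    try:
        root = workspace_root.resolve(strict=True)
        target = (root / rel_path).resolve(strict=True)  # follows symlinks, fails if missing
    except FileNotFoundError as exc:
        raise UntrustedScript(f"cannot resolve {rel_path}") from exc
    if root not in target.parents:
        raise UntrustedScript(f"{target} escapes {root}")
    if not target.is_file():
        raise UntrustedScript(f"{target} is not a regular file")
    data = target.read_bytes()  # hash exactly the bytes that will be executed
    actual = hashlib.sha256(data).hexdigest()
    if actual != expected:
        raise UntrustedScript(f"digest mismatch for {rel_path}: {actual}")
    return data


def run_verified(rel_path: str, workspace_root: Path, manifest: Dict[str, str], *args: str) -> str:
    """Execute the verified bytes with 'python -' (script on stdin) so a later
    write to the file cannot change what runs. Returns the script's stdout."""
    code = load_verified(rel_path, workspace_root, manifest)
    proc = subprocess.run([sys.executable, "-", *args], input=code,
                          capture_output=True, check=True, timeout=30)
    return proc.stdout.decode()


def demo() -> Dict[str, str]:
    """Constructed end-to-end run: pin a script, run it, tamper with it,
    then try a pinned path that resolves outside the workspace root."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp) / "workspace"
        rel = "skills/alphapai-scraper/scripts/query.py"  # constructed, mirrors the report's layout
        script = root / rel
        script.parent.mkdir(parents=True)
        script.write_bytes(b"import sys\nprint('query:' + ' '.join(sys.argv[1:]))\n")
        outside = Path(tmp) / "outside.py"  # sibling of the workspace, reachable via '..'
        outside.write_bytes(b"print('outside')\n")
        manifest = {
            rel: hashlib.sha256(script.read_bytes()).hexdigest(),
            "../outside.py": hashlib.sha256(outside.read_bytes()).hexdigest(),
        }
        results = {"ok": run_verified(rel, root, manifest, "a", "b").strip()}
        script.write_bytes(b"print('tampered')\n")  # simulate tampering after pinning
        for key, path in (("tampered", rel), ("escape", "../outside.py")):
            try:
                run_verified(path, root, manifest)
                results[key] = "executed"
            except UntrustedScript:
                results[key] = "blocked"
        return results


if __name__ == "__main__":
    print(demo())
```

Running a script through `python -` means it has no `__file__` and `sys.argv[0]` is `-`, so a script that locates its siblings relative to itself needs an explicit working directory or environment variable. For the dynamic-import case the same verified bytes can be compiled and executed into a fresh module object instead of extending `sys.path`, which keeps the integrity check on the import path as well.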

Declared capabilities vs actual capabilities

Command execution · Block · declared NONE · inferred WRITE · scripts/unified_query.py:76 - subprocess.run()
Command execution · Block · declared NONE · inferred WRITE · scripts/registry.py:47 - subprocess via build_exact_command()
Command execution · Block · declared NONE · inferred WRITE · scripts/publish_skill.py:58 - subprocess.run(clawhub)
Filesystem · Pass · declared WRITE · inferred WRITE · scripts/unified_query.py:59 - Path.write_text() for reports
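How a row such as "declared NONE / inferred WRITE" can be derived from source, as an added example that is neither the scanner's code nor the skill's: walk the Python AST, resolve import aliases, match each callee's dotted path against rule sets for command execution and `sys.path`-based dynamic import, and diff the result against a declared capability map. The rule sets, capability names, level labels and the sample source are assumptions; the sample mimics the report's findings but is constructed here.

```python
"""Added example, not the scanner's or the skill's code.

Infers 'command_execution' and 'dynamic_import' from a Python source file and
compares them with a declared capability map. Rules, labels and the sample
source below are assumptions constructed for this example.
"""
import ast
from typing import Dict, List, Optional, Tuple

# Constructed rules: callee path -> capability it implies.
RULES: Dict[str, set] = {
    "command_execution": {
        ("subprocess", "run"), ("subprocess", "Popen"), ("subprocess", "call"),
        ("subprocess", "check_call"), ("subprocess", "check_output"),
        ("os", "system"), ("os", "popen"), ("os", "execv"), ("os", "execve"), ("os", "execvp"),
    },
    "dynamic_import": {
        ("importlib", "import_module"), ("builtins", "__import__"),
        ("sys", "path", "insert"), ("sys", "path", "append"),
    },
}
# Level reported when evidence exists (mirrors the report's NONE / WRITE labels).
INFERRED_LEVEL = {"command_execution": "WRITE", "dynamic_import": "EXTERNAL"}

Evidence = Dict[str, List[Tuple[int, str]]]


class CapabilityVisitor(ast.NodeVisitor):
    def __init__(self) -> None:
        self.modules: Dict[str, str] = {}            # local name -> module ("sp" -> "subprocess")
        self.names: Dict[str, Tuple[str, str]] = {}  # local name -> (module, attr) for from-imports
        self.evidence: Evidence = {cap: [] for cap in RULES}

    def visit_Import(self, node: ast.Import) -> None:
        for a in node.names:
            local = a.asname or a.name.split(".")[0]
            self.modules[local] = a.name if a.asname else local

    def visit_ImportFrom(self, node: ast.ImportFrom) -> None:
        for a in node.names:
            self.names[a.asname or a.name] = (node.module or "", a.name)

    def _callee(self, func: ast.expr) -> Optional[Tuple[str, ...]]:
        """Dotted path of the called object with import aliases resolved."""
        if isinstance(func, ast.Name):
            return self.names.get(func.id, ("builtins", func.id))
        parts: List[str] = []
        while isinstance(func, ast.Attribute):
            parts.append(func.attr)
            func = func.value
        if not isinstance(func, ast.Name):
            return None  # e.g. Path("x").write_text(): receiver is a call, not a name
        base = self.modules.get(func.id) or ".".join(self.names.get(func.id, (func.id,)))
        return tuple(base.split(".")) + tuple(reversed(parts))

    def visit_Call(self, node: ast.Call) -> None:
        callee = self._callee(node.func)
        if callee is not None:
            for cap, patterns in RULES.items():
                if callee in patterns:
                    self.evidence[cap].append((node.lineno, ".".join(callee)))
        self.generic_visit(node)  # keep walking: calls nest inside calls


def infer_capabilities(source: str) -> Evidence:
    visitor = CapabilityVisitor()
    visitor.visit(ast.parse(source))
    return visitor.evidence


def compare(declared: Dict[str, str], evidence: Evidence) -> List[Dict[str, str]]:
    """One row per capability whose inferred level differs from the declaration."""
    rows = []
    for cap, hits in evidence.items():
        inferred = INFERRED_LEVEL[cap] if hits else "NONE"
        decl = declared.get(cap, "NONE")
        if inferred != decl:
            rows.append({
                "capability": cap, "declared": decl, "inferred": inferred, "verdict": "BLOCK",
                "evidence": "; ".join(f"line {ln}: {call}()" for ln, call in hits),
            })
    return rows


# Constructed sample that mirrors the report's findings; not the skill's source.
SAMPLE = """import sys, subprocess
from pathlib import Path

WORKSPACE_ROOT = Path.home() / "workspace"
sys.path.insert(0, str(WORKSPACE_ROOT / "skills/alphapai-scraper/scripts"))
from ai_analysis import run_ai_analysis  # resolvable only because of line 5

def run_query(script, query):
    return subprocess.run([sys.executable, script, query], capture_output=True, text=True)

def save(report):
    Path("report.md").write_text(report)
"""
# Constructed declaration: what a SKILL.md for the sample claims.
DECLARED = {"command_execution": "NONE", "filesystem": "WRITE"}


def audit_sample() -> List[Dict[str, str]]:
    return compare(DECLARED, infer_capabilities(SAMPLE))


if __name__ == "__main__":
    for row in audit_sample():
        print(row)
```

Alias resolution is what makes the check hard to dodge with `import subprocess as sp` or `from subprocess import run as r`; calls on a computed receiver (`getattr(subprocess, name)(...)`) are deliberately returned as no match and would need a separate rule for `getattr` on a known module.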

Suspicious artifacts and outbound connections

No obvious IOCs were extracted.

Dependencies and supply chain

No structured dependency alerts.

File composition

7 files · 849 lines
Python · 5 files · 754 lines
Markdown · 1 file · 88 lines
YAML · 1 file · 7 lines
Files needing attention · 2
scripts/unified_query.py · Python · 368 lines
Undeclared subprocess/shell execution · Dynamic import from external workspace scripts · No dependency pinning
scripts/registry.py · Python · 135 lines
Hardcoded external script paths with no integrity verification
Other files · adapter_template.py · publish_skill.py · SKILL.md · package_skill.py · openai.yaml

Security highlights

No credential harvesting or sensitive path access observed
No base64 encoding, eval(), or obfuscation detected
No curl|bash or wget|sh remote script execution
No direct IP network requests or C2 communication
No hidden instructions in HTML comments or documentation
File writes are limited to a controlled output directory in ~/.openclaw/data/
subprocess is used for legitimate CLI tool invocation (alphapai-scraper, kb_engine, clawhub)