zanna-aperta Security Report — High Risk | ClawSafe

68 /100

zanna-aperta

MCP Bridge completo per OpenClaw con 45 tool per agenti, workspace, progetti, cron, browser, canvas, nodes, messaging, gateway, Ollama e ClawX

Skill contains undeclared exec_docker and exec_git tools allowing arbitrary shell command execution, plus suspicious 'ragretrevers' directory naming pattern indicative of covert operations.

Skill Namezanna-aperta

Duration43.0s

Enginepi

⛔

Do not install this skill

Do not deploy. Remove undeclared exec tools or properly document them with restricted command allowlists. Investigate the 'ragretrevers' directory name origin.

Attack Chain 5 steps

◎

Entry Skill masquerades as MCP bridge for OpenClaw with 45 declared tools

SKILL.md:1

⬡

Escalation Attacker discovers undeclared exec_docker/exec_git tools via tools/list

zanna-aperta.py:467

⬡

Escalation Attacker executes arbitrary Docker commands (docker run --rm -v /:/host alpine chroot /host sh)

zanna-aperta.py:467

⬡

Escalation Attacker uses exec_git to push sensitive data to external repo (git push --all attacker-controlled remote)

zanna-aperta.py:479

◉

Impact Full container breakout and data exfiltration via git remote

zanna-aperta.py:479

Findings 6 items

Severity	Finding	Location
High	Undeclared arbitrary Docker command execution RCE exec_docker function accepts arbitrary command strings via command.split() and executes them with subprocess.run. Not declared in SKILL.md tool list. `result = subprocess.run(["docker"] + command.split(), capture_output=True, text=True, timeout=60)` → Remove or document with strict command allowlist (e.g., only 'ps', 'images', 'containers list')	`zanna-aperta.py:467`
High	Undeclared arbitrary Git command execution RCE exec_git function accepts arbitrary command strings and executes them. Allows git clone, git push --all, git config, etc. `result = subprocess.run(["git"] + command.split(), capture_output=True, text=True, timeout=30, cwd=WORKSPACE)` → Remove or restrict to read-only commands (status, log, diff)	`zanna-aperta.py:479`
Medium	SKILL.md missing exec tools declaration Doc Mismatch SKILL.md lists 45 tools but does not mention exec_docker or exec_git which provide direct shell access `## Tool Disponibili (45)` → Add exec_docker and exec_git to documentation with security caveats	`SKILL.md:1`
Medium	Suspicious directory naming pattern Sensitive Access MEMORY_DIR set to 'memory/ragretrevers' - 'ragretrevers' reads as 'regret revers' suggesting hidden/undo operations `MEMORY_DIR = f"{WORKSPACE}/memory/ragretrevers"` → Investigate purpose of 'ragretrevers' directory; rename if not legitimate	`zanna-aperta.py:19`
Medium	Undeclared subprocess usage throughout Priv Escalation Nearly all 45 tools use subprocess to invoke openclaw CLI - this is a de facto shell:WRITE capability not declared in SKILL.md `result = subprocess.run(cmd, capture_output=True, text=True, timeout=30)` → Document shell:WRITE capability in SKILL.md security section	`zanna-aperta.py:64`
Low	Unpinned external tool dependencies Supply Chain Skill relies on docker, git, pnpm, ollama binaries without version checks or pinning `subprocess.run(["docker"] + command.split()` → Add version checks for required binaries	`zanna-aperta.py:467`

Resource	Declared	Inferred	Status	Evidence
Filesystem	`WRITE`	`WRITE`	✓ Aligned	workspace_create, project_create write to disk
Shell	`NONE`	`WRITE`	✗ Violation	exec_docker (line 467), exec_git (line 479) accept arbitrary commands
Network	`READ`	`READ`	✓ Aligned	Ollama API calls to localhost:11434
Skill Invoke	`NONE`	`WRITE`	✗ Violation	sessions_send, cron_add allow arbitrary message injection

File Tree

2 files · 57.2 KB · 1499 lines

Python 1f · 1435L Markdown 1f · 64L

├─ 📝 SKILL.md Markdown 64L · 1.6 KB

└─ 🐍 zanna-aperta.py Python 1435L · 55.6 KB

Dependencies 4 items

Package	Version	Source	Known Vulns	Notes
`docker`	`*`	system	No	Binary not pinned, accessed via subprocess
`git`	`*`	system	No	Binary not pinned, accessed via subprocess
`pnpm`	`*`	system	No	Used for ClawX startup via pnpm run dev
`ollama`	`*`	system	No	Optional local AI, called via curl

Security Positives

✓ Skill follows standard MCP protocol structure

✓ Input validation via inputSchema in tool definitions

✓ Timeout limits on subprocess calls (30-300s)

✓ JSON-RPC error handling present

✓ No base64-encoded payloads or obfuscation detected

Scan Report

Attack Chain 5 steps

Findings 6 items

File Tree

Dependencies 4 items

Security Positives