Security Decision Report

zanna-aperta

Skill contains undeclared exec_docker and exec_git tools allowing arbitrary shell command execution, plus suspicious 'ragretrevers' directory naming pattern indicative of covert operations.

Install decision: priority · Source: manual upload · Scan time: 2026/4/4
Files: 2
IOCs: 0
Overreach items: 2
Findings: 6
Most direct threat evidence
01  Skill masquerades as MCP bridge for OpenClaw with 45 declared tools (Initial entry · SKILL.md)
02  Attacker discovers undeclared exec_docker/exec_git tools via tools/list (Internal reconnaissance · zanna-aperta.py)
03  Attacker executes arbitrary Docker commands (docker run --rm -v /:/host alpine chroot /host sh) (Privilege escalation · zanna-aperta.py)

Why this conclusion was reached

2 of 4 dimensions triggered
Block
Declared vs. actual capabilities

Found 2 capabilities or overreaching behaviours beyond what is declared.

Pass
Hidden execution and outbound connections

No obvious high-risk outbound or execution signals at present.

Block
Attack chain and high-risk findings

The report contains a 5-step attack chain and 2 additional high-risk or critical findings.

Review
Dependencies and supply-chain hygiene

Found 4 dependency or supply-chain leads that require attention.

Attack chain

01
Skill masquerades as MCP bridge for OpenClaw with 45 declared tools

Initial entry · SKILL.md:1

02
Attacker discovers undeclared exec_docker/exec_git tools via tools/list

Internal reconnaissance · zanna-aperta.py:467

03
Attacker executes arbitrary Docker commands (docker run --rm -v /:/host alpine chroot /host sh)

Privilege escalation · zanna-aperta.py:467

04
Attacker uses exec_git to push sensitive data to external repo (git push --all attacker-controlled remote)

Privilege escalation · zanna-aperta.py:479

05
Full container breakout and data exfiltration via git remote

Final impact · zanna-aperta.py:479

How the risk score was driven up

Undeclared arbitrary command execution +25

exec_docker and exec_git accept arbitrary string commands not mentioned in SKILL.md

Suspicious directory naming +15

MEMORY_DIR contains 'ragretrevers' (regret revers?) - unconventional naming suggests hidden purpose

Undeclared shell execution +15

SKILL.md does not declare subprocess usage for 45 tools

No command allowlisting +10

exec_docker/git pass raw strings to subprocess with no sanitization

External tool dependencies +8

Relies on docker, git, pnpm, ollama without pinned versions

Key evidence

High · Code execution

Undeclared arbitrary Docker command execution

exec_docker function accepts arbitrary command strings via command.split() and executes them with subprocess.run. Not declared in SKILL.md tool list.

zanna-aperta.py:467
Remove or document with strict command allowlist (e.g., only 'ps', 'images', 'containers list')
High · Code execution

Undeclared arbitrary Git command execution

exec_git function accepts arbitrary command strings and executes them. Allows git clone, git push --all, git config, etc.

zanna-aperta.py:479
Remove or restrict to read-only commands (status, log, diff)
Medium · Documentation deception

SKILL.md missing exec tools declaration

SKILL.md lists 45 tools but does not mention exec_docker or exec_git which provide direct shell access

SKILL.md:1
Add exec_docker and exec_git to documentation with security caveats
Medium · Sensitive access

Suspicious directory naming pattern

MEMORY_DIR set to 'memory/ragretrevers' - 'ragretrevers' reads as 'regret revers' suggesting hidden/undo operations

zanna-aperta.py:19
Investigate purpose of 'ragretrevers' directory; rename if not legitimate
Medium · Privilege escalation

Undeclared subprocess usage throughout

Nearly all 45 tools use subprocess to invoke openclaw CLI - this is a de facto shell:WRITE capability not declared in SKILL.md

zanna-aperta.py:64
Document shell:WRITE capability in SKILL.md security section
Low · Supply chain

Unpinned external tool dependencies

Skill relies on docker, git, pnpm, ollama binaries without version checks or pinning

zanna-aperta.py:467
Add version checks for required binaries

Declared capabilities vs. actual capabilities

File system: Pass
Declared: WRITE
Inferred: WRITE
workspace_create, project_create write to disk
Command execution: Block
Declared: NONE
Inferred: WRITE
exec_docker (line 467), exec_git (line 479) accept arbitrary commands
Network access: Pass
Declared: READ
Inferred: READ
Ollama API calls to localhost:11434
Skill invocation: Block
Declared: NONE
Inferred: WRITE
sessions_send, cron_add allow arbitrary message injection

Suspicious artifacts and outbound connections

No obvious IOCs were extracted.

Dependencies and supply chain

Package   Version   Source   Vulnerabilities   Notes
docker    *         system   (none listed)     Binary not pinned, accessed via subprocess
git       *         system   (none listed)     Binary not pinned, accessed via subprocess
pnpm      *         system   (none listed)     Used for ClawX startup via pnpm run dev
ollama    *         system   (none listed)     Optional local AI, called via curl

File composition

2 files · 1499 lines
Python: 1 file · 1435 lines
Markdown: 1 file · 64 lines
Files requiring attention · 2
zanna-aperta.py  Python · 1435 lines
Undeclared arbitrary Docker command execution · Undeclared arbitrary Git command execution · Suspicious directory naming pattern · Undeclared subprocess usage throughout · Unpinned external tool dependencies
SKILL.md  Markdown · 64 lines
SKILL.md missing exec tools declaration

Security highlights

Skill follows standard MCP protocol structure
Input validation via inputSchema in tool definitions
Timeout limits on subprocess calls (30-300s)
JSON-RPC error handling present
No base64-encoded payloads or obfuscation detected