Security Decision Report

melo-tts-metadata-creator

Skill silently installs multiple undeclared Python packages (torch, whisper, audio-separator, librosa) and executes shell commands (nvidia-smi, pip install) without disclosure in SKILL.md documentation.

Install-decision first · Source: manual upload · Scan time: 2026/4/4
Files: 8
IOCs: 3
Overreach items: 5
Findings: 5
Most direct threat evidence

Why this conclusion was reached

1 of 4 dimensions triggered
Block
Declared vs. actual capabilities

Found 5 capabilities or overreaching behaviors beyond what is declared.

Review
Hidden execution and outbound connections

Extracted 3 general-risk artifacts; they need to be judged in context.

Pass
Attack chain and high-risk findings

No clear malicious path was formed.

Review
Dependencies and supply chain hygiene

Found 7 dependency or supply-chain leads that need attention.

How the risk score was raised

Doc deception - undeclared package installations +20

SKILL.md declares only 'python' as required but silently installs torch, torchaudio, whisper, audio-separator, librosa, pydub, huggingface-hub

Doc deception - undeclared subprocess execution +15

SKILL.md does not mention subprocess/shell usage. env_manager.py runs nvidia-smi and pip install commands

Undeclared network access +10

Downloads PyTorch wheels from pytorch.org and packages from pypi.tuna.tsinghua.edu.cn not mentioned in docs

Undeclared virtual environment creation +5

Creates venv directory and restarts script in venv without disclosure

Key evidence

Medium · Documentation deception
Undeclared silent package installation

SKILL.md metadata declares only 'python' as the required bin, but generate_metadata_list.py:18-20 silently installs openai-whisper, torch, torchaudio via ensure_package.pip() without user consent or documentation.

Location: scripts/generate_metadata_list.py:18
Recommendation: Document all required packages explicitly in SKILL.md or move installation to a documented pre-install step.

Medium · Documentation deception
Undeclared subprocess shell execution

env_manager.py executes multiple shell commands via subprocess (nvidia-smi, pip install) to set up a virtual environment and install dependencies. This is essential functionality that SKILL.md does not mention.

Location: scripts/env_manager.py:79
Recommendation: Document subprocess/shell usage and the virtual environment setup process in SKILL.md.

Medium · Documentation deception
Undeclared extensive package dependencies

env_manager.py lines 188-194 install audio-separator, librosa, pydub and huggingface-hub[tqdm]: 4+ additional packages not declared anywhere.

Location: scripts/env_manager.py:188
Recommendation: Document all dependencies or remove unnecessary packages.

Low · Supply chain
Unpinned package versions

All pip installs in ensure_package.py and env_manager.py use unpinned versions (*). This exposes future updates to supply chain attacks via dependency confusion or typosquatting.

Location: scripts/ensure_package.py:45
Recommendation: Pin package versions to known-good hashes or specific versions.

Low · Documentation deception
Undeclared network access for model downloads

Whisper model downloads to the ./models/ directory (generate_metadata_list.py:47) and PyTorch wheel downloads from external URLs (env_manager.py:148,161) are not disclosed.

Location: scripts/generate_metadata_list.py:47
Recommendation: Document model download behavior and network usage.

Declared capabilities vs. actual capabilities

Capability | Verdict | Declared | Inferred | Evidence
Filesystem | Block | READ | WRITE | scripts/config.py:20 creates LOG_DIR.parent.mkdir
Command execution | Block | NONE | WRITE | scripts/env_manager.py:79 subprocess.check_call pip install
Network access | Block | NONE | READ | scripts/env_manager.py:148 downloads from pytorch.org
Environment variables | Block | NONE | READ | scripts/env_manager.py:45 reads os.getenv(RUNNING_IN_VENV)
Skill invocation | Block | NONE | WRITE | scripts/generate_metadata_list.py:18 ensure_package.pip() auto-installs

Suspicious artifacts and outbound connections

Medium · External URL
https://pypi.tuna.tsinghua.edu.cn/simple
Location: scripts/ensure_package.py:50

Medium · External URL
https://download.pytorch.org/whl/cpu
Location: scripts/env_manager.py:148

Medium · External URL
https://download.pytorch.org/whl/
Location: scripts/env_manager.py:161

Dependencies and supply chain

Package | Version | Source | Vulnerabilities | Notes
openai-whisper | * | pip (auto-installed) | | Silent installation at runtime, not declared in docs
torch | * | pip (auto-installed) | | Downloaded from pytorch.org
torchaudio | * | pip (auto-installed) | | Downloaded from pytorch.org
audio-separator | * | pip (auto-installed) | | Installed in env_manager.py but not required for core functionality
librosa | * | pip (auto-installed) | | Installed but not imported anywhere in the codebase
pydub | * | pip (auto-installed) | | Installed but not imported anywhere in the codebase
huggingface-hub | * | pip (auto-installed) | | Installed but not imported anywhere in the codebase

File composition

8 files · 861 lines
Python: 5 files · 567 lines
Markdown: 2 files · 254 lines
Ignore: 1 file · 40 lines

Files needing attention · 3
scripts/env_manager.py · Python · 235 lines
Undeclared subprocess shell execution · Undeclared extensive package dependencies · https://download.pytorch.org/whl/cpu · https://download.pytorch.org/whl/
scripts/generate_metadata_list.py · Python · 152 lines
Undeclared silent package installation · Undeclared network access for model downloads
scripts/ensure_package.py · Python · 73 lines
Unpinned package versions · https://pypi.tuna.tsinghua.edu.cn/simple
Other files · README.md · logger_manager.py · SKILL.md · config.py · .gitignore

Security highlights

No evidence of credential theft or credential harvesting
No reverse shell or C2 communication patterns detected
No base64-encoded or obfuscated payloads
No access to sensitive paths like ~/.ssh, ~/.aws, or .env files
No malicious persistence mechanisms (cron, startup hooks, backdoors)
Package installation uses reputable sources (pytorch.org, pypi.tuna.tsinghua.edu.cn)
Whisper transcription logic is legitimate and matches stated purpose
Virtual environment creation is a reasonable security practice for dependency isolation