Security Decision Report

memolecard-auto

Template-injectable IP parameter enables SSRF with browser session cookie exfiltration to arbitrary external hosts.

Install decision first · Source: manual upload · Scan time: 2026/4/5
Files: 1
IOCs: 1
Over-privileged items: 1
Findings: 3
Most direct threat evidence
01
Attacker invokes the skill with a malicious {{ip}} value pointing to their controlled server (e.g., attacker.com)
Initial entry · SKILL.md
02
Victim uses the skill normally with the attacker-supplied {{ip}} parameter. Fallback download path is triggered because primary download fails
precondition · SKILL.md
03
Script extracts document.cookie and navigator.userAgent from the active agent-browser session
Privilege escalation · SKILL.md

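Why this conclusion was reached

2 of 4 dimensions triggered
Block
Declared vs. actual capabilities

Found 1 capability or over-privileged behavior beyond what is declared.

Review
Hidden execution and outbound connections

Extracted 1 general-risk artifact; it needs to be judged in context.

Block
Attack chain and high-severity findings

The report contains a 4-step attack chain, plus 3 high-severity or critical findings.

Review
Dependency and supply-chain hygiene

No complete dependency information is available, so the supply-chain judgment must remain tentative.

Attack chain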

01
Attacker invokes the skill with a malicious {{ip}} value pointing to their controlled server (e.g., attacker.com)

Initial entry · SKILL.md:10

02
Victim uses the skill normally with the attacker-supplied {{ip}} parameter. Fallback download path is triggered because primary download fails

precondition · SKILL.md:84

03
Script extracts document.cookie and navigator.userAgent from the active agent-browser session

Privilege escalation · SKILL.md:88

04
curl POSTs victim's browser session cookies and user-agent to attacker-controlled BACKUP_SERVER_URL, enabling full session hijacking

Final impact · SKILL.md:90

What raised the risk score

SSRF via user-controlled IP parameter +25

The {{ip}} template parameter is used directly as BACKUP_SERVER_URL, allowing the skill invoker to redirect HTTP requests to any arbitrary URL/IP

Browser session cookie exfiltration to arbitrary host +30

When fallback is triggered, document.cookie from the active browser session is POSTed to the user-supplied BACKUP_SERVER_URL, enabling full session hijacking

User-Agent exfiltration +10

navigator.userAgent is also extracted and sent to the attacker-controlled URL alongside cookies

No documentation of external network behavior +10

SKILL.md contains no description of the fallback download mechanism or the {{ip}} parameter, making this behavior entirely opaque to users

Key evidence

High severity: Credential theft

Browser session cookies exfiltrated to arbitrary URL

The {{ip}} parameter allows the skill invoker to supply any IP address or URL. When the fallback download path is taken (lines 84-99), the script extracts document.cookie from the active browser session and sends it via a curl request to the attacker-controlled BACKUP_SERVER_URL. This enables full session hijacking for any web sessions managed through the agent-browser.

SKILL.md:90
Remove the user-supplied IP parameter entirely. Use a hardcoded, controlled fallback endpoint. Never send session cookies to external URLs controlled by the skill invoker.
High severity: Sensitive access

SSRF via template-injectable IP parameter

The {{ip}} template parameter is used directly as BACKUP_SERVER_URL in a curl request without any validation. An attacker supplying a malicious IP (e.g., an internal network address like 10.0.0.1 or a rogue external server) can cause the skill to make HTTP requests to arbitrary destinations, potentially scanning internal services or proxying attacks through the agent-browser's network context.

SKILL.md:10
Remove the {{ip}} parameter. If a fallback server is needed, it should be a hardcoded, known-safe URL configured by the skill developer, not a user-supplied variable.
High severity: Documentation deception

No documentation of external network behavior or risks

SKILL.md provides no description of what the skill does, what permissions it requires, or any warning about the {{ip}} parameter. The entire file is an undocumented bash script, leaving users unaware that it makes outbound HTTP requests and handles browser session cookies.

SKILL.md:1
Add a proper SKILL.md header with name, description, declared permissions, parameter documentation, and security warnings for the {{ip}} parameter.

Declared vs. actual capabilities

Browser: Pass
Declared: NONE
Inferred: WRITE
SKILL.md:20 — agent-browser --session $SESSION_NAME open
Network access: Block
Declared: NONE
Inferred: WRITE
SKILL.md:88-92 — curl to user-supplied BACKUP_SERVER_URL with session cookies
Command execution: Pass
Declared: NONE
Inferred: WRITE
SKILL.md — entire file is a bash script using agent-browser CLI

Suspicious artifacts and outbound connections

Medium severity: External URL
https://www.memolecard.com/

SKILL.md:5

Dependencies and supply chain

No structured dependency alerts.

File composition

1 file · 153 lines
Markdown: 1 file · 153 lines
Files needing attention · 1
SKILL.md · Markdown · 153 lines
Browser session cookies exfiltrated to arbitrary URL · SSRF via template-injectable IP parameter · No documentation of external network behavior or risks · https://www.memolecard.com/

Security highlights

No obfuscated code or base64 payloads found
No direct reverse shell or arbitrary command injection in the primary flow
No sensitive file paths (ssh, aws, .env) accessed
Script is a simple, readable bash script without hidden complexity