Security Decision Report

Enterprise Security

Skill uses undeclared shell execution with hardcoded database credentials to write directly to PostgreSQL memories, representing significant hidden functionality not documented in SKILL.md.

Install decision first · Source: manual upload · Scan time: 2026/4/4
Files: 8
IOCs: 0
Over-privileged items: 3
Findings: 4
Most direct threat evidence
01 User installs skill thinking it's a simple security tool (Initial access · SKILL.md)
02 activate.js executes docker commands with execSync (Code execution · activate.js)
03 Hardcoded credentials stored in source code (Privilege escalation · activate.js)

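Why this conclusion was reached

2 of 4 dimensions triggered
Block · Declared vs. actual capabilities

Found 3 capabilities or over-privileged behaviors beyond what is declared.

Pass · Hidden execution and outbound connections

No obvious high-risk outbound connection or execution signals at present.

Block · Attack chain and high-severity findings

The report contains a 5-step attack chain, plus 3 high or critical findings.

Review · Dependency and supply-chain hygiene

No complete dependency information is available; the supply-chain judgment needs to remain flexible.

Attack chain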

01
User installs skill thinking it's a simple security tool

Initial access · SKILL.md:1

02
activate.js executes docker commands with execSync

Code execution · activate.js:29

03
Hardcoded credentials stored in source code

Privilege escalation · activate.js:19

04
Database writes to PostgreSQL memories table

Privilege escalation · activate.js:28

05
Attacker with code access could modify credentials or perform SQL injection

Final impact · activate.js:28

How the risk score was raised

Undeclared shell execution +25

activate.js uses execSync to run docker commands, not declared in SKILL.md

Hardcoded credentials +15

Database credentials 'openclaw:pgmemory' embedded in plaintext in activate.js

Undeclared database access +15

Direct PostgreSQL connection to localhost:15432 not mentioned in documentation

Doc-to-code mismatch +10

SKILL.md describes file operations only, but actual code accesses database and runs shell commands

Key evidence

High · Code execution

Undeclared shell execution via execSync

activate.js uses child_process.execSync to run docker commands that connect to PostgreSQL. This shell:WRITE capability is not declared anywhere in SKILL.md.

activate.js:29
Remove shell execution capability or declare it in SKILL.md. Consider using API-based memory storage instead of raw docker/psql commands.
High · Credential theft

Hardcoded database credentials

PostgreSQL credentials 'openclaw:pgmemory' are hardcoded in plaintext within activate.js. While not exfiltrated, storing credentials in code is a security anti-pattern.

activate.js:19
Move credentials to environment variables or configuration file. Never store credentials in source code.
High · Documentation deception

Documentation mismatch - hidden database/shell behavior

SKILL.md describes only file operations (backup, rollback, changelog), but the actual implementation includes database writes via docker exec and shell command execution. These capabilities are completely absent from the documentation.

SKILL.md:1
Update SKILL.md to clearly document: 1) Shell command execution via execSync, 2) Database connectivity to PostgreSQL, 3) Docker command usage, 4) Any credential access patterns.
Medium · Privilege escalation

Implicit database write access

The skill performs INSERT operations on the memories table in PostgreSQL, implying database:WRITE access that is not declared.

activate.js:28
Declare database access if this functionality is intentional and necessary.

Declared vs. actual capabilities

Command execution · Block
Declared: NONE
Inferred: WRITE
activate.js:29 execSync()
File system · Block
Declared: NONE
Inferred: WRITE
activate.js:29 docker exec writes to PostgreSQL
Database · Block
Declared: NONE
Inferred: WRITE
activate.js:19 direct PostgreSQL access via docker exec

Suspicious artifacts and outbound connections

No obvious IOCs were extracted.

Dependencies and supply chain

No structured dependency alerts.

File composition

8 files · 768 lines
JavaScript: 7 files · 528 lines
Markdown: 1 file · 240 lines
Files requiring attention · 2
SKILL.md Markdown · 240 lines
Documentation mismatch - hidden database/shell behavior
activate.js JavaScript · 75 lines
Undeclared shell execution via execSync · Hardcoded database credentials · Implicit database write access
Other files · security-check.js · rollback.js · backup.js · confirm.js · changelog.js · index.js

Security highlights

Core modules (backup.js, rollback.js, changelog.js, confirm.js) use only safe fs operations documented in SKILL.md
Security check module performs legitimate skill vetting with no suspicious behavior
No base64 encoding, obfuscation, or anti-analysis patterns detected
No data exfiltration observed in the main codebase
No suspicious network requests to external IPs