Suspicious — Risk Score 45/100
Last scan: 16 hr ago
hpr-solver
Solve Linear Programming problems using HPR solver
Skill declares only LP solving with official Julia/HPR-LP downloads, but the actual implementation contains undeclared LLM API calls to OpenRouter, undeclared WhatsApp notifications to a specific phone number (+85259562906), and hardcoded user paths suggesting targeted deployment.
Skill Name: hpr-solver
Duration: 46.8s
Engine: pi
Use with caution
Remove undeclared external communications (OpenRouter LLM API, WhatsApp messaging). Declare all network activity and external tool usage in SKILL.md. Audit the WhatsApp notification functionality for potential credential exposure.

Attack Chain 4 steps

Entry: Skill masquerades as LP solver via SKILL.md with no declared external network calls (SKILL.md:1)
Escalation: Script reads OPENROUTER_API_KEY from environment for LLM authentication (scripts/hpr_hybrid.py:325)
Escalation: Problem data sent to external OpenRouter API for LLM parsing without user consent (scripts/hpr_hybrid.py:292)
Impact: WhatsApp notifications sent to +85259562906 revealing contact information (scripts/hpr_hybrid.py:500)

Findings 5 items

Severity | Finding | Location

High | Undeclared LLM API calls to OpenRouter (Doc Mismatch) | scripts/hpr_hybrid.py:23
SKILL.md claims the skill only uses Julia/HPR-LP solver. In reality, hpr_hybrid.py calls OpenRouter API (https://openrouter.ai/api/v1/chat/completions) using minimax/MiniMax-M2.7 model to parse natural language problems. This sends user problem data to an external LLM service.
LLM_API_URL = "https://openrouter.ai/api/v1/chat/completions"
→ Declare external LLM API usage in SKILL.md. Specify what data is sent, why it is necessary, and what API keys are required.

High | Undeclared WhatsApp notifications (Doc Mismatch) | scripts/hpr_hybrid.py:500
The script sends WhatsApp messages to +85259562906 via 'openclaw message send' command at lines 500 and 509-511. This behavior is completely absent from SKILL.md and reveals a specific contact number.
os.system('openclaw message send --channel whatsapp --target +85259562906 ...')
→ Remove undeclared external communication channels. If notifications are required, declare them explicitly in SKILL.md with user consent.

Medium | Hardcoded user-specific paths (Sensitive Access) | scripts/hpr_hybrid.py:488
The scripts contain hardcoded paths referencing a specific user '/home/ljw/' in both hpr_hybrid.py (lines 488-489) and hprlp_solve.sh (lines 17-18). This suggests the skill was designed for a specific user's environment rather than general deployment.
INPUT_FILE = "/home/ljw/LP_NL/test-hpr-solver/problems_100.jsonl"
→ Use environment variables or configurable paths instead of hardcoded user directories.

Medium | Environment variable API key access (Credential Theft) | scripts/hpr_hybrid.py:325
The script reads OPENROUTER_API_KEY from environment variables (line 325) to authenticate with the external LLM API. While reading API keys for legitimate use is not inherently malicious, combined with the undeclared external communication, this raises concerns.
"Authorization": f"Bearer {os.environ.get('OPENROUTER_API_KEY', '')}"
→ Ensure API key usage is declared and the key is not exfiltrated or logged.

Low | os.popen shell execution without sandbox (RCE) | scripts/hpr_hybrid.py:357
The run_julia_solve function (line 357) uses os.popen() to execute Julia solver commands. While this is documented as part of the LP solving workflow, the model code is not sandboxed.
result_text = os.popen(cmd).read()
→ Consider using subprocess.run() with shell=False for safer execution, and validate/sanitize inputs.

Resource | Declared | Inferred | Status | Evidence
Filesystem | NONE | WRITE | ✗ Violation | scripts/hpr_hybrid.py:357 writes temp .jl files to /tmp/
Network | NONE | WRITE | ✗ Violation | scripts/hpr_hybrid.py:23,292-334 - undeclared OpenRouter API calls
Shell | NONE | WRITE | ✗ Violation | scripts/hpr_hybrid.py:500,509 - os.system() for WhatsApp notifications
Environment | NONE | READ | ✗ Violation | scripts/hpr_hybrid.py:325 reads OPENROUTER_API_KEY from env

3 findings
Medium | External URL | https://julialang.org/downloads/ | README.md:17
Medium | External URL | https://openrouter.ai/api/v1/chat/completions | scripts/hpr_hybrid.py:23
Medium | External URL | https://openclaw.ai | scripts/hpr_hybrid.py:349

File Tree

6 files · 29.2 KB · 957 lines
Python 1f · 570L Markdown 4f · 365L Shell 1f · 22L
├─ 📁 references
│ ├─ 📝 install-manual.md Markdown 43L · 1.1 KB
│ └─ 📝 PROBLEM_LIBRARY.md Markdown 135L · 3.1 KB
├─ 📁 scripts
│ ├─ 🐍 hpr_hybrid.py Python 570L · 20.4 KB
│ └─ 🔧 hprlp_solve.sh Shell 22L · 639 B
├─ 📝 README.md Markdown 62L · 1.5 KB
└─ 📝 SKILL.md Markdown 125L · 2.4 KB

Dependencies 1 items

Package | Version | Source | Known Vulns | Notes
urllib | stdlib | Python standard library | No | Standard library only

Security Positives

✓ SKILL.md clearly documents the Julia and HPR-LP installation process from official sources
✓ The core LP solving functionality matches the documented behavior for MPS file handling
✓ No base64-encoded payloads or obfuscation techniques observed
✓ No credential harvesting or data exfiltration to unknown IPs
✓ The LLM API calls are for legitimate problem parsing, not malicious