Suspicious: risk score 45/100
Last scanned: 17 hours ago
hpr-solver
Solve Linear Programming problems using HPR solver
The skill declares only LP solving with official Julia/HPR-LP downloads, but the actual implementation contains undeclared LLM API calls to OpenRouter, undeclared WhatsApp notifications to a specific phone number (+85259562906), and hardcoded user paths suggesting a targeted deployment.
Skill name: hpr-solver
Analysis time: 46.8s
Engine: pi
Verdict: use with caution
Remove the undeclared external communications (OpenRouter LLM API, WhatsApp messaging). Declare all network activity and external tool usage in SKILL.md. Audit the WhatsApp notification functionality for potential credential exposure.

Attack chain (4 steps)

1. Entry: the skill masquerades as an LP solver; SKILL.md declares no external network calls (SKILL.md:1)
2. Escalation: the script reads OPENROUTER_API_KEY from the environment to authenticate to the LLM API (scripts/hpr_hybrid.py:325)
3. Escalation: problem data is sent to the external OpenRouter API for LLM parsing without user consent (scripts/hpr_hybrid.py:292)
4. Impact: WhatsApp notifications are sent to +85259562906, exposing a contact number (scripts/hpr_hybrid.py:500)

Security findings (5)

Severity / finding / location

High: Undeclared LLM API calls to OpenRouter (documentation deception)
SKILL.md claims the skill only uses the Julia/HPR-LP solver. In reality, hpr_hybrid.py calls the OpenRouter API (https://openrouter.ai/api/v1/chat/completions) with the minimax/MiniMax-M2.7 model to parse natural-language problems, so user problem data is sent to an external LLM service.
LLM_API_URL = "https://openrouter.ai/api/v1/chat/completions"
→ Declare the external LLM API usage in SKILL.md: what data is sent, why it is necessary, and which API keys are required.
scripts/hpr_hybrid.py:23

High: Undeclared WhatsApp notifications (documentation deception)
The script sends WhatsApp messages to +85259562906 via the 'openclaw message send' command at lines 500 and 509-511. This behaviour is entirely absent from SKILL.md and hardcodes a specific contact number.
os.system('openclaw message send --channel whatsapp --target +85259562906 ...')
→ Remove undeclared external communication channels. If notifications are required, declare them explicitly in SKILL.md and obtain user consent.
scripts/hpr_hybrid.py:500

Medium: Hardcoded user-specific paths (sensitive access)
The scripts contain hardcoded paths under '/home/ljw/' in both hpr_hybrid.py (lines 488-489) and hprlp_solve.sh (lines 17-18), which suggests the skill was built for one user's environment rather than for general deployment.
INPUT_FILE = "/home/ljw/LP_NL/test-hpr-solver/problems_100.jsonl"
→ Use environment variables or configurable paths instead of hardcoded user directories.
scripts/hpr_hybrid.py:488

Medium: Environment-variable API key access (credential theft)
The script reads OPENROUTER_API_KEY from the environment (line 325) to authenticate to the external LLM API. Reading an API key for a declared purpose is not malicious in itself; combined with the undeclared external communication it is a concern, because SKILL.md never discloses that a key is needed or where it is sent.
"Authorization": f"Bearer {os.environ.get('OPENROUTER_API_KEY', '')}"
→ Declare the API key requirement and ensure the key is neither exfiltrated nor logged.
scripts/hpr_hybrid.py:325

Low: os.popen shell execution without sandbox (code execution)
The run_julia_solve function (line 357) builds a command string and runs it through a shell with os.popen(). The Julia invocation itself is part of the documented LP workflow, but the call is not sandboxed, so any untrusted content that reaches the command string becomes shell injection.
result_text = os.popen(cmd).read()
→ Use subprocess.run() with an argument list and shell=False, and validate/sanitize the inputs that feed the command.
scripts/hpr_hybrid.py:357
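The difference the last recommendation points at, shown side by side as an added example (this is not code from the hpr-solver skill): the first function keeps the string-through-a-shell pattern of the finding, the second passes an argv list with shell=False, and a small validator covers the "validate/sanitize inputs" part. The 'echo' command and sys.executable standing in for the julia binary, the hostile input string and the /tmp problem root are assumptions made so the block runs offline.

```python
import os
import subprocess
import sys
from pathlib import Path

# Constructed input (assumption for illustration): an MPS file name as the
# solver wrapper might receive it, carrying shell metacharacters.
HOSTILE_INPUT = "model.mps; echo INJECTED"


def unsafe_run(mps_path: str) -> str:
    """The pattern the finding describes: a command string assembled by
    interpolation and handed to a shell via os.popen(). 'echo' stands in for
    the julia invocation (assumption); the injection mechanics are identical."""
    cmd = f"echo solving {mps_path}"
    return os.popen(cmd).read()  # second command after ';' runs too


def safe_run(mps_path: str, timeout: float = 30.0) -> str:
    """Hardened form: an argv list with shell=False, so the path reaches the
    child as exactly one argument whatever characters it contains.
    sys.executable plays the role of the julia binary (assumption)."""
    argv = [sys.executable, "-c",
            "import sys; print('solving', sys.argv[1])", mps_path]
    proc = subprocess.run(argv, shell=False, capture_output=True, text=True,
                          timeout=timeout, check=True)
    return proc.stdout


def validate_mps_path(user_path: str, root: str) -> str:
    """Input validation: accept only .mps files that resolve inside the
    problem directory, so '../' and absolute paths cannot escape it."""
    root_dir = Path(root).resolve()
    candidate = (root_dir / user_path).resolve()
    if candidate.suffix.lower() != ".mps":
        raise ValueError(f"not an MPS file: {user_path!r}")
    if root_dir not in candidate.parents:
        raise ValueError(f"path escapes {root_dir}: {user_path!r}")
    return str(candidate)


def is_safe_mps_path(user_path: str, root: str) -> bool:
    """Boolean wrapper around validate_mps_path for quick checks."""
    try:
        validate_mps_path(user_path, root)
        return True
    except ValueError:
        return False


if __name__ == "__main__":
    print("shell :", repr(unsafe_run(HOSTILE_INPUT)))   # two lines: injected
    print("argv  :", repr(safe_run(HOSTILE_INPUT)))     # one line: literal arg
    print("inside:", is_safe_mps_path("problems/p1.mps", "/tmp"))
    print("escape:", is_safe_mps_path("../../etc/evil.mps", "/tmp"))
```

The argv form removes the shell entirely, which is what makes the metacharacters inert; quoting the string for the shell would only narrow the problem, and the validator is still needed because a well-formed path can point outside the directory the skill is meant to read.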
Resource type       Declared   Inferred   Status         Evidence
Filesystem          NONE       WRITE      ✗ undeclared   scripts/hpr_hybrid.py:357 writes temporary .jl files to /tmp/
Network access      NONE       WRITE      ✗ undeclared   scripts/hpr_hybrid.py:23,292-334: undeclared OpenRouter API calls
Command execution   NONE       WRITE      ✗ undeclared   scripts/hpr_hybrid.py:500,509: os.system() for WhatsApp notifications
Environment         NONE       READ       ✗ undeclared   scripts/hpr_hybrid.py:325 reads OPENROUTER_API_KEY from the environment
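The declared-versus-inferred comparison in the table above can be reproduced with a small static checker over the script's AST. The following is an added example, not the scanner's own code and not the skill's: SAMPLE_SCRIPT is a constructed stand-in that reproduces the call patterns the findings quote (URL constant, os.environ.get, os.popen, os.system, a write to /tmp), the four resource names mirror the table's rows, and the manifest is assumed to be a plain set of those names, since the page does not show how SKILL.md declares permissions.

```python
import ast
import re

# Constructed stand-in for scripts/hpr_hybrid.py (assumption): it reproduces
# the call patterns the scan quotes, it is not the skill's real source.
SAMPLE_SCRIPT = '''
import os
LLM_API_URL = "https://openrouter.ai/api/v1/chat/completions"

def parse_with_llm(problem):
    headers = {"Authorization": "Bearer " + os.environ.get('OPENROUTER_API_KEY', '')}
    return headers

def run_julia_solve(cmd):
    with open("/tmp/solve.jl", "w") as f:
        f.write("using HPRLP")
    return os.popen(cmd).read()

def notify():
    os.system("openclaw message send --channel whatsapp --target NUMBER --text done")
'''

# Resource types, named after the rows of the permission table.
RESOURCES = ("filesystem_write", "network", "command_execution", "env_read")

SHELL_CALLS = {("os", "system"), ("os", "popen"), ("subprocess", "run"),
               ("subprocess", "Popen"), ("subprocess", "call"),
               ("subprocess", "check_output")}
URL_RE = re.compile(r"^https?://")


def _dotted(node):
    """('os', 'popen') for the expression os.popen, else None."""
    if isinstance(node, ast.Attribute) and isinstance(node.value, ast.Name):
        return (node.value.id, node.attr)
    return None


def infer_permissions(source: str) -> dict:
    """Resource type -> sorted list of 'line: evidence', by AST inspection."""
    found = {r: [] for r in RESOURCES}
    for node in ast.walk(ast.parse(source)):
        if isinstance(node, ast.Constant) and isinstance(node.value, str) \
                and URL_RE.match(node.value):
            found["network"].append((node.lineno, node.value))
        elif isinstance(node, ast.Subscript) \
                and _dotted(node.value) == ("os", "environ"):
            found["env_read"].append((node.lineno, "os.environ[...]"))
        elif isinstance(node, ast.Call):
            name = _dotted(node.func)
            if name in SHELL_CALLS:
                found["command_execution"].append((node.lineno, ".".join(name) + "()"))
            elif isinstance(node.func, ast.Attribute) \
                    and _dotted(node.func.value) == ("os", "environ"):
                found["env_read"].append((node.lineno, f"os.environ.{node.func.attr}()"))
            elif isinstance(node.func, ast.Name) and node.func.id == "open" \
                    and len(node.args) > 1 and isinstance(node.args[1], ast.Constant) \
                    and any(m in str(node.args[1].value) for m in "wa+"):
                target = (node.args[0].value if isinstance(node.args[0], ast.Constant)
                          else "<dynamic>")
                found["filesystem_write"].append(
                    (node.lineno, f"open({target!r}, {node.args[1].value!r})"))
    return {r: [f"{ln}: {ev}" for ln, ev in sorted(v)] for r, v in found.items()}


def audit(source: str, declared: set) -> list:
    """(resource, evidence) pairs for every inferred use the manifest did not
    declare. `declared` holds resource names from RESOURCES (assumed format)."""
    inferred = infer_permissions(source)
    return [(r, ev) for r in RESOURCES if r not in declared for ev in inferred[r]]


if __name__ == "__main__":
    # SKILL.md in the report declares nothing, so every hit is a violation.
    for resource, evidence in audit(SAMPLE_SCRIPT, declared=set()):
        print(f"UNDECLARED {resource:18} {evidence}")
```

Static inspection of this kind only sees literal strings and direct calls to the listed functions; a URL assembled at runtime or a call reached through an alias (`from os import system as s`) would slip past it, which is why the scanner's table pairs each row with concrete evidence lines rather than relying on a single heuristic.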
External URLs (3 findings)

Medium   External URL   https://julialang.org/downloads/                 README.md:17
Medium   External URL   https://openrouter.ai/api/v1/chat/completions    scripts/hpr_hybrid.py:23
Medium   External URL   https://openclaw.ai                              scripts/hpr_hybrid.py:349

Directory structure

6 files · 29.2 KB · 957 lines
Python: 1 file, 570 lines · Markdown: 4 files, 365 lines · Shell: 1 file, 22 lines
├─ 📁 references
│ ├─ 📝 install-manual.md Markdown 43L · 1.1 KB
│ └─ 📝 PROBLEM_LIBRARY.md Markdown 135L · 3.1 KB
├─ 📁 scripts
│ ├─ 🐍 hpr_hybrid.py Python 570L · 20.4 KB
│ └─ 🔧 hprlp_solve.sh Shell 22L · 639 B
├─ 📝 README.md Markdown 62L · 1.5 KB
└─ 📝 SKILL.md Markdown 125L · 2.4 KB

Dependency analysis (1 item)

Package   Version   Source                     Known vulnerabilities   Notes
urllib    stdlib    Python standard library    (none listed)           Standard library only

Security highlights

✓ SKILL.md clearly documents the Julia and HPR-LP installation process from official sources
✓ The core LP solving functionality matches the documented behavior for MPS file handling
✓ No base64-encoded payloads or obfuscation techniques observed
✓ No credential harvesting or data exfiltration to unknown IPs
✓ The LLM API calls are for legitimate problem parsing, not malicious