Security Decision Report

hpr-solver

Skill declares only LP solving with official Julia/HPR-LP downloads, but the actual implementation contains undeclared LLM API calls to OpenRouter, undeclared WhatsApp notifications to a specific phone number (+85259562906), and hardcoded user paths suggesting targeted deployment.

Install decision first · Source: manual upload · Scan time: 2026/4/5
Files: 6
IOCs: 3
Over-privileged items: 4
Findings: 5
Most direct threat evidence
01
Skill masquerades as LP solver via SKILL.md with no declared external network calls · Initial entry · SKILL.md
02
Script reads OPENROUTER_API_KEY from environment for LLM authentication · Reconnaissance · scripts/hpr_hybrid.py
03
Problem data sent to external OpenRouter API for LLM parsing without user consent · Privilege escalation · scripts/hpr_hybrid.py

Why this conclusion was reached

2 of 4 dimensions triggered
Block
Declared vs. actual capabilities

4 capabilities or over-privileged behaviors beyond the declaration were found.

Review
Hidden execution and external communication

3 general-risk artifacts were extracted; they need to be judged in context.

Block
Attack chain and high-risk findings

The report contains a 4-step attack chain, plus 2 high or critical findings.

Pass
Dependencies and supply-chain hygiene

A dependency structure exists, but no obvious high-risk alerts have been seen so far.

Attack chain

01
Skill masquerades as LP solver via SKILL.md with no declared external network calls

Initial entry · SKILL.md:1

02
Script reads OPENROUTER_API_KEY from environment for LLM authentication

Reconnaissance · scripts/hpr_hybrid.py:325

03
Problem data sent to external OpenRouter API for LLM parsing without user consent

Privilege escalation · scripts/hpr_hybrid.py:292

04
WhatsApp notifications sent to +85259562906 revealing contact information

Final impact · scripts/hpr_hybrid.py:500

How the risk score was raised

Undeclared LLM API calls +15

scripts/hpr_hybrid.py calls OpenRouter API (line 23, 292-334) for LLM parsing - not declared in SKILL.md

Undeclared WhatsApp notifications +15

Sends WhatsApp messages to +85259562906 (lines 500, 509-511) - not declared anywhere

Hardcoded user paths +10

scripts/hpr_hybrid.py hardcodes /home/ljw/ paths; hprlp_solve.sh hardcodes /home/ljw/

os.popen shell execution +5

Line 357 uses os.popen() for Julia execution without sandboxing

Key evidence

High · Documentation deception

Undeclared LLM API calls to OpenRouter

SKILL.md claims the skill only uses Julia/HPR-LP solver. In reality, hpr_hybrid.py calls OpenRouter API (https://openrouter.ai/api/v1/chat/completions) using minimax/MiniMax-M2.7 model to parse natural language problems. This sends user problem data to an external LLM service.

scripts/hpr_hybrid.py:23
Declare external LLM API usage in SKILL.md. Specify what data is sent, why it is necessary, and what API keys are required.
High · Documentation deception

Undeclared WhatsApp notifications

The script sends WhatsApp messages to +85259562906 via 'openclaw message send' command at lines 500 and 509-511. This behavior is completely absent from SKILL.md and reveals a specific contact number.

scripts/hpr_hybrid.py:500
Remove undeclared external communication channels. If notifications are required, declare them explicitly in SKILL.md with user consent.
Medium · Sensitive access

Hardcoded user-specific paths

The scripts contain hardcoded paths referencing a specific user '/home/ljw/' in both hpr_hybrid.py (lines 488-489) and hprlp_solve.sh (lines 17-18). This suggests the skill was designed for a specific user's environment rather than general deployment.

scripts/hpr_hybrid.py:488
Use environment variables or configurable paths instead of hardcoded user directories.
Medium · Credential theft

Environment variable API key access

The script reads OPENROUTER_API_KEY from environment variables (line 325) to authenticate with the external LLM API. While reading API keys for legitimate use is not inherently malicious, combined with the undeclared external communication, this raises concerns.

scripts/hpr_hybrid.py:325
Ensure API key usage is declared and the key is not exfiltrated or logged.
Low · Code execution

os.popen shell execution without sandbox

The run_julia_solve function (line 357) uses os.popen() to execute Julia solver commands. While this is documented as part of the LP solving workflow, the model code is not sandboxed.

scripts/hpr_hybrid.py:357
Consider using subprocess.run() with shell=False for safer execution, and validate/sanitize inputs.

Declared capabilities vs. actual capabilities

File system · Block
Declared: NONE
Inferred: WRITE
scripts/hpr_hybrid.py:357 writes temp .jl files to /tmp/
Network access · Block
Declared: NONE
Inferred: WRITE
scripts/hpr_hybrid.py:23,292-334 - undeclared OpenRouter API calls
Command execution · Block
Declared: NONE
Inferred: WRITE
scripts/hpr_hybrid.py:500,509 - os.system() for WhatsApp notifications
Environment variables · Block
Declared: NONE
Inferred: READ
scripts/hpr_hybrid.py:325 reads OPENROUTER_API_KEY from env

Suspicious artifacts and external connections

Medium · External URL
https://julialang.org/downloads/

README.md:17

Medium · External URL
https://openrouter.ai/api/v1/chat/completions

scripts/hpr_hybrid.py:23

Medium · External URL
https://openclaw.ai

scripts/hpr_hybrid.py:349

Dependencies and supply chain

Package · Version · Source · Vulnerabilities · Notes
urllib · stdlib · Python standard library · - · Standard library only

File composition

6 files · 957 lines
Python: 1 file · 570 lines
Markdown: 4 files · 365 lines
Shell: 1 file · 22 lines
Files needing attention · 2
scripts/hpr_hybrid.py Python · 570 lines
Undeclared LLM API calls to OpenRouter · Undeclared WhatsApp notifications · Hardcoded user-specific paths · Environment variable API key access · os.popen shell execution without sandbox · https://openrouter.ai/api/v1/chat/completions · https://openclaw.ai
README.md Markdown · 62 lines
https://julialang.org/downloads/
Other files · PROBLEM_LIBRARY.md · SKILL.md · install-manual.md · hprlp_solve.sh

Security highlights

SKILL.md clearly documents the Julia and HPR-LP installation process from official sources
The core LP solving functionality matches the documented behavior for MPS file handling
No base64-encoded payloads or obfuscation techniques observed
No credential harvesting or data exfiltration to unknown IPs
The LLM API calls are for legitimate problem parsing, not malicious