Security Decision Report

authenticate-wallet

The skill relies on unversioned npx execution of an external npm package with wildcard arguments, which poses a significant supply chain risk.

Installation decision first · Source: manual upload · Scan time: 2026/4/5
Files: 1
IOCs: 0
Privilege violations: 0
Findings: 3
Most direct threat evidence
01
Attacker typosquats or compromises the 'agnic' npm package supply_chain · SKILL.md
02
Skill executes arbitrary code via 'npx agnic@latest *' when the user invokes it code execution · SKILL.md
03
Malicious package executes code with the same shell:WRITE privileges final impact · SKILL.md

Why this conclusion

1 of 4 dimensions triggered
Pass
Declared vs. actual capabilities

Declared resources broadly match the inferred capabilities.

Pass
Hidden execution and outbound connections

No obvious high-risk outbound or execution signals at present.

Block
Attack chain and high-risk findings

The report contains a 3-step attack chain and 1 further high or critical finding.

Review
Dependency and supply-chain hygiene

1 dependency or supply-chain lead needs attention.

Attack chain

01
Attacker typosquats or compromises the 'agnic' npm package

supply_chain · SKILL.md:8

02
Skill executes arbitrary code via 'npx agnic@latest *' when the user invokes it

code execution · SKILL.md:8

03
Malicious package executes code with the same shell:WRITE privileges

final impact · SKILL.md:8

What raised the risk score

Supply chain dependency on an unversioned npm package +25

Uses 'npx agnic@latest' with no version pin; the 'latest' dist-tag is re-resolved on every run, so a compromised or swapped package is executed as soon as it is published

Wildcard argument passthrough +15

allowed-tools uses the '*' wildcard, allowing any agnic subcommand beyond the documented ones

Token passed via command line +5

Token visible in the process list and shell history when passed as a --token argument

Key evidence

High · Supply chain

Unversioned npm package execution

The skill uses 'npx agnic@latest' which pulls from npm registry without version pinning. An attacker who compromises the 'agnic' package name (typosquatting, account takeover) could execute arbitrary code.

SKILL.md:8
Pin to a specific version or commit hash, e.g. 'npx agnic@<exact-version>', or verify package integrity with an integrity hash (the sha512 'integrity' field a lockfile records for the tarball)
Medium · Documentation deception

Wildcard allows undocumented subcommands

The '*' in allowed-tools permits any agnic command, not just the documented auth/status/logout. The skill could silently execute other agnic subcommands not listed in documentation.

SKILL.md:8
Restrict to specific subcommands: 'Bash(npx agnic@latest auth login;npx agnic@latest status --json;npx agnic@latest auth logout)'
Low · Credential theft

Token visible in command line

Passing --token as a command-line argument exposes the credential in process list and shell history.

SKILL.md:11
Prefer the AGNIC_TOKEN environment variable, which is not visible in the process list or shell history, or document this risk explicitly
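The three findings above are all textual patterns in SKILL.md, so a practitioner can check them before installing a skill. The following is an added example, not code from the scanned skill or from the scanner that produced this report: a small linter that flags unpinned npx specs (dist-tags such as 'latest' and ranges do not count as pins), a '*' wildcard in the invocation, and a --token flag on the command line, and that builds the per-subcommand, version-pinned allowed-tools patterns recommended under the medium finding. The SKILL.md text, the 'scope/tool' package name and the version 1.2.3 are constructed placeholders; the scanned file is not reproduced on this page.

```python
"""Lint a skill's SKILL.md for the three patterns this report flags.

Added example, not code from the scanned skill or the scanner. The SKILL.md
text below is constructed to mirror the report (allowed-tools on one line,
--token on a command line); it is not the actual file.
"""
import re

# Constructed sample SKILL.md; the scanned file is not reproduced on this page.
SAMPLE_SKILL_MD = """---
name: authenticate-wallet
description: Authenticate with the agnic CLI
allowed-tools: Bash(npx agnic@latest *)
---
# authenticate-wallet

To log in, run:

    npx agnic@latest auth login --token <TOKEN>
"""

# An npx invocation: optional -y/--yes, optional @scope/, package, optional @spec,
# then everything up to a newline or closing paren (so Bash(...) patterns match too).
NPX_RE = re.compile(
    r"npx\s+(?:-y\s+|--yes\s+)?"
    r"(?P<pkg>(?:@[\w.-]+/)?[\w.-]+)"
    r"(?:@(?P<spec>[^\s*)]+))?"
    r"(?P<rest>[^\n)]*)"
)
# Only an exact version counts as a pin; dist-tags (latest) and ranges (^1.2.0) do not.
SEMVER_EXACT = re.compile(r"^\d+\.\d+\.\d+(?:[-+][\w.]+)?$")
TOKEN_FLAG = re.compile(r"--token(?:=|\s)")


def lint_skill(text: str) -> list[tuple[int, str, str]]:
    """Return (line, kind, evidence) for every unpinned npx, wildcard, or CLI token."""
    findings = []
    for lineno, line in enumerate(text.splitlines(), 1):
        for m in NPX_RE.finditer(line):
            spec, rest = m.group("spec"), m.group("rest")
            if spec is None or not SEMVER_EXACT.match(spec):
                findings.append((lineno, "unpinned", f"{m.group('pkg')}@{spec or '(none)'}"))
            if "*" in rest:
                findings.append((lineno, "wildcard", m.group(0).strip()))
            if TOKEN_FLAG.search(rest):
                findings.append((lineno, "token-on-cli", m.group(0).strip()))
    return findings


def harden_allowed_tools(pkg: str, version: str, subcommands: list[str]) -> list[str]:
    """Build one Bash() pattern per documented subcommand with an exact version pin.

    A dist-tag such as 'latest' is rejected because it re-resolves on every run.
    The version is the caller's choice; any value used here is a placeholder.
    """
    if not SEMVER_EXACT.match(version):
        raise ValueError(f"{version!r} is not an exact version")
    return [f"Bash(npx {pkg}@{version} {sub})" for sub in subcommands]


if __name__ == "__main__":
    for lineno, kind, evidence in lint_skill(SAMPLE_SKILL_MD):
        print(f"SKILL.md:{lineno}  {kind:13s} {evidence}")
    # Documented subcommands from the report; 1.2.3 is a placeholder version.
    for pattern in harden_allowed_tools("agnic", "1.2.3", ["auth login", "status --json", "auth logout"]):
        print(pattern)
```

Run against the constructed sample, the linter reports the unpinned spec and the wildcard on the allowed-tools line and the unpinned spec plus the --token flag on the login command, matching the three findings. The regex stops at a closing parenthesis so that a Bash(...) pattern and a plain command line are handled by the same rule; scoped packages (@scope/name) and the -y flag are also understood.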

Declared vs. actual capabilities

Command execution · Pass
Declared: WRITE
Inferred: WRITE
allowed-tools declares Bash(npx agnic@latest *)

Suspicious artifacts and outbound connections

No obvious IOCs were extracted.

Dependencies and supply chain

Package: agnic
Version: @latest
Source: npm
Vulnerabilities: none listed
Notes: No version pinned; arbitrary code execution is possible if the package is compromised
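The high finding recommends pinning and verifying an integrity hash, and the row above shows why '@latest' gives neither: with no pinned version there is no recorded digest to compare against. The following is an added example, not code from the scanned skill, the agnic package or npm itself, showing what that check amounts to. It computes npm's 'sha512-<base64>' integrity string for a tarball and verifies a second tarball against the pinned value, with both tarballs built in memory as constructed stand-ins (the package.json contents and the 0.0.0-example version are placeholders) so the check runs offline.

```python
"""Verify an npm tarball against a pinned SSRI integrity string.

Added example, not code from the scanned skill, the agnic package, or npm.
The two tarballs are constructed in memory so the check runs offline; the
'trusted' one stands in for the artifact whose digest a lockfile would record.
"""
import base64
import gzip
import hashlib
import hmac
import io
import tarfile


def ssri_sha512(data: bytes) -> str:
    """npm's integrity format: 'sha512-' followed by the base64-encoded digest."""
    return "sha512-" + base64.b64encode(hashlib.sha512(data).digest()).decode("ascii")


def verify_integrity(data: bytes, integrity: str) -> bool:
    """Recompute the digest named in the integrity string and compare in constant time."""
    algo, _, expected = integrity.partition("-")
    if algo not in ("sha256", "sha384", "sha512") or not expected:
        raise ValueError(f"unsupported or malformed integrity string: {integrity!r}")
    actual = base64.b64encode(hashlib.new(algo, data).digest()).decode("ascii")
    return hmac.compare_digest(actual, expected)


def build_tarball(files: dict[str, bytes]) -> bytes:
    """Build a deterministic package/ tarball (fixed entry mtimes, gzip mtime 0) for the demo."""
    raw = io.BytesIO()
    with tarfile.open(fileobj=raw, mode="w") as tar:
        for name in sorted(files):
            info = tarfile.TarInfo(name=f"package/{name}")
            info.size = len(files[name])
            info.mtime = 0
            tar.addfile(info, io.BytesIO(files[name]))
    out = io.BytesIO()
    with gzip.GzipFile(fileobj=out, mode="wb", mtime=0) as gz:
        gz.write(raw.getvalue())
    return out.getvalue()


# Constructed stand-ins: the version a lockfile pinned, and a build with different bytes
# published under the same name, which is what '@latest' would silently pull instead.
TRUSTED = build_tarball({
    "package.json": b'{"name":"agnic","version":"0.0.0-example","bin":"cli.js"}',
    "cli.js": b"console.log('auth ok')\n",
})
SWAPPED = build_tarball({
    "package.json": b'{"name":"agnic","version":"0.0.0-example","bin":"cli.js"}',
    "cli.js": b"console.log('auth ok') // same name, different bytes\n",
})
PINNED_INTEGRITY = ssri_sha512(TRUSTED)  # what the lockfile would have recorded


def check_pinned_vs_swapped() -> tuple[bool, bool]:
    """The pinned digest accepts the trusted build and rejects the swapped one."""
    return (verify_integrity(TRUSTED, PINNED_INTEGRITY),
            verify_integrity(SWAPPED, PINNED_INTEGRITY))


if __name__ == "__main__":
    print(PINNED_INTEGRITY)
    print(check_pinned_vs_swapped())
```

The point of the constant-time comparison and the algorithm allow-list is the same as in any digest check: a caller must not be able to downgrade to a weak algorithm or learn the expected value byte by byte. An integrity string is only useful together with an exact version, since a dist-tag can move to a tarball whose digest was never recorded.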

File composition

1 file · 62 lines
Markdown: 1 file · 62 lines
Files needing attention · 1
SKILL.md Markdown · 62 lines
Unversioned npm package execution · Wildcard allows undocumented subcommands · Token visible in command line

Security highlights

Skill is simple with minimal attack surface
No hidden functionality detected
No direct access to sensitive files (~/.ssh, ~/.aws, etc.)
No base64 or obfuscated code
No credential exfiltration observed