Security Decision Report

self-evolution-engine

Hardcoded billing API key with no declared credential handling, plus undocumented external data transmission to skillpay.me that is only minimally mentioned in SKILL.md — a significant doc-to-code mismatch.

Installation decision first · Source: manual upload · Scan time: 2026/4/4

Files: 9
IOCs: 2
Over-privileged items: 0
Findings: 5
Most direct threat evidence

Critical · Credential theft
Hardcoded Billing API Key in Source Code

payment.py contains a plaintext billing API key 'sk_f03aa8f8bbcf79f7aa11c112d904780f22e62add1464e3c41a79600a451eb1d2' hardcoded at line 12. The _meta.json specifies that the key should come from the SKILLPAY_API_KEY environment variable, but the code bypasses this entirely. Anyone with read access to the skill source can extract and misuse this key.

payment.py:12

Why this conclusion was reached

2 of 4 dimensions triggered

Pass
Declared vs actual capabilities

Declared resources and inferred capabilities are broadly consistent.

Block
Hidden execution and outbound connections

Extracted 1 high-risk IOC or outbound-connection signal.

Block
Attack chain and high-risk findings

The report contains a 3-step attack chain, plus 3 high or critical findings.

Review
Dependency and supply-chain hygiene

Found 5 dependency or supply-chain indicators that need attention.

Attack chain

01
Skill deployed with hardcoded billing API key embedded in payment.py

Initial entry · payment.py:12

02
Attacker extracts the hardcoded API key from source code

Privilege escalation · payment.py:12

03
Attacker uses the extracted key to make unauthorized billing API calls against skillpay.me on behalf of the skill operator

Final impact · payment.py:38

How the risk score was driven up

Hardcoded billing API key in source +35

payment.py line 12 contains a plaintext API key 'sk_f03aa...1d2' used in all X-API-Key headers. No env var fallback. Should be SKILLPAY_API_KEY from environment.

Undeclared external data transmission +20

SKILL.md mentions SkillPay only as a pricing note but does not disclose that SKILLPAY_USER_ID (from environment) is sent to an external endpoint. Data exfiltration to external host skillpay.me is not documented.

Hardcoded workspace path +8

evolution_generator.py and version_manager.py hardcode '/root/.openclaw/workspace/skills' — undeclared privileged path access that is platform-specific.

Unpinned dependencies +5

requirements.txt contains pandas>=2.0.0, numpy>=1.24.0, psutil>=5.9.0, matplotlib>=3.7.0 without upper bounds or exact versions.

Key evidence

Critical · Credential theft

Hardcoded Billing API Key in Source Code

payment.py contains a plaintext billing API key 'sk_f03aa8f8bbcf79f7aa11c112d904780f22e62add1464e3c41a79600a451eb1d2' hardcoded at line 12. The _meta.json specifies that the key should come from the SKILLPAY_API_KEY environment variable, but the code bypasses this entirely. Anyone with read access to the skill source can extract and misuse this key.

payment.py:12
Replace with os.environ.get('SKILLPAY_API_KEY', '') and ensure the environment variable is documented and required at runtime.
High · Data exfiltration

Undeclared External Data Transmission

The skill transmits SKILLPAY_USER_ID (read from the environment) and the billing API key to https://skillpay.me for payment verification. SKILL.md only mentions '本 Skill 已接入 SkillPay 付费系统' ("This Skill is connected to the SkillPay payment system") and a price tag. It does not disclose what data is sent, to which endpoint, or that user identifiers are transmitted to a third-party service.

payment.py:76
Add a dedicated 'Data and Privacy' (数据与隐私) section to SKILL.md detailing all external API calls, the data fields transmitted, and the service provider.
High · Documentation deception

SKILL.md Does Not Match Implementation

SKILL.md describes a pure self-evolution engine (performance monitoring, error analysis, version management). The actual implementation includes a mandatory billing/payment system that charges users before execution, reads environment variables, and makes outbound HTTP requests — none of which appear in the capability declaration or tool list.

SKILL.md:1
Add network:READ and environment:READ to the declared capability map, and document the payment verification flow in SKILL.md.
Medium · Sensitive access

Hardcoded Privileged Workspace Path

Both evolution_generator.py and version_manager.py hardcode /root/.openclaw/workspace/skills as the target directory for skill file operations (snapshots, backups, patches). This path implies running with elevated (root) privileges and targets a specific platform directory not declared in SKILL.md.

scripts/evolution_generator.py:22
Use a configurable workspace path from environment variable or command-line argument rather than hardcoding /root paths.
Low · Supply chain

Unpinned Dependencies with Lower Bounds Only

requirements.txt uses lower-bound version specifiers (pandas>=2.0.0, numpy>=1.24.0, etc.) without upper bounds or exact pins. This allows dependency confusion attacks and pulls latest patch versions without review.

requirements.txt:1
Pin exact versions (e.g., pandas==2.2.3) or at minimum add upper bounds (pandas>=2.0.0,<3.0.0) to prevent silent major-version jumps.

Declared vs actual capabilities

Network access · Pass
  Declared: NONE
  Inferred: READ
  payment.py:20-30 makes requests.post() to https://skillpay.me with the API key and user ID

Environment variables · Pass
  Declared: NONE
  Inferred: READ
  payment.py:76 reads os.environ.get('SKILLPAY_USER_ID')

File system · Pass
  Declared: NONE
  Inferred: WRITE
  evolution_generator.py:22, version_manager.py:18 hardcode the /root/.openclaw/workspace/skills path for writes

Suspicious artifacts and outbound connections

High · API key
API_KEY = "sk_f03aa8f8bbcf79f7aa11c112d904780f22e62add1464e3c41a79600a451eb1d2"

payment.py:12

Medium · External URL
https://skillpay.me

payment.py:11

Dependencies and supply chain

| Package         | Version      | Source | Vulnerabilities | Notes                                                  |
|-----------------|--------------|--------|-----------------|--------------------------------------------------------|
| pandas          | >=2.0.0      | pip    | -               | Version not pinned, lower-bound only                   |
| numpy           | >=1.24.0     | pip    | -               | Version not pinned                                     |
| psutil          | >=5.9.0      | pip    | -               | Version not pinned                                     |
| matplotlib      | >=3.7.0      | pip    | -               | Version not pinned                                     |
| python-dateutil | >=2.8.0      | pip    | -               | Version not pinned                                     |
| requests        | not declared | pip    | -               | Used in payment.py but not listed in requirements.txt  |

File composition

9 files · 1662 lines
Python 5 files · 1300 lines · Markdown 2 files · 329 lines · JSON 1 file · 19 lines · Text 1 file · 14 lines

Files needing attention · 4
scripts/evolution_generator.py Python · 394 lines
Hardcoded Privileged Workspace Path
payment.py Python · 142 lines
Hardcoded Billing API Key in Source Code · Undeclared External Data Transmission · API_KEY = "sk_f03aa8f8bbcf79f7aa11c112d904780f22e62add1464e3c41a79600a451eb1d2" · https://skillpay.me
SKILL.md Markdown · 84 lines
SKILL.md Does Not Match Implementation
requirements.txt Text · 14 lines
Unpinned Dependencies with Lower Bounds Only
Other files · version_manager.py · error_analyzer.py · performance_monitor.py · architecture.md · _meta.json

Security highlights

No shell execution, subprocess, or command injection vectors found
No credential harvesting beyond the billing API key (which is used for its intended purpose, not exfiltrated elsewhere)
No base64-encoded payloads, obfuscated code, or anti-analysis techniques
Evolution apply and rollback operations require explicit --confirm flags, providing a human-in-the-loop safeguard
Backup creation before rollback operations prevents accidental data loss
No access to ~/.ssh, ~/.aws, .env, or other sensitive user paths
No reverse shell, C2, or data-theft-only beacons detected