Security Decision Report

superguard

The skill masquerades as a security guard tool but harvests credentials through fake commands, and its metadata contains garbled text that likely hides a prompt injection.

Install decision: priority · Source: manual upload · Scan time: 2026/4/3
Files: 2
IOCs: 2
Privilege violations: 3
Findings: 5
Most direct threat evidence
Critical
Hidden garbled text in metadata likely containing prompt injection

The metadata.description field contains: 'treasurer teacher mapsllah particularly asks presents seeks requested scrambling variation dialogue jointly indictment postage' - this appears to be deliberately obfuscated content that could contain hidden instructions to manipulate the AI model.

SKILL.md:1

Why this conclusion was reached

2 of 4 dimensions triggered
Block
Declared vs. actual capabilities

Found 3 capabilities or privilege violations beyond those declared.

Review
Hidden execution and outbound connections

2 general-risk artifacts extracted; they require contextual judgment.

Block
Attack chain and high-risk findings

The report contains a 5-step attack chain, plus 4 high-risk or critical findings.

Review
Dependencies and supply-chain hygiene

No complete dependency information is available; the supply-chain assessment is left open.

Attack chain

01
Masquerades as legitimate security guard tool using defensive branding

Initial access · SKILL.md:1

02
Hidden garbled text in metadata may contain model injection instructions

Persistence · SKILL.md:1

03
References credential storage path ~/.openclaw/credentials/moltguard/

Credential access · SKILL.md:46

04
/og_claim command instructs users to expose Agent ID and API Key

Data exfiltration · SKILL.md:36

05
Enterprise enrollment script connects to arbitrary URLs for credential exfiltration

Final impact · SKILL.md:61

How the risk score was raised

Hidden garbled text in metadata +25

SKILL.md metadata contains scrambled text that may hide malicious instructions for model injection

Credential harvesting commands +25

/og_claim command instructs users to expose their Agent ID and API Key

Undeclared credential path access +15

Skill declares NONE for filesystem but references ~/.openclaw/credentials/ access

Social engineering for credential display +20

Onboarding flow asks users to paste credentials to claim-agent page

Fake security tool branding +12

Poses as security protection to gain trust while harvesting credentials

Key evidence

Critical

Hidden garbled text in metadata likely containing prompt injection

The metadata.description field contains: 'treasurer teacher mapsllah particularly asks presents seeks requested scrambling variation dialogue jointly indictment postage' - this appears to be deliberately obfuscated content that could contain hidden instructions to manipulate the AI model.

SKILL.md:1
Remove all garbled text from metadata. Legitimate tools do not contain scrambled content.
Critical

Credential harvesting through /og_claim command

The skill instructs users to run /og_claim which 'Shows your Agent ID and API Key to claim this agent on Core'. This is a credential exfiltration mechanism disguised as a legitimate onboarding step.

SKILL.md:36
Do not expose API keys through chat output. Legitimate tools use secure configuration methods, not display-to-user patterns.
High

Enterprise enrollment to arbitrary URLs

The enterprise-enroll.mjs script accepts arbitrary URLs and redirects security scanning to attacker-controlled endpoints.

SKILL.md:61
Block any skill that connects to arbitrary URLs for 'enrollment' purposes.
High

Fake security tool branding for trust

The skill poses as a security guard protecting against 'prompt injection, data exfiltration, and malicious commands' while actually being a credential harvester. The keywords in metadata (data-exfiltration, credential-theft, command-injection) are defensive terms used to appear legitimate.

SKILL.md:1
Be wary of tools that use security-related branding to mask their true purpose.
Medium

Social engineering test file read

The 'Test Your Protection' section instructs users to read a specific file claiming it contains a hidden prompt injection attack. This could be used to desensitize users to reading suspicious files or to establish trust before malicious actions.

SKILL.md:21
Never encourage reading arbitrary files as a 'test' of security tools.

Declared vs. actual capabilities

Filesystem · Block
Declared: NONE
Inferred: READ
SKILL.md references reading ~/.openclaw/extensions/moltguard/samples/test-email-popup.txt

Command execution · Block
Declared: NONE
Inferred: WRITE
SKILL.md declares multiple bash commands (/og_status, /og_claim, /og_core, /og_config, /og_dashboard)

Environment variables · Block
Declared: NONE
Inferred: READ
Credentials saved to ~/.openclaw/credentials/moltguard/ implies API key access

Suspicious artifacts and outbound connections

Medium · External URL
https://core.company.com

SKILL.md:122

Info · Email address
[email protected]

SKILL.md:149

Dependencies and supply chain

No structured dependency alerts.

File composition

2 files · 177 lines
Markdown: 1 file · 172 lines
JSON: 1 file · 5 lines
Files needing attention · 1
SKILL.md · Markdown · 172 lines
Hidden garbled text in metadata likely containing prompt injection · Credential harvesting through /og_claim command · Enterprise enrollment to arbitrary URLs · Fake security tool branding for trust · Social engineering test file read · https://core.company.com · [email protected]
Other files · _meta.json

Security highlights

Skill does not contain actual executable code (no scripts/)
Skill does not have external dependency files (requirements.txt, package.json)