Security Decision Report

sql_audit

The skill contains hardcoded credentials and undeclared network communication to a static IP over plaintext HTTP, but it implements legitimate SQL audit functionality and no evidence of malicious data exfiltration was found.

Install decision priority · Source: manual upload · Scan time: 2026/4/4
Files: 3
IOCs: 2
Over-privilege items: 2
Findings: 3
Most direct threat evidence
High · Credential theft
Hardcoded JWT token in source code

A default JWT authentication token is hardcoded in the _get_gemini_config() function. A JWT's header and payload are only base64url-encoded, not encrypted, so anyone with the source can read its claims; here the payload appears to identify an admin user. If this token is a live credential, every recipient of the skill holds it; it should be supplied only via an environment variable and never shipped in source.

sql_audit.py:657

Why this conclusion was reached

3 of 4 dimensions triggered
Block
Declared vs actual capabilities

2 capabilities or over-privileged behaviours found beyond what is declared.

Block
Hidden execution and outbound connections

1 high-risk IOC or outbound-connection signal extracted.

Block
Attack chain and high-risk findings

No attack chain was identified (0 steps); there are 2 high or critical findings.

Review
Dependency and supply-chain hygiene

3 dependency or supply-chain items need attention.

How the risk score was driven up

Hardcoded IP address in source +15

47.77.199.56 hardcoded as default Gemini API endpoint in _get_gemini_config()

Hardcoded JWT token +18

_default_token hardcoded in sql_audit.py:657-666, contains base64-encoded credential data

Undeclared network behavior +10

SKILL.md does not mention external API calls or the hardcoded IP fallback

Subprocess execution +5

index.js spawns a Python subprocess; this is a common pattern for skill runners, but it is not declared in SKILL.md
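The three indicator types in the breakdown above (a JWT literal, a public IP literal, a plaintext http:// URL) are cheap to detect with static pattern matching, and decoding the JWT payload is how a triager learns what a leaked token asserts. The following is an added example, not the scanner's code or sql_audit's: it mints a throwaway HS256 token with a dummy key, embeds it in a constructed snippet that only imitates the shape of the flagged function, and runs a small detector over it. The token the report actually found is not reproduced here.

```python
"""Added example (not scanner or sql_audit code): detect hardcoded JWTs, public IPv4
literals and plaintext http:// URLs in source text, and decode JWT claims for triage."""
import base64
import hashlib
import hmac
import ipaddress
import json
import re


def _b64url(raw: bytes) -> str:
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()


def make_demo_jwt(claims: dict, key: bytes = b"demo-key") -> str:
    """Mint a throwaway HS256 JWT so the constructed sample carries a realistic token.
    This is NOT the token the report found; the signing key is a dummy."""
    header = _b64url(json.dumps({"alg": "HS256", "typ": "JWT"}, separators=(",", ":")).encode())
    payload = _b64url(json.dumps(claims, separators=(",", ":")).encode())
    signature = _b64url(hmac.new(key, f"{header}.{payload}".encode(), hashlib.sha256).digest())
    return f"{header}.{payload}.{signature}"


DEMO_TOKEN = make_demo_jwt({"sub": "admin", "role": "admin", "exp": 4102444800})

# Constructed stand-in for the flagged function (shape only; the URL is the report's IOC).
SAMPLE_SOURCE = f'''
def _get_gemini_config():
    base_url = os.environ.get("GEMINI_BASE_URL", "http://47.77.199.56/api/v1beta")
    _default_token = "{DEMO_TOKEN}"
    return base_url, os.environ.get("GEMINI_TOKEN", _default_token)
'''

# "eyJ" is the base64url encoding of '{"', so every JSON-header JWT begins with it.
JWT_RE = re.compile(r"\beyJ[A-Za-z0-9_-]+\.[A-Za-z0-9_-]+\.[A-Za-z0-9_-]+")
URL_RE = re.compile(r"https?://[^\s\"']+")
IPV4_RE = re.compile(r"\b(?:\d{1,3}\.){3}\d{1,3}\b")


def decode_jwt_payload(token: str) -> dict:
    """Decode the claims segment WITHOUT verifying the signature.
    This is triage (what does the leaked token assert?), not authentication."""
    payload = token.split(".")[1]
    payload += "=" * (-len(payload) % 4)  # restore the base64 padding JWTs strip
    return json.loads(base64.urlsafe_b64decode(payload))


def scan_source(source: str) -> list[dict]:
    """Return one finding per hardcoded JWT, plaintext-HTTP URL and public IPv4 literal."""
    findings = []
    for lineno, line in enumerate(source.splitlines(), 1):
        for m in JWT_RE.finditer(line):
            findings.append({"kind": "jwt", "line": lineno,
                             "claims": decode_jwt_payload(m.group())})
        for m in URL_RE.finditer(line):
            if m.group().startswith("http://"):  # credential and data would travel in cleartext
                findings.append({"kind": "plaintext_url", "line": lineno, "value": m.group()})
        for m in IPV4_RE.finditer(line):
            try:
                addr = ipaddress.ip_address(m.group())
            except ValueError:  # e.g. 999.1.1.1 matches the regex but is not an address
                continue
            if addr.is_global:  # loopback and private ranges are not outbound IOCs
                findings.append({"kind": "hardcoded_public_ip", "line": lineno, "value": str(addr)})
    return findings


if __name__ == "__main__":
    for finding in scan_source(SAMPLE_SOURCE):
        print(finding)
```

On the constructed snippet the detector reports the URL and the IP on the same line (mirroring the report's two IOCs at sql_audit.py:649) and the JWT on the next line, with its decoded claims naming the admin subject. The public-range check keeps 127.0.0.1 and RFC 1918 addresses out of the IOC list.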

Most critical evidence

High · Credential theft

Hardcoded JWT token in source code

A default JWT authentication token is hardcoded in the _get_gemini_config() function. A JWT's header and payload are only base64url-encoded, not encrypted, so anyone with the source can read its claims; here the payload appears to identify an admin user. If this token is a live credential, every recipient of the skill holds it; it should be supplied only via an environment variable and never shipped in source.

sql_audit.py:657
Remove the hardcoded _default_token and require the token to be supplied via the GEMINI_TOKEN environment variable, failing closed when it is absent rather than falling back to a built-in value. Treat the value already shipped in source as compromised and rotate it. Do not ship credentials in source code.
High · Documentation deception

Undeclared external IP address for API calls

The skill makes HTTP requests to a hardcoded IP address (47.77.199.56) for Gemini API calls, but SKILL.md does not mention this. The endpoint URL uses plain http://, so the token and the audited SQL content travel in cleartext, and users cannot verify where their data is being sent or who operates the host.

sql_audit.py:649
Document the external API endpoint in SKILL.md. Use an https:// URL with a DNS hostname rather than a raw IP, and make the endpoint configurable via an environment variable instead of a built-in fallback.
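The two remediations above (no built-in token, no built-in IP endpoint) come down to one fail-closed config loader. The following is an added example, not the project's own _get_gemini_config(): GEMINI_TOKEN is the variable the remediation names, while GEMINI_BASE_URL and the optional host allow-list are assumptions made for this example. It rejects a missing token, a missing endpoint, any non-https scheme, and any raw IP literal as the host, instead of silently falling back.

```python
"""Added example (not sql_audit's code): a fail-closed replacement for a config
loader that previously fell back to a hardcoded token and a hardcoded http:// IP."""
import ipaddress
import os
from typing import Mapping, Optional
from urllib.parse import urlsplit


class ConfigError(RuntimeError):
    """Raised instead of silently falling back to a built-in token or endpoint."""


def load_gemini_config(env: Optional[Mapping[str, str]] = None,
                       allowed_hosts: Optional[set] = None) -> dict:
    """Read the Gemini endpoint and token from the environment and validate them.
    `env` defaults to os.environ; passing a mapping makes the function testable.
    GEMINI_TOKEN is the variable named in the report; GEMINI_BASE_URL is assumed."""
    env = os.environ if env is None else env

    token = env.get("GEMINI_TOKEN", "").strip()
    if not token:
        raise ConfigError("GEMINI_TOKEN is not set; refusing to start with no credential")

    base_url = env.get("GEMINI_BASE_URL", "").strip()
    if not base_url:
        raise ConfigError("GEMINI_BASE_URL is not set; there is no built-in fallback endpoint")

    parts = urlsplit(base_url)
    if parts.scheme != "https":
        raise ConfigError(
            f"endpoint must use https so the token is not sent in cleartext (got {parts.scheme!r})")

    host = parts.hostname or ""
    try:
        ipaddress.ip_address(host)  # succeeds for IPv4 and bracketed IPv6 literals
    except ValueError:
        pass  # a DNS name, which is what we want
    else:
        raise ConfigError(f"endpoint host {host} is a raw IP literal; use a DNS name")

    if allowed_hosts is not None and host not in allowed_hosts:
        raise ConfigError(f"endpoint host {host} is not in the allow-list")

    return {"base_url": base_url.rstrip("/"), "token": token}


def config_rejection(env: Mapping[str, str], allowed_hosts: Optional[set] = None) -> Optional[str]:
    """Return the rejection reason for a given environment, or None if it is accepted."""
    try:
        load_gemini_config(env, allowed_hosts)
    except ConfigError as exc:
        return str(exc)
    return None


if __name__ == "__main__":
    # The report's endpoint, as it would be supplied through the environment, is refused twice:
    # once for plaintext http and, even with https, again for being a raw IP.
    print(config_rejection({"GEMINI_TOKEN": "t", "GEMINI_BASE_URL": "http://47.77.199.56/api/v1beta"}))
    print(config_rejection({"GEMINI_TOKEN": "t", "GEMINI_BASE_URL": "https://47.77.199.56/api/v1beta"}))
```

The allow-list is optional because a skill runner may legitimately point at an internal proxy; when it is set, the hostname must match exactly, so a look-alike domain is refused as well.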
Medium · Privilege escalation

Undeclared shell subprocess execution

index.js uses Node.js child_process spawn() to invoke the Python interpreter. spawn() launches a child process directly and only goes through a shell when called with shell: true, but it is command execution either way. This is common for skill runners; it is nevertheless not declared in SKILL.md.

index.js:98
Document the subprocess execution mechanism in SKILL.md's capability section.

Declared vs actual capabilities

Capability          Result  Declared  Inferred  Evidence
Filesystem          Pass    READ      READ      SKILL.md: reads sql_output.json, writes audit_output.json
Network access      Block   NONE      WRITE     sql_audit.py:649: undeclared external HTTP calls to 47.77.199.56
Command execution   Block   NONE      WRITE     index.js: spawn() launches a Python subprocess
Database            Pass    WRITE     WRITE     Executes real SQL on StarRocks and returns results

Suspicious artifacts and outbound connections

High · IP address
47.77.199.56

sql_audit.py:649

Medium · External URL
http://47.77.199.56/api/v1beta

sql_audit.py:649

Dependencies and supply chain

Package        Version   Source  Vulnerabilities  Notes
httpx          unpinned  pip     -                No version pinning
pymysql        unpinned  pip     -                No version pinning
python-dotenv  unpinned  pip     -                No version pinning

Because none of the three is pinned, the versions that will actually be installed cannot be determined from the package, so no advisory lookup is possible at scan time.

File composition

3 files · 1089 lines
Python: 1 file · 868 lines
JavaScript: 1 file · 164 lines
Markdown: 1 file · 57 lines
Files of concern · 2
sql_audit.py · Python · 868 lines
Hardcoded JWT token in source code · Undeclared external IP address for API calls · 47.77.199.56 · http://47.77.199.56/api/v1beta
index.js · JavaScript · 164 lines
Undeclared shell subprocess execution
Other files · SKILL.md

Security highlights

SQL execution is constrained to SELECT operations, per the intercept rules described in the docs (a documentation claim, not a behaviour exercised by this scan)
No evidence of credential exfiltration or data theft
Database connection details are read from environment variables (proper handling)
No base64-encoded runtime execution or obfuscation detected
No access to sensitive paths like ~/.ssh or ~/.aws