Security Decision Report

semanticfs

Skill contains a declared but dangerous curl|bash remote script execution pattern for installation, representing an unmitigated supply chain risk.

Install decision priority · Source: manual upload · Scan time: 2026/4/4
Files 1
IOC 1
Overreach items 1
Findings 3
Most direct threat evidence
01
Attacker compromises GitHub repo or modifies install.sh on main branch supply_chain · SKILL.md
02
User follows install instructions, executing malicious code via curl|bash code execution · SKILL.md
03
Attacker gains arbitrary code execution on user's system final impact · install.sh

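Why this conclusion was reached

3 of 4 dimensions triggered
Block
Declared vs. actual capabilities

Found 1 capability or overreach beyond what was declared.

Block
Hidden execution and outbound connections

Extracted 1 high-risk IOC or outbound-connection signal.

Block
Attack chain and high-risk findings

The report contains a 3-step attack chain, plus 1 high-risk or critical finding.

Review
Dependency and supply-chain hygiene

Complete dependency information is not available, so the supply-chain assessment should be treated as tentative.

Attack chain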

01
Attacker compromises GitHub repo or modifies install.sh on main branch

supply_chain · SKILL.md:40

02
User follows install instructions, executing malicious code via curl|bash

code execution · SKILL.md:40

03
Attacker gains arbitrary code execution on user's system

final impact · install.sh:1

How the risk score was raised

Remote script execution via curl|bash +25

SKILL.md:40 executes install.sh from GitHub raw URL without integrity verification

No version/commit pinning +10

URL uses 'main' branch which can change at any time

Unmitigated supply chain risk +10

Attacker with repo access could modify install.sh to execute arbitrary code

Key evidence

High risk · Supply chain

Dangerous curl|bash remote script execution

The install instruction at line 40 uses 'curl -sSfL <URL> | bash', which downloads and executes arbitrary code from a remote GitHub repository without any integrity verification (no hash check, no version pin, no code review step).

SKILL.md:40
Replace with: 1) Direct binary download with SHA256 verification, 2) Package manager install (pip/brew), or 3) Explicit multi-step instructions showing what the install script does before execution.
Medium risk · Supply chain

Unpinned installation source

The GitHub raw URL points to the 'main' branch without a specific commit, tag, or release. The content can change arbitrarily, breaking reproducibility and enabling supply chain attacks.

SKILL.md:40
Pin to a specific release tag: https://raw.githubusercontent.com/Navneeth08k/semanticFS/v1.0.0/scripts/install.sh
Medium risk · Privilege escalation

Undeclared shell execution permissions

SKILL.md instructs users to run multiple shell commands (semanticfs binary, curl, python3 -c) without declaring 'shell:WRITE' in allowed-tools mapping. The shell resource capability is not declared at all.

SKILL.md:40
If shell execution is required for this skill, declare it explicitly in the allowed-tools mapping.

Declared vs. actual capabilities

Filesystem · Pass
Declared NONE
Inferred READ
semanticfs index build requires read access to indexed directories
Network access · Pass
Declared NONE
Inferred READ
Queries localhost:9464 API for search results
Command execution · Block
Declared NONE
Inferred WRITE
SKILL.md:40,45,52,55,63 - Runs binary commands and curl without declared shell permission

Suspicious artifacts and outbound connections

Critical · Dangerous command
curl -sSfL https://raw.githubusercontent.com/Navneeth08k/semanticFS/main/scripts/install.sh | bash

SKILL.md:40

Dependencies and supply chain

No structured dependency alerts.

File composition

1 file · 131 lines
Markdown 1 file · 131 lines
Files needing attention · 1
SKILL.md Markdown · 131 lines
Dangerous curl|bash remote script execution · Unpinned installation source · Undeclared shell execution permissions · curl -sSfL https://raw.githubusercontent.com/Navneeth08k/semanticFS/main/scripts/install.sh | bash

Security highlights

Skill behavior is well-documented and transparent about what it does
The tool is read-only (semantic search only, no file modification)
Localhost-only network usage reduces exfiltration risk
GitHub repository provides some accountability (unlike arbitrary URLs)