Security Decision Report

clawhub-security-scan

A ClawHub security-scanning tool with a hardcoded example credential in review.py that contradicts its own security advice, and undeclared external API calls to skillpay.me for billing.

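Install decision first · Source: manual upload · Scan time: 2026/4/3
Files: 5
IOCs: 2
Out-of-scope capabilities: 2
Findings: 3
Most direct threat evidence
High risk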
Hardcoded high-entropy string contradicts security advice

review.py line 24 contains api_key = "secretkeyhere123" — a hardcoded credential with Shannon entropy >3.5 that matches the skill's own high-entropy secret detection pattern. The same file's print_best_practices() explicitly warns against this pattern.

scripts/review.py:24

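Why this conclusion was reached

3/4 dimensions triggered
Block
Declared vs. actual capabilities

Found 2 capabilities or overreaching behaviors beyond what is declared.

Block
Hidden execution and outbound connections

Extracted 1 high-risk IOC or outbound-connection signal.

Block
Attack chain and high-risk findings

The report contains a 0-step attack chain, plus 1 high-risk or critical finding.

Pass
Dependency and supply-chain hygiene

A dependency structure exists, but no obvious high-risk alerts have been seen so far.

How the risk score was raised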

Hardcoded high-entropy string in source +20

review.py:24 contains 'api_key = "secretkeyhere123"' — a hardcoded credential that triggers the skill's own HIGH_RISK detection pattern (is_likely_secret entropy>3.5, length≥16). This directly contradicts the skill's documented best practices.

Undeclared external network calls +10

scan.py and precheck.py both POST to https://skillpay.me/api/v1 for billing. This is not declared in SKILL.md's documented capabilities, only mentioned under 'Pricing'. SkillPay API key is read from environment.

Environment variable reading not prominently documented +5

SKILLPAY_API_KEY is read via os.environ.get() for billing. While 'reads env vars' is mentioned in Medium Risk scanning patterns, the tool's own env var dependency is not stated upfront.

Bills users per invocation +5

Both scan.py and precheck.py require --user-id and will attempt to charge 0.001 USDT per call via SkillPay. This cost model is mentioned in Pricing but not in the declared capabilities table.

Key evidence

High risk

Hardcoded high-entropy string contradicts security advice

review.py line 24 contains api_key = "secretkeyhere123" — a hardcoded credential with Shannon entropy >3.5 that matches the skill's own high-entropy secret detection pattern. The same file's print_best_practices() explicitly warns against this pattern.

scripts/review.py:24
Remove this line or replace with a clearly commented placeholder: # DEMO ONLY: api_key = "your-key-here" # Never hard-code secrets
Medium risk

Undeclared external API calls to skillpay.me

Both scan.py and precheck.py POST JSON to https://skillpay.me/api/v1 for billing. This network WRITE behavior is only mentioned under 'Pricing' in SKILL.md, not in the declared capabilities or the usage table.

scripts/scan.py:64
Add skillpay.me to the 'What it scans' section under Medium Risk, or create an 'External APIs' subsection in SKILL.md
Medium risk

Billing charge on every invocation requires --user-id

Both scan.py and precheck.py require --user-id and will attempt to charge 0.001 USDT via SkillPay on every run. This cost model is not prominent in the command documentation.

scripts/scan.py:156
Document that the skill charges 0.001 USDT per call prominently in the Usage section

Declared vs. actual capabilities

File system: Pass
Declared: READ
Inferred: READ
SKILL.md documents reading sensitive files as what the tool scans FOR
Network access: Block
Declared: READ
Inferred: WRITE
scan.py:64, precheck.py:36 — POSTs to skillpay.me/api/v1 not declared in SKILL.md capabilities
Environment variables: Block
Declared: NONE
Inferred: READ
scan.py:72, precheck.py:44 — reads SKILLPAY_API_KEY from os.environ
Command execution: Pass
Declared: NONE
Inferred: NONE
No subprocess/shell execution found in codebase

Suspicious artifacts and outbound connections

High risk: API key
api_key = "secretkeyhere123"

scripts/review.py:24

Medium risk: External URL
https://skillpay.me/api/v1

scripts/precheck.py:24

Dependencies and supply chain

Package · Version · Source · Vulnerabilities · Notes
urllib (stdlib) N/A stdlib Standard library only, no external package dependencies

File composition

5 files · 851 lines
Python 3 files · 769 lines
Markdown 1 file · 73 lines
JSON 1 file · 9 lines
Files needing attention · 3
scripts/scan.py Python · 472 lines
Undeclared external API calls to skillpay.me · Billing charge on every invocation requires --user-id
scripts/precheck.py Python · 196 lines
https://skillpay.me/api/v1
scripts/review.py Python · 101 lines
Hardcoded high-entropy string contradicts security advice · api_key = "secretkeyhere123"
Other files · SKILL.md · _meta.json

Security highlights

Skill actively detects and warns against the very patterns it exhibits (credential hardcoding, eval/exec, sensitive file access) — shows awareness of security best practices
No subprocess/shell execution found anywhere in the codebase
No sensitive file access (~/.ssh, /etc/passwd, etc.) in the skill's own code
No base64 decode, eval(), or __import__ tricks found
No data exfiltration or credential theft
SKILL.md comprehensively documents what patterns it scans for, reducing user surprise
The skill's core scanning logic (scan.py) is well-structured with clear risk categorization