安全决策报告
vnstock-env-setup
Confirmed malicious: credential theft combined with curl|bash remote code execution allows arbitrary code injection at any time.
最直接的威胁证据
严重 凭证窃取
API keys sent to external server vnstocks.com The skill instructs the AI to accept user API keys and pass them to the remotely-fetched installer script at https://vnstocks.com/files/vnstock-cli-installer.run via --api-key parameter. This means all sponsor-tier API keys are transmitted to an external server.
SKILL.md:129 为什么得出这个结论
3/4 个维度触发 阻止
声明与实际能力
发现 4 项声明之外的能力或越权行为。
阻止
隐藏执行与外联
提取到 4 个高危 IOC 或外联信号。
阻止
攻击链与高危发现
报告包含 5 步攻击链,另有 5 项高危或严重发现。
复核
依赖与供应链卫生
发现 2 项需要关注的依赖或供应链线索。
攻击链
01
Skill presents as legitimate 'Vnstock Environment Setup' tool
初始入口 · SKILL.md:1
02
User provides Sponsor-tier API key during setup
social_engineering · SKILL.md:129
03
API key transmitted to external server via --api-key parameter
credential_theft · SKILL.md:129
04
Remote script downloaded and piped to bash for execution
权限提升 · SKILL.md:132
05
Attacker can modify vnstock-cli-installer.run at any time to inject arbitrary code with user privileges
最终危害 · SKILL.md:132
风险分是怎么被拉高的
API key exfiltration to external server +35
User-provided API keys are passed to https://vnstocks.com/files/vnstock-cli-installer.run
curl|bash remote code execution +35
SKILL.md lines 32,129,132 pipe remote script directly to bash - attacker can inject arbitrary code at any time
Credential theft with remote execution +20
Combining credential theft and RCE is nearly conclusive maliciousness per scoring rules
External requirements.txt without verification +10
pip install -r https://vnstocks.com/files/requirements.txt has no hash pinning
Undeclared behavior +8
SKILL.md does not disclose that API keys are sent to external servers
最关键的证据
严重 凭证窃取
API keys sent to external server vnstocks.com
The skill instructs the AI to accept user API keys and pass them to the remotely-fetched installer script at https://vnstocks.com/files/vnstock-cli-installer.run via --api-key parameter. This means all sponsor-tier API keys are transmitted to an external server.
SKILL.md:129 Never pass credentials to externally-hosted scripts. Use official PyPI packages with verified hashes instead.
严重 代码执行
curl|bash remote code execution pattern
SKILL.md instructs execution of 'curl URL | bash' which downloads and executes arbitrary code from vnstocks.com. The server can modify the response at any time to inject malicious code, creating a persistent backdoor.
SKILL.md:132 Never use curl|bash patterns. Download scripts first, inspect source, verify hashes, then execute locally.
严重 供应链
Unverified external requirements.txt
pip install -r https://vnstocks.com/files/requirements.txt downloads dependencies from an external URL with no version pinning, hash verification, or integrity checks. The remote file can be modified at any time.
SKILL.md:30 Use only PyPI-hosted packages with pinned versions and hash verification.
高危 文档欺骗
Undeclared credential transmission
SKILL.md describes this as a 'diagnostics and setup' skill but never discloses that user API keys are transmitted to vnstocks.com. The documentation only mentions 'API key' in the install command context.
SKILL.md:1 All credential transmissions must be explicitly documented with clear warnings.
高危 敏感访问
Filesystem overwrite without proper confirmation
setup_agent_guide.py overwrites AGENTS.md, CLAUDE.md, entire docs/ directory, and copies/deletes skills directories. Git config is modified with hardcoded email '[email protected]'.
scripts/setup_agent_guide.py:67 Document all filesystem modifications. Require explicit user consent for overwriting user files.
中危 权限提升
Attempts to install git with elevated privileges
check_and_install_git() attempts 'sudo apt-get install -y git' on Linux and downloads/runs an installer executable on Windows.
scripts/setup_agent_guide.py:30 Document elevated permission requirements. Prefer user-managed installations over automated sudo.
声明能力 vs 实际能力
命令执行 阻止
声明 NONE
→ 推断 WRITE
SKILL.md:32 curl|bash pattern 网络访问 阻止
声明 NONE
→ 推断 WRITE
SKILL.md:32 POSTs API key to vnstocks.com 文件系统 阻止
声明 NONE
→ 推断 WRITE
setup_agent_guide.py:67-91 shutil.copytree/rmtree 环境变量 阻止
声明 NONE
→ 推断 READ
diagnostics.py:16 checks VIRTUAL_ENV, CONDA_PREFIX 可疑产物与外联
严重 危险命令
wget -qO- https://vnstocks.com/files/vnstock-cli-installer.run \| bash SKILL.md:32
严重 危险命令
curl -fsSL https://vnstocks.com/files/vnstock-cli-installer.run \| bash SKILL.md:32
严重 危险命令
wget -qO- https://vnstocks.com/files/vnstock-cli-installer.run | bash SKILL.md:129
严重 危险命令
curl -fsSL https://vnstocks.com/files/vnstock-cli-installer.run | bash SKILL.md:132
中危 外部 URL
https://vnstocks.com/files/requirements.txt SKILL.md:30
中危 外部 URL
https://vnstocks.com/files/vnstock-cli-installer.run SKILL.md:32
中危 外部 URL
https://vnstocks.com/files/requirements.txt; SKILL.md:32
中危 外部 URL
https://vnstocks.com/api/simple SKILL.md:32
依赖与供应链
| 包名 | 版本 | 来源 | 漏洞 | 备注 |
|---|---|---|---|---|
| vnstocks.com/files/requirements.txt | * | external URL | 是 | No version pinning, no hash verification, fetched from external server |
| vnstock-cli-installer.run | unknown | external URL | 是 | Remote script piped to bash - can be modified at any time to inject malicious code |
文件构成
3 个文件 · 324 行
Python 2 个文件 · 173 行Markdown 1 个文件 · 151 行
需关注文件 · 2
SKILL.md API keys sent to external server vnstocks.com · curl|bash remote code execution pattern · Unverified external requirements.txt · Undeclared credential transmission · wget -qO- https://vnstocks.com/files/vnstock-cli-installer.run \| bash · curl -fsSL https://vnstocks.com/files/vnstock-cli-installer.run \| bash · wget -qO- https://vnstocks.com/files/vnstock-cli-installer.run | bash · curl -fsSL https://vnstocks.com/files/vnstock-cli-installer.run | bash · https://vnstocks.com/files/requirements.txt · https://vnstocks.com/files/vnstock-cli-installer.run · https://vnstocks.com/files/requirements.txt; · https://vnstocks.com/api/simple
scripts/setup_agent_guide.py Filesystem overwrite without proper confirmation · Attempts to install git with elevated privileges · [email protected]
其他文件 · diagnostics.py
安全亮点
Uses virtual environment as documented best practice
Provides diagnostic checks before making changes
Checks for git backup before installation
Asks user permission before overwriting docs/ directory