安全决策报告
lock-me-in
The skill is a legitimate browser-login tool but contains undeclared functionality: an undocumented environment variable (OPENCLAW_PROXY_URL) for proxy injection, an undeclared /eval endpoint allowing arbitrary JS execution in the browser page, and extensive stealth/anti-detection scripts that modify browser fingerprinting signals — none of which are mentioned in SKILL.md.
最直接的威胁证据
为什么得出这个结论
2/4 个维度触发 阻止
声明与实际能力
发现 2 项声明之外的能力或越权行为。
阻止
隐藏执行与外联
提取到 1 个高危 IOC 或外联信号。
通过
攻击链与高危发现
没有形成明确的恶意路径。
复核
依赖与供应链卫生
发现 1 项需要关注的依赖或供应链线索。
风险分是怎么被拉高的
Undeclared stealth/anti-detection scripts +15
50+ lines of browser fingerprint spoofing (webdriver hide, WebGL spoof, hardwareConcurrency spoof, etc.) injected on every page — not declared in SKILL.md
Undeclared /eval endpoint +10
HTTP endpoint /eval executes arbitrary JavaScript in the authenticated browser page; not documented in SKILL.md; accessible to anyone with the tunnel URL
Undeclared OPENCLAW_PROXY_URL environment variable +8
Supports proxy injection with embedded credentials via undocumented env var; proxy username/password parsed and passed to browser launch — not in SKILL.md
Tunnel URL accessible without authentication +7
No authentication on the tunnel; SKILL.md mentions 'No authentication on the tunnel by default' but the 15-min auto-close is the only protection
最关键的证据
中危 文档欺骗
Undeclared stealth/anti-detection browser scripts
50+ lines of stealth evasion code inject JavaScript to hide navigator.webdriver, spoof WebGL vendor/renderer, fake hardwareConcurrency (8), deviceMemory (8), platform (Win32), navigator.plugins, and more. These modify the browser's fingerprint on every page load and are not mentioned in SKILL.md.
scripts/browser-login.mjs:35 Document the use of stealth evasion scripts in SKILL.md with a clear justification (e.g., required to log into sites with bot detection). Users should be informed that browser fingerprint is modified.
中危 代码执行
Undeclared /eval HTTP endpoint allows arbitrary JS execution in authenticated browser
The HTTP server exposes a /eval endpoint that executes arbitrary JavaScript via page.evaluate() on the authenticated browser page. While the endpoint is within the HTTP server, it is not declared in SKILL.md, and its output is visible in the web UI. Anyone with the tunnel URL can send requests to /eval during the active session.
scripts/browser-login.mjs:248 Either remove the /eval endpoint, restrict it to known-safe operations, or clearly document it in SKILL.md as a feature for advanced users.
中危 文档欺骗
Undeclared OPENCLAW_PROXY_URL environment variable
The script reads OPENCLAW_PROXY_URL from the environment, parses embedded credentials (username:password@host:port), and passes them as browser proxy authentication. This undocumented mechanism allows proxy injection with credentials, which is not mentioned in SKILL.md's configuration section.
scripts/browser-login.mjs:18 Document OPENCLAW_PROXY_URL in SKILL.md's Configuration section, or rename it to LOCK_ME_IN_PROXY_URL for consistency with the LOCK_ME_IN_* namespace.
低危 权限提升
Cloudflared binary spawned via shell subprocess
The cloudflared tunnel binary is spawned as a child process via spawn(). While this is functionally necessary for the skill to work, the shell:WRITE capability is not declared in SKILL.md's allowed-tools section.
scripts/browser-login.mjs:404 Document subprocess usage for cloudflared tunneling in SKILL.md.
低危 供应链
cloudflared installation command does not pin version
SKILL.md's installation command for cloudflared fetches the 'latest' release without a version pin: `curl -sL https://github.com/cloudflare/cloudflared/releases/latest/download/cloudflared-linux-amd64`
SKILL.md:74 Pin to a specific version tag to prevent unexpected updates: e.g., `curl -sL https://github.com/cloudflare/cloudflared/releases/download/2024.X.X/cloudflared-linux-amd64`
声明能力 vs 实际能力
浏览器 通过
声明 WRITE
→ 推断 WRITE
Playwright Chromium launch + page interaction throughout browser-login.mjs 网络访问 阻止
声明 NONE
→ 推断 WRITE
Cloudflared spawns external tunnel (line 404-405); proxy injection via OPENCLAW_PROXY_URL (line 283-287); HTTP server binds 0.0.0.0 (line 413) 文件系统 通过
声明 READ+WRITE
→ 推断 READ+WRITE
Session storageState read/write (line 302, saveSession function) 命令执行 阻止
声明 NONE
→ 推断 WRITE
spawn() used for cloudflared binary (line 404) — shell:WRITE, not declared 可疑产物与外联
高危 IP 地址
131.0.0.0 scripts/browser-login.mjs:262
中危 外部 URL
https://linkedin.com/login SKILL.md:26
中危 外部 URL
https://mail.google.com SKILL.md:28
中危 外部 URL
https://linkedin.com/feed SKILL.md:52
依赖与供应链
| 包名 | 版本 | 来源 | 漏洞 | 备注 |
|---|---|---|---|---|
| playwright-core | unknown (imported from /app/node_modules) | npm | 否 | No package.json found; playwright-core is a transitive dep |
| cloudflared | latest (unpinned) | github releases | 否 | Installation command in SKILL.md fetches latest without version pin |
文件构成
2 个文件 · 565 行
JavaScript 1 个文件 · 468 行Markdown 1 个文件 · 97 行
需关注文件 · 2
scripts/browser-login.mjs Undeclared stealth/anti-detection browser scripts · Undeclared /eval HTTP endpoint allows arbitrary JS execution in authenticated browser · Undeclared OPENCLAW_PROXY_URL environment variable · Cloudflared binary spawned via shell subprocess · 131.0.0.0
SKILL.md cloudflared installation command does not pin version · https://linkedin.com/login · https://mail.google.com · https://linkedin.com/feed
安全亮点
No credential harvesting or exfiltration — session data stays local
No base64-encoded or obfuscated code found
Auto-close timeout (15 min) limits exposure window
Tunnel URLs are random and ephemeral (cloudflared managed)
Session storage is scoped to a named directory, not globally accessible
Proper cleanup on SIGINT/SIGTERM signals
Cookie banners auto-accepted for UX, not for bypassing security