lock-me-in 安全扫描报告 — 可疑 | ClawSafe

40 /100

lock-me-in

Remote browser login and session persistence for headless servers via cloudflared tunnel

The skill is a legitimate browser-login tool but contains undeclared functionality: an undocumented environment variable (OPENCLAW_PROXY_URL) for proxy injection, an undeclared /eval endpoint allowing arbitrary JS execution in the browser page, and extensive stealth/anti-detection scripts that modify browser fingerprinting signals — none of which are mentioned in SKILL.md.

技能名称lock-me-in

分析耗时93.2s

引擎pi

⚠

谨慎使用

Document all undeclared capabilities (OPENCLAW_PROXY_URL, /eval endpoint, stealth evasion scripts) in SKILL.md. Consider removing or restricting the /eval endpoint, as it enables arbitrary JavaScript execution in the authenticated browser context accessible via the tunnel URL.

安全发现 5 项

严重性	安全发现	位置
中危	Undeclared stealth/anti-detection browser scripts 文档欺骗 50+ lines of stealth evasion code inject JavaScript to hide navigator.webdriver, spoof WebGL vendor/renderer, fake hardwareConcurrency (8), deviceMemory (8), platform (Win32), navigator.plugins, and more. These modify the browser's fingerprint on every page load and are not mentioned in SKILL.md. const STEALTH_SCRIPTS = [`Object.defineProperty(navigator, 'webdriver', { get: () => false })`... → Document the use of stealth evasion scripts in SKILL.md with a clear justification (e.g., required to log into sites with bot detection). Users should be informed that browser fingerprint is modified.	`scripts/browser-login.mjs:35`
中危	Undeclared /eval HTTP endpoint allows arbitrary JS execution in authenticated browser 代码执行 The HTTP server exposes a /eval endpoint that executes arbitrary JavaScript via page.evaluate() on the authenticated browser page. While the endpoint is within the HTTP server, it is not declared in SKILL.md, and its output is visible in the web UI. Anyone with the tunnel URL can send requests to /eval during the active session. `case '/eval': const script = url.searchParams.get('js'); try { const result = await page.evaluate(script); ... }` → Either remove the /eval endpoint, restrict it to known-safe operations, or clearly document it in SKILL.md as a feature for advanced users.	`scripts/browser-login.mjs:248`
中危	Undeclared OPENCLAW_PROXY_URL environment variable 文档欺骗 The script reads OPENCLAW_PROXY_URL from the environment, parses embedded credentials (username:password@host:port), and passes them as browser proxy authentication. This undocumented mechanism allows proxy injection with credentials, which is not mentioned in SKILL.md's configuration section. `OPENCLAW_PROXY_URL - HTTP proxy for browser traffic (optional)` → Document OPENCLAW_PROXY_URL in SKILL.md's Configuration section, or rename it to LOCK_ME_IN_PROXY_URL for consistency with the LOCK_ME_IN_* namespace.	`scripts/browser-login.mjs:18`
低危	Cloudflared binary spawned via shell subprocess 权限提升 The cloudflared tunnel binary is spawned as a child process via spawn(). While this is functionally necessary for the skill to work, the shell:WRITE capability is not declared in SKILL.md's allowed-tools section. const tunnel = spawn(CLOUDFLARED, ['tunnel', '--url', `http://localhost:${proxyPort}`], { stdio: ['ignore', 'pipe', 'pipe'] }); → Document subprocess usage for cloudflared tunneling in SKILL.md.	`scripts/browser-login.mjs:404`
低危	cloudflared installation command does not pin version 供应链 SKILL.md's installation command for cloudflared fetches the 'latest' release without a version pin: `curl -sL https://github.com/cloudflare/cloudflared/releases/latest/download/cloudflared-linux-amd64` `curl -sL https://github.com/cloudflare/cloudflared/releases/latest/download/cloudflared-linux-amd64` → Pin to a specific version tag to prevent unexpected updates: e.g., `curl -sL https://github.com/cloudflare/cloudflared/releases/download/2024.X.X/cloudflared-linux-amd64`	`SKILL.md:74`

资源类型	声明权限	推断权限	状态	证据
浏览器	`WRITE`	`WRITE`	✓ 一致	Playwright Chromium launch + page interaction throughout browser-login.mjs
网络访问	`NONE`	`WRITE`	✗ 越权	Cloudflared spawns external tunnel (line 404-405); proxy injection via OPENCLAW_…
文件系统	`READ+WRITE`	`READ+WRITE`	✓ 一致	Session storageState read/write (line 302, saveSession function)
命令执行	`NONE`	`WRITE`	✗ 越权	spawn() used for cloudflared binary (line 404) — shell:WRITE, not declared

1 高危 4 项发现

📡

高危 IP 地址硬编码 IP 地址

131.0.0.0

scripts/browser-login.mjs:262

🔗

中危外部 URL 外部 URL

https://linkedin.com/login

SKILL.md:26

🔗

中危外部 URL 外部 URL

https://mail.google.com

SKILL.md:28

🔗

中危外部 URL 外部 URL

https://linkedin.com/feed

SKILL.md:52

目录结构

2 文件 · 24.4 KB · 565 行

JavaScript 1f · 468L Markdown 1f · 97L

├─ ▾ 📁 scripts

│ └─ 📜 browser-login.mjs JavaScript 468L · 20.6 KB

└─ 📝 SKILL.md Markdown 97L · 3.9 KB

依赖分析 2 项

包名	版本	来源	已知漏洞	备注
`playwright-core`	`unknown (imported from /app/node_modules)`	npm	否	No package.json found; playwright-core is a transitive dep
`cloudflared`	`latest (unpinned)`	github releases	否	Installation command in SKILL.md fetches latest without version pin

安全亮点

✓ No credential harvesting or exfiltration — session data stays local

✓ No base64-encoded or obfuscated code found

✓ Auto-close timeout (15 min) limits exposure window

✓ Tunnel URLs are random and ephemeral (cloudflared managed)

✓ Session storage is scoped to a named directory, not globally accessible

✓ Proper cleanup on SIGINT/SIGTERM signals

✓ Cookie banners auto-accepted for UX, not for bypassing security