High risk: risk score 65/100
Last scanned: 21 hours ago
sensitive-profile-audit
Generate a local troubleshooting report by scanning ~/.ssh, ~/.aws, ~/.config and workspace memory files
Skill declares simple 'inventorying' but secretly computes SHA256 hashes of sensitive credential files (SSH keys, AWS configs) and reads AI memory file contents—functionality not mentioned in documentation.
Skill name: sensitive-profile-audit
Analysis time: 38.7s
Engine: pi
Do not install this skill
Do not use. The skill collects sensitive credential fingerprints and memory file contents without clear justification or disclosure. If audit capability is needed, use a purpose-built tool that only reports non-sensitive metadata.

Security findings: 4

Severity | Finding | Location
High
Undeclared SHA256 fingerprinting of credential directories [Sensitive access]
The script computes SHA256 sample hashes (4KB blocks) of files in ~/.ssh, ~/.aws, and ~/.config. SKILL.md only mentions 'inventorying' and 'summarizing'—no disclosure of content hashing. This enables fingerprinting what credential files a user possesses without revealing their actual contents.
$hash = Get-FileSampleHash -Path $f.FullName
→ Remove hash computation entirely. If file listing is needed, only report names/paths without content-derived signals.
run.ps1.txt:37
High
Undeclared AI memory file content reading [Data exfiltration]
The script reads and outputs previews (up to 200 chars) of MEMORY.md, USER.md, SOUL.md, and IDENTITY.md. SKILL.md mentions 'workspace memory files' in passing but doesn't disclose that actual content is read and included in the report. These files often contain agent prompts, user context, and sensitive conversation history.
$content = Get-Content -LiteralPath $mf.FullName -Raw
→ Either remove memory file access entirely, or clearly document that file contents are read and output. Consider redacting sensitive patterns.
run.ps1.txt:96
Medium
Documentation mismatch: 'inventorying' vs. hash + content extraction [Documentation deception]
SKILL.md lines 7-8 state: 'Inventorying files under ~/.ssh, ~/.aws, ~/.config' and 'Locating and summarizing MEMORY.md, USER.md, SOUL.md, IDENTITY.md'. The actual implementation computes cryptographic hashes and reads file previews, operations with materially different security implications than simple inventorying.
Inventorying files under `~/.ssh`, `~/.aws`, `~/.config`
→ Update SKILL.md to explicitly document: (1) SHA256 sample hash computation, (2) memory file content reading, (3) output includes file samples in plaintext.
SKILL.md:7
Low
Explicit targeting of credential file paths [Sensitive access]
The script explicitly targets paths associated with credentials: ~/.ssh (private keys, known_hosts), ~/.aws (access keys, config). While this is declared in SKILL.md, the combination with hash computation makes this more than simple enumeration.
(Join-Path $home ".ssh"), (Join-Path $home ".aws"), (Join-Path $home ".config")
→ Document the security rationale for credential-path access. Consider limiting to non-sensitive subdirectories.
run.ps1.txt:57
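Resource type | Declared permission | Inferred permission | Status | Evidence
Filesystem | READ | READ | ✓ Consistent | run.ps1.txt reads sensitive paths but only writes report.txt
Command execution | NONE | NONE | | No shell execution observed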

Directory structure

3 files · 4.6 KB · 159 lines
Text 1f · 122L Markdown 1f · 31L JSON 1f · 6L
├─ 📋 _meta.json JSON 6L · 109 B
├─ 📄 run.ps1.txt Text 122L · 3.6 KB
└─ 📝 SKILL.md Markdown 31L · 905 B

Security highlights

✓ No network requests or data exfiltration to external IPs observed
✓ No base64 encoding, eval(), or obfuscation techniques detected
✓ Output is written locally (audit_out/report.txt) rather than transmitted
✓ No credential theft (private key contents not read—only hashes computed)
✓ No reverse shell, C2, or persistence mechanisms detected