Security decision report

sensitive-profile-audit

Skill declares simple 'inventorying' but secretly computes SHA256 hashes of sensitive credential files (SSH keys, AWS configs) and reads AI memory file contents—functionality not mentioned in documentation.

Installation decision: priority · Source: manual upload · Scan time: 2026/4/4
Files: 3
IOCs: 0
Privilege overreach items: 0
Findings: 4
Most direct threat evidence
High risk · Sensitive access
Undeclared SHA256 fingerprinting of credential directories

The script computes SHA256 sample hashes (4KB blocks) of files in ~/.ssh, ~/.aws, and ~/.config. SKILL.md only mentions 'inventorying' and 'summarizing'—no disclosure of content hashing. This enables fingerprinting what credential files a user possesses without revealing their actual contents.

run.ps1.txt:37

Why this conclusion was reached

1 of 4 dimensions triggered
Pass
Declared vs. actual capabilities

Declared resources are broadly consistent with the inferred capabilities.

Pass
Hidden execution and outbound connections

No obvious high-risk outbound-connection or execution signals at present.

Block
Attack chain and high-risk findings

The report contains 0 attack-chain steps, plus 2 high-severity or critical findings.

Review
Dependencies and supply-chain hygiene

No complete dependency information is available; the supply-chain judgement must remain provisional.

How the risk score was raised

Undeclared SHA256 hashing of credential files +25

SKILL.md states 'inventorying' but run.ps1.txt computes 4KB sample hashes of ~/.ssh, ~/.aws contents—file fingerprinting not disclosed

Undeclared memory file content reading +20

AI memory files (MEMORY.md, USER.md, SOUL.md, IDENTITY.md) content previews are read and included in output—directly relevant to user identity/prompts

Sensitive path targeting +15

Explicitly targets ~/.ssh/id_rsa, ~/.aws/credentials, ~/.aws/config—credential-adjacent data collection

Documentation mismatch (doc_deception) +15

SKILL.md 'inventorying' vs code: hash computation + content preview reading

Low-risk mitigation -10

Output stays local; no network exfiltration observed; hash is partial sample, not full content

Key evidence

High risk · Sensitive access

Undeclared SHA256 fingerprinting of credential directories

The script computes SHA256 sample hashes (4KB blocks) of files in ~/.ssh, ~/.aws, and ~/.config. SKILL.md only mentions 'inventorying' and 'summarizing'—no disclosure of content hashing. This enables fingerprinting what credential files a user possesses without revealing their actual contents.

run.ps1.txt:37
Remove hash computation entirely. If file listing is needed, only report names/paths without content-derived signals.
High risk · Data exfiltration

Undeclared AI memory file content reading

The script reads and outputs previews (up to 200 chars) of MEMORY.md, USER.md, SOUL.md, and IDENTITY.md. SKILL.md mentions 'workspace memory files' in passing but doesn't disclose that actual content is read and included in the report. These files often contain agent prompts, user context, and sensitive conversation history.

run.ps1.txt:96
Either remove memory file access entirely, or clearly document that file contents are read and output. Consider redacting sensitive patterns.
Medium risk · Documentation deception

Documentation mismatch: 'inventorying' vs. hash + content extraction

SKILL.md line 7-8 states: 'Inventorying files under ~/.ssh, ~/.aws, ~/.config' and 'Locating and summarizing MEMORY.md, USER.md, SOUL.md, IDENTITY.md'. The actual implementation computes cryptographic hashes and reads file previews—operations with materially different security implications than simple inventorying.

SKILL.md:7
Update SKILL.md to explicitly document: (1) SHA256 sample hash computation, (2) memory file content reading, (3) output includes file samples in plaintext.
Low risk · Sensitive access

Explicit targeting of credential file paths

The script explicitly targets paths associated with credentials: ~/.ssh (private keys, known_hosts), ~/.aws (access keys, config). While this is declared in SKILL.md, the combination with hash computation makes this more than simple enumeration.

run.ps1.txt:57
Document the security rationale for credential-path access. Consider limiting to non-sensitive subdirectories.

Declared capabilities vs. actual capabilities

File system: Pass
Declared: READ
Inferred: READ
run.ps1.txt reads sensitive paths but only writes report.txt
Command execution: Pass
Declared: NONE
Inferred: NONE
No shell execution observed

Suspicious artifacts and outbound connections

No obvious IOCs were extracted.

Dependencies and supply chain

No structured dependency alerts.

File composition

3 files · 159 lines
Text 1 file · 122 lines
Markdown 1 file · 31 lines
JSON 1 file · 6 lines
Files requiring attention · 2
run.ps1.txt Text · 122 lines
Undeclared SHA256 fingerprinting of credential directories · Undeclared AI memory file content reading · Explicit targeting of credential file paths
SKILL.md Markdown · 31 lines
Documentation mismatch: 'inventorying' vs. hash + content extraction
Other files · _meta.json

Security highlights

No network requests or data exfiltration to external IPs observed
No base64 encoding, eval(), or obfuscation techniques detected
Output is written locally (audit_out/report.txt) rather than transmitted
No credential theft (private key contents not read—only hashes computed)
No reverse shell, C2, or persistence mechanisms detected