安全决策报告
aicoin-monitor
SKILL.md explicitly claims 'strict isolation mode' with multiple 'never' statements (never read global config, never read env vars, never write to global paths), but the actual code violates every single one of these claims.
最直接的威胁证据
01
SKILL.md advertises 'strict isolation mode' with explicit 'never' claims about global config and env vars 初始入口 · SKILL.md
02
Code reads from /root/.openclaw-zero/config.yaml violating stated isolation 权限提升 · scripts/monitor.py
03
Code reads HTTP_PROXY/HTTPS_PROXY environment variables despite documentation saying 'never read env vars' 权限提升 · scripts/monitor.py
为什么得出这个结论
2/4 个维度触发 阻止
声明与实际能力
发现 2 项声明之外的能力或越权行为。
复核
隐藏执行与外联
提取到 8 个一般风险产物,需要结合上下文判断。
阻止
攻击链与高危发现
报告包含 4 步攻击链,另有 4 项高危或严重发现。
复核
依赖与供应链卫生
发现 2 项需要关注的依赖或供应链线索。
攻击链
01
SKILL.md advertises 'strict isolation mode' with explicit 'never' claims about global config and env vars
初始入口 · SKILL.md:1
02
Code reads from /root/.openclaw-zero/config.yaml violating stated isolation
权限提升 · scripts/monitor.py:24
03
Code reads HTTP_PROXY/HTTPS_PROXY environment variables despite documentation saying 'never read env vars'
权限提升 · scripts/monitor.py:57
04
Data written to /root/.openclaw-zero/workspace/memory/ violating documentation's 'never write to global paths' claim
最终危害 · scripts/monitor.py:252
风险分是怎么被拉高的
Doc-to-code mismatch on global config read +25
SKILL.md line '✅ 绝不读取 /root/.openclaw-zero/config.yaml' but monitor.py:24 reads exactly that path
Doc-to-code mismatch on env var read +20
SKILL.md '✅ 绝不读取 任何环境变量' but monitor.py:57-59 reads HTTP_PROXY/HTTPS_PROXY
Doc-to-code mismatch on global path write +20
SKILL.md '✅ 绝不写入 /root/.openclaw-zero/workspace/memory/' but monitor.py:252 writes there
Proxy loading from global config +10
load_proxy_from_config() at line 48 reads /root/.openclaw-zero/config.yaml
最关键的证据
高危 文档欺骗
SKILL.md claims strict isolation but reads global config file
The documentation explicitly states '✅ 绝不读取 /root/.openclaw-zero/config.yaml 或任何全局配置文件', yet the code at line 24 reads exactly that path.
scripts/monitor.py:24 Remove all code that reads from /root/.openclaw-zero/config.yaml or implement the isolation claimed in documentation.
高危 文档欺骗
SKILL.md claims no env var access but code reads proxy env vars
The documentation states '✅ 绝不读取 任何环境变量(包括 AICOIN_API_KEY、HTTP_PROXY 等)', yet the code reads HTTP_PROXY and HTTPS_PROXY at lines 57-59.
scripts/monitor.py:57 Remove environment variable reading for proxies or update documentation to declare this capability.
高危 文档欺骗
SKILL.md claims no global path write but code writes to /root/.openclaw-zero/
The documentation states '✅ 绝不写入 /root/.openclaw-zero/workspace/memory/ 或任何全局路径', yet the save_data() function writes data to exactly that path.
scripts/monitor.py:252 Change save path to skill-local data/ directory as documented, or update documentation to declare global path writing.
高危 敏感访问
Proxy configuration loaded from global config file
load_proxy_from_config() reads /root/.openclaw-zero/config.yaml to extract proxy settings including support for multiple proxy configurations with names and addresses.
scripts/monitor.py:48 Remove global config reading. Proxy configuration should come only from skill-local config.yaml.
中危 文档欺骗
SKILL.md describes features not present in monitor.py
SKILL.md advertises 30+ data modules (on-chain, ETF, derivatives, whales, etc.) but monitor.py only implements basic price fetching, large orders, signals, and news — a significant feature mismatch.
SKILL.md:1 Either implement the advertised features or remove them from documentation.
声明能力 vs 实际能力
文件系统 阻止
声明 READ
→ 推断 WRITE
monitor.py:252 - writes to /root/.openclaw-zero/workspace/memory/ 环境变量 阻止
声明 NONE
→ 推断 READ
monitor.py:57-59 - reads HTTP_PROXY, HTTPS_PROXY env vars 网络访问 通过
声明 READ
→ 推断 READ
Uses requests to api.aicoin.com 可疑产物与外联
中危 外部 URL
http://127.0.0.1:7890 SKILL.md:138
中危 外部 URL
https://www.aicoin.com SKILL.md:399
中危 外部 URL
https://docs.aicoin.com SKILL.md:400
中危 外部 URL
https://www.aicoin.com/zh-Hans/opendata SKILL.md:401
中危 外部 URL
https://api.aicoin.com/v1/market/ticker?symbol= scripts/monitor.py:107
中危 外部 URL
https://api.aicoin.com/v1/large/orders?symbol= scripts/monitor.py:218
中危 外部 URL
https://api.aicoin.com/v1/signals?symbol= scripts/monitor.py:236
中危 外部 URL
https://api.aicoin.com/v1/news/flash?symbol= scripts/monitor.py:254
依赖与供应链
| 包名 | 版本 | 来源 | 漏洞 | 备注 |
|---|---|---|---|---|
| requests | * | pip | 否 | No version pinned, no known vulnerabilities |
| pyyaml | * | pip | 否 | No version pinned |
文件构成
3 个文件 · 945 行
Python 1 个文件 · 446 行Markdown 1 个文件 · 414 行YAML 1 个文件 · 85 行
需关注文件 · 2
scripts/monitor.py SKILL.md claims strict isolation but reads global config file · SKILL.md claims no env var access but code reads proxy env vars · SKILL.md claims no global path write but code writes to /root/.openclaw-zero/ · Proxy configuration loaded from global config file · https://api.aicoin.com/v1/market/ticker?symbol= · https://api.aicoin.com/v1/large/orders?symbol= · https://api.aicoin.com/v1/signals?symbol= · https://api.aicoin.com/v1/news/flash?symbol=
SKILL.md SKILL.md describes features not present in monitor.py · http://127.0.0.1:7890 · https://www.aicoin.com · https://docs.aicoin.com · https://www.aicoin.com/zh-Hans/opendata
其他文件 · config.yaml
安全亮点
Uses requests library with User-Agent header for legitimate API calls
Implements timeout on network requests
No credential exfiltration or C2 communication observed
No base64-encoded payloads or obfuscation
No direct shell execution via subprocess