Security Decision Report

isnad-security-kit

The installer.js performs no actual installation—it merely simulates a 3-step setup with colored console output and delays, while SKILL.md and package.json falsely claim to install real security packages (@isnad-isn/guard, safe-memory-manager, safe-cron-runner). This is classic doc deception with no security value delivered.

Install decision first · Source: manual upload · Scan time: 2026/4/4
Files 3
IOC 3
Out-of-scope items 3
Findings 5
Most direct threat evidence
01
SKILL.md presents skill as a legitimate security baseline with professional branding and documentation
Initial entry · SKILL.md
02
package.json declares npm dependencies and postinstall hooks to appear functional
deception · package.json
03
installer.js runs on install and produces fake colored progress output but installs nothing, leaving the agent with zero security protection
Final impact · installer.js

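Why this conclusion was reached

2/4 dimensions triggered
Block
Declared vs. actual capabilities

Found 3 capabilities or out-of-scope behaviors beyond what was declared.

Review
Hidden execution and outbound connections

Extracted 3 general-risk artifacts that need to be judged in context.

Block
Attack chain and high-risk findings

The report contains a 4-step attack chain, plus 3 high-risk or critical findings.

Pass
Dependency and supply-chain hygiene

A dependency structure exists, but no obvious high-risk alerts have been seen so far.

Attack chain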

01
SKILL.md presents skill as a legitimate security baseline with professional branding and documentation

Initial entry · SKILL.md:1

02
package.json declares npm dependencies and postinstall hooks to appear functional

deception · package.json:16

03
installer.js runs on install and produces fake colored progress output but installs nothing, leaving the agent with zero security protection

Final impact · installer.js:7

04
User believes agent is 'ISNAD-Compliant' and protected from Memory Poisoning and Prompt Injection, creating false sense of security

Final impact · SKILL.md:24

How the risk score was raised

Doc-to-code mismatch +25

SKILL.md and package.json declare npm package installation and skill dependencies, but installer.js executes zero installs—only console.log with ANSI colors and setTimeout delays

Fabricated security posture +15

Claims to install 'ISNAD-Compliant' security baseline, Safe Memory Manager, Safe Cron Runner, and Intent Guard—none of which are actually installed

Social engineering via branding +5

Uses ANSI-colored terminal output mimicking legitimate installers to deceive users into believing security is active

Key evidence

High risk · Documentation deception

installer.js performs zero actual installation

The entire installer consists only of console.log statements with ANSI color codes and setTimeout delays (500ms, 1000ms, 1500ms, 2000ms). It produces no filesystem writes, runs no shell commands, makes no network requests, and installs no packages. Lines 7-28 are entirely cosmetic.

installer.js:7
Delete this skill. It provides zero security functionality despite claiming to install a complete security baseline.
High risk · Documentation deception

package.json declares npm dependency @isnad-isn/guard that is never installed

The package.json metadata.openclaw.requires.npm field lists '@isnad-isn/guard', and the postinstall hook references 'node installer.js'. However, installer.js contains no npm install, yarn add, or any package manager invocation. The dependency is declared but never fetched.

package.json:15
Verify all declared dependencies are actually installed by the installer script.
High risk · Documentation deception

SKILL.md lists specific external tools never installed

SKILL.md advertises three components: Safe Memory Manager, Safe Cron Runner, and ISNAD Guard SDK (@isnad-isn/guard npm package). None of these are installed or configured by the installer. The metadata also references skills 'safe-memory-manager' and 'safe-cron-runner' that do not exist in this package.

SKILL.md:1
Either implement the actual installation logic or remove all references to these tools from documentation.
Medium risk · Documentation deception

Fake progress simulation with ANSI colors mimics real installers

The installer uses ANSI escape codes (\x1b[36m, \x1b[32m) and step counters '[1/3]', '[2/3]', '[3/3]' to mimic a legitimate multi-step installation. This social engineering technique makes the fake installation appear authentic.

installer.js:9
Legitimate installers do not simulate installation steps with fake output.
Low risk · Sensitive access

No sensitive path access detected

installer.js uses only fs and path Node.js builtins but never reads or writes sensitive paths like ~/.ssh, ~/.aws, or .env.

installer.js:1
No action needed. This is not a finding—it's an observation.

Declared capabilities vs. actual capabilities

Filesystem · Block
Declared: WRITE
Inferred: NONE
installer.js:1-28 — No file writes occur despite declared filesystem:WRITE need
Network access · Block
Declared: READ
Inferred: NONE
installer.js:1-28 — No network requests despite declared npm install capability
Command execution · Block
Declared: WRITE
Inferred: NONE
installer.js:1-28 — No shell commands executed; installer.js only calls console.log() and setTimeout()

Suspicious artifacts and outbound connections

Medium risk · External URL
https://clawhub.ai/u/horn111/safe-memory-manager

SKILL.md:21

Medium risk · External URL
https://clawhub.ai/u/horn111/safe-cron-runner

SKILL.md:22

Medium risk · External URL
https://www.npmjs.com/package/@isnad-isn/guard

SKILL.md:23

Dependencies and supply chain

Package | Version | Source | Vulnerabilities | Notes
@isnad-isn/guard | latest | npm | | Listed in package.json but never actually installed by installer.js
safe-memory-manager | unknown | clawhub skill | | Referenced in metadata but not included in package; not installed
safe-cron-runner | unknown | clawhub skill | | Referenced in metadata but not included in package; not installed

File composition

3 files · 97 lines
Markdown 1 file · 45 lines
JavaScript 1 file · 28 lines
JSON 1 file · 24 lines
Files needing attention · 3
SKILL.md Markdown · 45 lines
SKILL.md lists specific external tools never installed · https://clawhub.ai/u/horn111/safe-memory-manager · https://clawhub.ai/u/horn111/safe-cron-runner · https://www.npmjs.com/package/@isnad-isn/guard
installer.js JavaScript · 28 lines
installer.js performs zero actual installation · Fake progress simulation with ANSI colors mimics real installers · No sensitive path access detected
package.json JSON · 24 lines
package.json declares npm dependency @isnad-isn/guard that is never installed

Security highlights

No credential theft or exfiltration detected
No shell command execution observed
No network requests made to external IPs
No base64 encoding or obfuscation detected
No malicious dependencies in package.json
No reverse shell or C2 communication
No supply chain attacks via typosquatting