安全决策报告
run402-test
Skill performs undeclared filesystem access to read stored API credentials from ~/.config/run402/ that is not mentioned in SKILL.md documentation.
最直接的威胁证据
为什么得出这个结论
1/4 个维度触发 阻止
声明与实际能力
发现 3 项声明之外的能力或越权行为。
复核
隐藏执行与外联
提取到 4 个一般风险产物,需要结合上下文判断。
通过
攻击链与高危发现
没有形成明确的恶意路径。
复核
依赖与供应链卫生
没有完整依赖信息,供应链判断需要保留弹性。
风险分是怎么被拉高的
Undeclared filesystem access +15
SKILL.md only shows curl examples but script reads ~/.config/run402/projects.json
Undeclared credential access +10
Reads service_key from local config without documentation
Network access not declared +10
Makes HTTP POST requests to api.run402.com not declared as capability
最关键的证据
中危 文档欺骗
Documentation mismatch - curl examples vs actual implementation
SKILL.md only shows curl commands for database operations but the actual sql2.mjs script reads local config files from ~/.config/run402/projects.json. This hidden file access is not documented.
sql2.mjs:10 Document that the script requires pre-existing credentials stored in ~/.config/run402/projects.json or provide setup instructions.
中危 敏感访问
Accesses sensitive application config directory
Script reads from ~/.config/run402/ directory which is a sensitive application configuration path containing service credentials.
sql2.mjs:8 If this is a legitimate database client, clarify that it reads locally stored credentials for authenticated API access.
低危 凭证窃取
Reads service_key credential from local file
The script extracts service_key from projects.json and uses it as Bearer token for API authorization. While this may be legitimate, credential access is undeclared.
sql2.mjs:12 Document whether the script exfiltrates credentials or only uses them for legitimate API calls.
声明能力 vs 实际能力
文件系统 阻止
声明 NONE
→ 推断 READ
sql2.mjs:10 reads readFileSync(join(CONFIG_DIR, "projects.json")) 网络访问 阻止
声明 NONE
→ 推断 WRITE
sql2.mjs:14 performs fetch() POST to api.run402.com 命令执行 通过
声明 NONE
→ 推断 NONE
No shell execution detected 环境变量 通过
声明 NONE
→ 推断 NONE
No environment variable access detected 技能调用 通过
声明 NONE
→ 推断 NONE
No cross-skill invocation detected 剪贴板 通过
声明 NONE
→ 推断 NONE
No clipboard access detected 浏览器 通过
声明 NONE
→ 推断 NONE
No browser access detected 数据库 阻止
声明 NONE
→ 推断 READ
sql2.mjs:12 reads service_key from projects.json 可疑产物与外联
中危 外部 URL
https://api.run402.com/v1/projects SKILL.md:13
中危 外部 URL
https://api.run402.com/admin/v1/projects/$PROJECT_ID/sql SKILL.md:24
中危 外部 URL
https://api.run402.com/rest/v1/todos?done=eq.false SKILL.md:33
中危 外部 URL
https://api.run402.com sql2.mjs:5
依赖与供应链
没有结构化依赖告警。
文件构成
2 个文件 · 58 行
Markdown 1 个文件 · 43 行JavaScript 1 个文件 · 15 行
需关注文件 · 2
SKILL.md https://api.run402.com/v1/projects · https://api.run402.com/admin/v1/projects/$PROJECT_ID/sql · https://api.run402.com/rest/v1/todos?done=eq.false
sql2.mjs Documentation mismatch - curl examples vs actual implementation · Accesses sensitive application config directory · Reads service_key credential from local file · https://api.run402.com
安全亮点
HTTP requests go to a legitimate domain (api.run402.com) not a suspicious IP
No base64 encoding or obfuscation detected
No reverse shell, C2, or data exfiltration patterns
No remote script execution (curl|bash, wget|sh)
No direct credential harvesting from environment variables
No access to ~/.ssh, ~/.aws, or system credential stores