安全决策报告
calendar_memo
Skill executes undeclared shell commands via child_process.exec and runs persistent background timers without proper documentation disclosure.
最直接的威胁证据
01
Skill loaded via SKILL.md documentation describing only local scheduling features 初始入口 · SKILL.md
02
onStart() triggers startReminderChecker() which creates persistent setInterval 权限提升 · SOUL.md
03
Every 60 seconds, checkReminders() builds command string with user-controlled title 代码执行 · reminder.js
为什么得出这个结论
2/4 个维度触发 阻止
声明与实际能力
发现 2 项声明之外的能力或越权行为。
通过
隐藏执行与外联
当前没有明显的高危外联或执行信号。
阻止
攻击链与高危发现
报告包含 4 步攻击链,另有 1 项高危或严重发现。
复核
依赖与供应链卫生
没有完整依赖信息,供应链判断需要保留弹性。
攻击链
01
Skill loaded via SKILL.md documentation describing only local scheduling features
初始入口 · SKILL.md:1
02
onStart() triggers startReminderChecker() which creates persistent setInterval
权限提升 · SOUL.md:44
03
Every 60 seconds, checkReminders() builds command string with user-controlled title
代码执行 · reminder.js:35
04
exec() executes 'openclaw message send' through system shell with potentially unsanitized input
最终危害 · reminder.js:18
风险分是怎么被拉高的
Undeclared shell execution +20
reminder.js uses child_process.exec() to run 'openclaw message send' but SKILL.md only mentions '飞书等通道' without explaining shell command execution mechanism
Hidden persistence mechanism +10
setInterval runs every 60 seconds indefinitely, creating a background daemon. SKILL.md does not mention periodic background activity.
Shell injection risk +10
User-controlled title field is interpolated into shell command string with only quote escaping. Other shell metacharacters not sanitized.
Doc-to-code mismatch +5
SKILL.md declares filesystem:READ but code uses filesystem:WRITE for MEMORY.md. Shell:WRITE usage not declared.
最关键的证据
高危 权限提升
Undeclared shell command execution
The skill uses child_process.exec() to execute 'openclaw message send' but SKILL.md only mentions '飞书等通道' (Feishu channels) without explaining the shell execution mechanism. Users cannot make informed decisions about allowing this skill.
reminder.js:18 Document shell:WRITE permission and explain that the skill executes external CLI commands for notifications.
中危 代码执行
Shell command injection risk in notification function
The sendPushNotification function builds a shell command by interpolating user-controlled event title into a command string. While only double quotes are escaped, other shell metacharacters could potentially be dangerous if the message format changes.
reminder.js:14 Use an array-based exec() API or proper argument escaping via a library like shell-quote instead of string interpolation.
中危 持久化
Hidden background daemon without disclosure
The skill starts a setInterval timer that runs checkReminders() every 60 seconds. This creates a persistent background process that continues running until skill is explicitly stopped. SKILL.md does not mention this behavior.
reminder.js:55 Document that the skill runs background checks and the interval frequency. Allow users to configure or disable reminder checking.
低危 文档欺骗
Minor doc-to-code mismatch on filesystem permissions
SKILL.md capability section mentions '读取和编辑MEMORY.md' (read and edit) but only declares filesystem:READ. The code writes to MEMORY.md using writeFileSync.
SOUL.md:13 Update SKILL.md to declare filesystem:WRITE permission.
声明能力 vs 实际能力
文件系统 通过
声明 READ
→ 推断 WRITE
reminder.js:3 - fs module available; SOUL.md:13 - fs.writeFileSync writes MEMORY.md 命令执行 阻止
声明 NONE
→ 推断 WRITE
reminder.js:4 - const { exec } = require('child_process'); reminder.js:18 - exec(cmd, callback) 网络访问 阻止
声明 NONE
→ 推断 WRITE
reminder.js:18 - exec runs 'openclaw message send --channel feishu' which sends network requests 环境变量 通过
声明 NONE
→ 推断 NONE
No direct environment variable access found 可疑产物与外联
没有提取到明显 IOC。
依赖与供应链
没有结构化依赖告警。
文件构成
4 个文件 · 363 行
Markdown 3 个文件 · 279 行JavaScript 1 个文件 · 84 行
需关注文件 · 2
SOUL.md Minor doc-to-code mismatch on filesystem permissions
reminder.js Undeclared shell command execution · Shell command injection risk in notification function · Hidden background daemon without disclosure
其他文件 · SKILL.md · MEMORY.md
安全亮点
No credential harvesting or sensitive data exfiltration detected
No base64 encoding, eval(), or obfuscation techniques found
No network requests to unknown external IPs
Data stays local in MEMORY.md without transmission
User input is processed through structured parsing rather than eval()