Skill Trust Decision

auto-skill-hunter

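The skill declares that it needs only the filesystem permission, but the code actually performs git clone remote execution and spawnSync external process calls, a clear case of exceeding its declared permissions.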

Install decision first Source: ClawHub Scanned: Apr 19, 2026
Files 5
Artifacts 6
Violations 3
Findings 6
Most direct threat evidence

Why this conclusion was reached

1/4 dimensions flagged
Block
Declared vs actual capability

3 undeclared or violating capabilities were inferred.

Review
Hidden execution and egress

6 lower-risk artifacts were extracted and still need context.

Pass
Attack chain and severe findings

There is no explicit malicious chain in the report.

Pass
Dependencies and supply chain hygiene

Dependencies are present but no obvious high-risk issue stands out.

What drove the risk score up

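Undeclared shell execution permission +20

claw.json declares filesystem, but the code runs git clone and node --self-test

Undeclared external process invocation +15

spawnSync invokes ../../feishu-evolver-wrapper/report.js with no permission declaration

Network requests exceed the declared scope +10

claw.json declares only filesystem, but the code actually issues HTTP requests to fetch ClawHub data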

Most important evidence

Medium Priv Escalation

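Permission declaration severely mismatches actual capabilities

claw.json declares only the filesystem permission, but the code performs several kinds of high-risk operations, including git clone remote code execution, node process tests, and external script invocation.

claw.json:5
Update claw.json to declare the full permission set: filesystem, shell, network, skill_invoke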
Medium Priv Escalation

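Undeclared Git remote clone execution

The installSkill function uses execSync to run git clone, and can clone and execute code from an arbitrary repoUrl. The repoUrl comes from an external API response.

src/hunt.js:401
1. Add allowlist validation for repoUrl; 2. Enforce a scan of script contents after cloning; 3. Use restricted git clone parameters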
Medium Supply Chain

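External report script invocation is undeclared

The sendHunterReport function invokes the external script ../../feishu-evolver-wrapper/report.js; this path is not declared anywhere in claw.json.

src/hunt.js:760
1. Declare the skill_invoke permission; 2. Verify the external script's signature; 3. Add auditing of the script's origin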
Medium Doc Mismatch

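Documentation-behavior mismatch in the install strategy

SKILL.md describes using --dry-run for a safe preview, but when git clone fails the actual code falls back to scaffold mode and automatically creates files, writing directly into the skills directory without user confirmation.

src/hunt.js:410
Document the fallback behavior explicitly, or require user confirmation when falling back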
Low Sensitive Access

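Reads session files to access user messages

collectRecentUserMessages reads agents/main/sessions/*.jsonl, which may contain sensitive user conversation content.

src/hunt.js:128
State explicitly in SKILL.md that session history is read to analyze user needs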
Low Obfuscation

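Hard-coded external domain

All external requests are fixed to the clawhub.com domain, but the network dependency is not declared in the documentation.

src/hunt.js:16
Add a description of the network dependency to the documentation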

Declared capability vs actual capability

Filesystem Pass
Declared WRITE
Inferred WRITE
claw.json declares permissions: filesystem, src/hunt.js:364-384
Shell Block
Declared NONE
Inferred WRITE
git clone in src/hunt.js:401, node --self-test in src/hunt.js:343
Network Block
Declared NONE
Inferred READ
fetch clawhub.com API in src/hunt.js:220-234
Skill Invoke Block
Declared NONE
Inferred WRITE
spawnSync invokes external report.js in src/hunt.js:760

Suspicious artifacts and egress

Medium External URL
https://clawhub.com/api/v1/skills/trending?limit=30

src/hunt.js:16

Medium External URL
https://clawhub.com/api/v1/skills?sort=trending&limit=30

src/hunt.js:17

Medium External URL
https://clawhub.com/api/v1/skills?limit=30

src/hunt.js:18

Medium External URL
https://clawhub.com/api/v1/skills/search?q=

src/hunt.js:22

Medium External URL
https://clawhub.com/api/v1/skills?q=

src/hunt.js:23

Medium External URL
https://clawhub.ai/wanng-ide/memory-mesh-core

src/hunt.js:746

Dependencies and supply chain

Package · Version · Source · Known vuln · Notes
node · builtin · runtime · No · Uses Node.js built-in modules, no external dependencies

File composition

5 files · 1081 lines
JavaScript 1 files · 828 lines
Markdown 2 files · 224 lines
JSON 2 files · 29 lines
Files of concern · 2
src/hunt.js JavaScript · 828 lines
Undeclared Git remote clone execution · External report script invocation is undeclared · Documentation-behavior mismatch in the install strategy · Reads session files to access user messages · Hard-coded external domain · https://clawhub.com/api/v1/skills/trending?limit=30 · https://clawhub.com/api/v1/skills?sort=trending&limit=30 · https://clawhub.com/api/v1/skills?limit=30 · https://clawhub.com/api/v1/skills/search?q= · https://clawhub.com/api/v1/skills?q= · https://clawhub.ai/wanng-ide/memory-mesh-core
claw.json JSON · 12 lines
Permission declaration severely mismatches actual capabilities
Other files · README.md · SKILL.md · _meta.json

Security positives

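The --dry-run mode allows a safe preview without performing installation
The --max-install parameter limits the number of installs, preventing bulk contamination
The validateRunnableSkill self-check mechanism lowers the risk of installing invalid skills
"never overwrite existing skill folders" protects existing skills
Supports skipping already-installed skills to avoid duplicates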