Security Decision Report

ai-beauty

The skill makes undisclosed outbound network requests to verify its token against a remote server before downloading an opaque binary, contradicting the Chinese documentation claim that all processing is local.

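Install decision first · Source: manual upload · Scan time: 2026/4/4
Files 2
IOCs 2
Overreach items 3
Findings 5
Most direct threat evidence
High · Documentation deception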
Contradictory claim of local-only processing

The Chinese documentation prominently states '全程本地处理您的照片,不上传到任何服务器' (all photo processing is done locally, not uploaded to any server). However, init.py sends the BITSOUL_TOKEN to info.aicodingyard.com/api/download_file to obtain a download URL on every initialization, and the downloaded binary is then executed with the token as a command-line argument. This is a direct doc-to-code mismatch.

SKILL.md:8

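Why this conclusion was reached

2 of 4 dimensions triggered
Block
Declared vs. actual capabilities

Found 3 capabilities or overreaching behaviors beyond what is declared.

Review
Hidden execution and outbound connections

Extracted 2 general-risk artifacts that need to be judged in context.

Block
Attack chain and high-severity findings

The report contains a 0-step attack chain, plus 2 high or critical findings.

Review
Dependency and supply-chain hygiene

Found 1 dependency or supply-chain lead that needs attention.

How the risk score was raised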

Doc-to-code mismatch on network behavior +20

SKILL.md Chinese section claims '全程本地处理您的照片,不上传到任何服务器' (all processing is local), yet init.py sends the BITSOUL_TOKEN to info.aicodingyard.com for verification before every binary download

Undeclared network access +15

Metadata declares only info.aicodingyard.com as network access, but the token is sent as a query parameter to /api/download_file with no HTTPS enforcement

Unverified binary download and execution +10

BitSoulBeauty.exe is downloaded from the remote server and then executed via shell, with no hash verification or signature check

Unpinned dependency +5

requests package has no version pin, allowing any version including vulnerable ones

No HTTPS enforcement +5

BASE_URL uses http:// not https://, exposing token in transit

Key evidence

High · Documentation deception

Contradictory claim of local-only processing

The Chinese documentation prominently states '全程本地处理您的照片,不上传到任何服务器' (all photo processing is done locally, not uploaded to any server). However, init.py sends the BITSOUL_TOKEN to info.aicodingyard.com/api/download_file to obtain a download URL on every initialization, and the downloaded binary is then executed with the token as a command-line argument. This is a direct doc-to-code mismatch.

SKILL.md:8
Remove the false local-processing claim or replace with an accurate description of the token verification and binary download flow
High · Data exfiltration

Token transmitted in plaintext HTTP GET request

The BITSOUL_TOKEN is sent as a URL query parameter ('token_key') over HTTP to info.aicodingyard.com. This exposes the user's credential in plaintext on the network, vulnerable to interception.

BitSoulFaceBeautySkill/init.py:14
Use HTTPS and ensure the server validates TLS certificates properly. Consider using POST with a request body instead of query parameters.
Medium · Supply chain

No integrity verification for downloaded binary

BitSoulBeauty.exe is downloaded from the remote server on every init (when missing) with no hash verification, signature check, or pinned version. The binary is then executed via shell with the token as an argument, giving it arbitrary code execution capability.

BitSoulFaceBeautySkill/init.py:43
Pin the binary's SHA256 hash in the source code and verify it after download. Document the binary's provenance.
Medium · Credential theft

Token passed as command-line argument

The BITSOUL_TOKEN is passed as a shell command-line argument to BitSoulBeauty.exe. Command-line arguments are visible in process listings (/proc/PID/cmdline) and shell history, increasing exposure risk.

SKILL.md:75
Pass the token via environment variable instead of command-line argument.
Low · Supply chain

Unpinned requests dependency

The 'requests' package has no version constraint in the documentation, allowing any version to be installed including those with known vulnerabilities.

SKILL.md:39
Pin to a specific version: pip install requests==2.31.0

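Declared vs. actual capabilities

Network access · Block
Declared: READ
Inferred: WRITE
init.py:14-19 — token sent as query param to remote API
Filesystem · Block
Declared: NONE
Inferred: WRITE
init.py:55 — writes downloaded BitSoulBeauty.exe to skill directory
Command execution · Block
Declared: NONE
Inferred: WRITE
SKILL.md:75 — executes BitSoulBeauty.exe binary with token as argument

Suspicious artifacts and outbound connections

Medium · External URL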
http://info.aicodingyard.com

BitSoulFaceBeautySkill/init.py:6

Medium · External URL
https://www.aicodingyard.com

SKILL.md:7

Dependencies and supply chain

Package · Version · Source · Vulnerabilities · Notes
requests * pip (undeclared in code) Version not pinned

File composition

2 files · 270 lines
Markdown 1 file · 159 lines
Python 1 file · 111 lines
Files needing attention · 2
SKILL.md Markdown · 159 lines
Contradictory claim of local-only processing · Token passed as command-line argument · Unpinned requests dependency · https://www.aicodingyard.com
BitSoulFaceBeautySkill/init.py Python · 111 lines
Token transmitted in plaintext HTTP GET request · No integrity verification for downloaded binary · http://info.aicodingyard.com

Security highlights

No obfuscated code or base64-encoded payloads found
No direct reverse shell or arbitrary code execution via Python
No access to sensitive filesystem paths like ~/.ssh or ~/.aws
No iteration over os.environ for credential harvesting
No embedded scripts from external URLs beyond the documented binary download
Skill is contained to a single init.py with readable, straightforward logic