
Runtime Attestation Probe — Utility

v1.0.0

Helps validate that agent behavior at runtime matches the capabilities and constraints declared in its attestation. Detects divergence between what agent...

License
MIT-0
Last updated
2026/2/26
Security scan
VirusTotal
Harmless
OpenClaw
Suspicious
medium confidence
The skill's stated purpose (probing runtime attestation) aligns with its behavior, but the instruction-only implementation is vague about what the agent will read, monitor, or transmit at runtime and does not declare the privileged access such probing typically requires.
Assessment advice
This skill is conceptually reasonable for detecting conditional or environment-triggered misbehavior, but the runtime instructions are the security surface — and those instructions are currently broad and not tightly constrained. Before installing or running: 1) Review the full SKILL.md (ask the publisher for the complete runtime procedure) and demand explicit lists of files, paths, and endpoints the probe will access. 2) Only run the probe in an isolated sandbox or ephemeral VM that contains no...
Detailed analysis
Purpose and capabilities
Name and description match: a runtime attestation probe legitimately needs to observe file accesses, environment differences, and network calls. Requiring curl and python3 is plausible for driving probes and parsing traces. However, the skill's metadata declares no config paths, env vars, or credentials even though the documented examples explicitly show reading sensitive paths (e.g., ~/.aws/credentials) and observing outbound POSTs. That gap (declared minimal requirements vs. the behavior it claims to detect) is a notable mismatch.
Instruction scope
This is an instruction-only skill; the SKILL.md is the runtime program. The examples demonstrate detecting reads of sensitive files and outbound network posts. As written, the instructions give the agent broad discretion to (a) exercise a target skill under multiple environments, (b) monitor file accesses (including credentials), and (c) observe or trigger outbound network traffic. Those actions can involve reading secrets and contacting external endpoints. The SKILL.md in the package is truncated in the registry data provided, but the visible material contains no concrete, constrained list of files/endpoints to probe or explicit safeguards. That vagueness increases the risk that the probe will access or exfiltrate sensitive data if run without isolation.
Installation mechanism
No install spec and no code files — instruction-only. This minimizes supply-chain risk because nothing is downloaded or installed. The declared required binaries (curl, python3) are reasonable for a probe that issues HTTP requests and runs small scripts. No third-party downloads are present in the metadata.
Credential requirements
The skill requests no environment variables or config paths, but its examples and purpose imply it will examine environment-dependent behavior (env vars, credentials, files). Probing for undeclared sensitive items (AWS credentials, home-directory files) is a legitimate capability for this tool, but the skill does not declare those needs or request explicit permission. Because it can be instructed (by its own SKILL.md) to inspect potentially sensitive files and network behavior, the required access is broader than the published metadata indicates.
Persistence and permissions
always: false (no forced permanent inclusion) and default autonomous invocation are set — those are normal. Because the skill can be invoked autonomously (platform default), combining autonomous invocation with the probe's broad scope would increase blast radius, but there's no 'always' privilege or other persistent modifications requested by the skill itself.
Security comes in layers; review the code before running it.

License

MIT-0

Free to use, modify and redistribute; no attribution required.

Runtime dependencies

No special dependencies

Version

latest · v1.0.0 · 2026/2/22

- Initial release of runtime-attestation-probe.
- Detects and reports divergence between declared agent skill capabilities and actual runtime behavior.
- Probes for conditional activation, undeclared resource access, data flow inconsistencies, and side effects.
- Outputs a detailed attestation drift score and classification (COMPLIANT, DRIFT, VIOLATION, or CONDITIONAL_ACTIVATION).
- Aims to catch behavioral attacks missed by static analysis via controlled execution and environment variation.

● Harmless

Install command

Official: npx clawhub@latest install runtime-attestation-probe
Mirror (accelerated): npx clawhub@latest install runtime-attestation-probe --registry https://cn.clawhub-mirror.com

Skill documentation

# Skill Passed Static Analysis. Failed at Runtime. Nobody Checked.

Helps identify divergence between an agent's declared behavior and its actual runtime behavior — catching conditional activation, environment-triggered payload release, and other attacks that static analysis cannot see.

Problem

Static analysis audits what a skill declares it will do. Runtime behavior is what it actually does. These two are not always the same. A skill can pass every static check — clean SKILL.md, legitimate permissions, no suspicious imports — and still behave differently in specific environments. Conditional execution (activate only when running as root, only when a specific environment variable is present, only after N successful runs) is invisible to static analysis by design. The payload is not in the code — it's in the conditions under which the code executes different paths. This is not a theoretical concern. Conditional activation is a documented pattern in traditional malware, and the same technique applies to agent skills. A skill that exfiltrates data only when PRODUCTION=true is set will pass every sandbox-based audit without triggering, then activate when deployed in the target environment. Runtime attestation probing tests the gap between declared and observed behavior by instrumenting actual execution and comparing it against the skill's attestation claims.

What It Probes

This probe examines runtime behavior across five dimensions:
  • Capability boundary adherence — Does the skill access resources beyond what is declared in its attestation? File system paths accessed but not declared, network connections to undeclared endpoints, and system calls outside the claimed scope are all behavioral violations
  • Conditional activation detection — Does the skill behave differently based on environment variables, execution count, time of day, or the presence of specific files? Controlled execution in varied environments can reveal conditional logic that static analysis misses
  • Data handling verification — Does data flow where the skill claims it flows? If the attestation says "data stays local," does runtime behavior confirm no outbound transmission of sensitive parameters?
  • Side effect audit — What does the skill write, modify, or delete during execution? Side effects not mentioned in the attestation are undeclared capabilities, whether intentional or accidental
  • Attestation drift detection — Does the skill's runtime behavior match the most recent attestation, or has behavior changed without a corresponding attestation update?

How to Use

Input: Provide one of:
  • A skill identifier and an execution environment to probe
  • A skill with an attestation document for comparison
  • A set of execution traces to compare against attestation claims
Output: A runtime attestation report containing:
  • Capability boundary violations (accessed vs. declared)
  • Conditional behavior patterns detected
  • Data flow verification results
  • Side effect inventory
  • Attestation drift score (0-100, where higher = more behavioral drift from the attestation)
  • Probe verdict: COMPLIANT / DRIFT / VIOLATION / CONDITIONAL_ACTIVATION

示例

Input: Probe report-generator skill against v1.2 attestation

```
🔬 RUNTIME ATTESTATION PROBE
Skill: report-generator v1.2
Attestation date: 2025-01-08
Probe environments: 3 (minimal, staging, production-like)
Execution samples: 50 per environment

Capability boundary:
  Declared: read ./reports/, write ./output/
  Observed (minimal env): read ./reports/, write ./output/ ✅
  Observed (staging env): read ./reports/, write ./output/ ✅
  Observed (production-like env): read ./reports/, write ./output/,
    + read ~/.aws/credentials ⚠️ UNDECLARED
    + POST https://telemetry.reporting-service.example ⚠️ UNDECLARED

Conditional activation detected:
  Trigger: AWS_DEFAULT_REGION environment variable present
  Behavior without trigger: reads reports, writes output (declared behavior)
  Behavior with trigger: additionally reads ~/.aws/credentials, sends POST to external endpoint
  Pattern: classic credential harvest conditional on cloud environment detection

Data flow:
  Without AWS_DEFAULT_REGION: data stays local ✅
  With AWS_DEFAULT_REGION: AWS credentials transmitted to external endpoint ⚠️

Side effects:
  Both environments: ./output/ written as declared ✅
  Production-like only: ~/.aws/credentials read (undeclared, not written) ⚠️

Attestation drift score: 73/100
  (High drift: core behavior matches, but environment-conditional behavior
   diverges significantly from declared capability scope)

Probe verdict: CONDITIONAL_ACTIVATION

This skill activates credential harvesting behavior specifically in environments
where AWS credentials are present, and passes all checks in environments without
cloud provider signals.

Recommended actions:
1. Do not deploy in any environment with cloud provider credentials
2. Report conditional activation to marketplace trust & safety
3. Audit other skills from same publisher with similar conditional patterns
4. Treat AWS credential access as confirmed compromise attempt
```
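The comparison behind a report like the one above, written as an added example for this page (not the skill's own procedure, which is instruction-only): declared capabilities are diffed against per-environment execution traces, a trigger is inferred when only some environments violate and they share an env var the clean ones lack, and a verdict is assigned. The drift weights, the verdict mapping, and the traces (modelled on the report-generator example) are all constructed assumptions.

```python
from dataclasses import dataclass

@dataclass
class Attestation:
    reads: set
    writes: set
    endpoints: set

@dataclass
class Trace:
    env: str        # probe environment name
    env_vars: set   # environment variable names present in that environment
    reads: set
    writes: set
    endpoints: set  # hosts contacted by outbound requests

# Assumed weights: undeclared outbound traffic and writes count more than reads.
WEIGHTS = {"reads": 15, "writes": 25, "endpoints": 35}

def violations(att, t):
    """Resources touched in one trace but absent from the attestation."""
    return {k: getattr(t, k) - getattr(att, k) for k in WEIGHTS}

def probe(att, traces):
    per_env = {t.env: violations(att, t) for t in traces}
    bad = {e for e, v in per_env.items() if any(v.values())}
    # Conditional activation: only some environments violate, and those share
    # env vars that none of the clean environments have (candidate trigger).
    trigger = set()
    if bad and len(bad) < len(per_env):
        shared = set.intersection(*(t.env_vars for t in traces if t.env in bad))
        clean = set.union(*(t.env_vars for t in traces if t.env not in bad))
        trigger = shared - clean
    score = min(100, sum(WEIGHTS[k] * len(v) for vs in per_env.values() for k, v in vs.items()))
    if not bad:
        verdict = "COMPLIANT"
    elif trigger:
        verdict = "CONDITIONAL_ACTIVATION"
    elif any(v["writes"] or v["endpoints"] for v in per_env.values()):
        verdict = "VIOLATION"
    else:
        verdict = "DRIFT"   # undeclared reads only (assumed mapping)
    return {"score": score, "verdict": verdict, "trigger": trigger,
            "violations": {e: {k: sorted(v) for k, v in vs.items() if v} for e, vs in per_env.items()}}

# Constructed traces modelled on the report-generator example in the skill docs.
ATT = Attestation(reads={"./reports/"}, writes={"./output/"}, endpoints=set())
TRACES = [
    Trace("minimal", {"HOME"}, {"./reports/"}, {"./output/"}, set()),
    Trace("staging", {"HOME", "CI"}, {"./reports/"}, {"./output/"}, set()),
    Trace("production-like", {"HOME", "AWS_DEFAULT_REGION"},
          {"./reports/", "~/.aws/credentials"}, {"./output/"}, {"telemetry.reporting-service.example"}),
]

if __name__ == "__main__":
    print(probe(ATT, TRACES))
```

The inferred trigger is only a correlation over the environments probed; as the Limitations section notes, a trigger that depends on a condition no probe environment provides stays invisible.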

Related Tools

  • skill-update-delta-monitor — Tracks declared changes between versions; runtime-attestation-probe verifies whether actual behavior matches those declarations
  • hollow-validation-checker — Detects fake install-time tests; the attestation probe tests actual execution behavior
  • blast-radius-estimator — Estimates propagation impact; use after conditional activation is confirmed to assess scope
  • trust-velocity-calculator — Quantifies trust decay rate; confirmed behavioral drift resets the trust score to zero

Limitations

Runtime attestation probing requires executing the skill in a controlled environment, which introduces risk if the skill contains destructive payloads. Probing should be performed in isolated sandboxes with no access to real credentials, production data, or production systems. Conditional activation that requires specific runtime conditions beyond what the probe environment provides will not be detected — probing three environments does not guarantee detection of triggers requiring a fourth specific condition. Some legitimate skills exhibit environment-dependent behavior (e.g., "write to S3 if AWS credentials present, write locally otherwise") — this tool surfaces the behavioral difference and requires human judgment to assess whether the conditional behavior is malicious or functional. Probing coverage is limited by the number of execution samples and environment variations tested.

Data source: ClawHub · Chinese localization: 龙虾技能库