📦 Morgana Mordred Security Sandbox — 安全沙箱训练
v2.0.0专为AI智能体打造的交互式安全实训沙箱,内置5套含注释漏洞与修复示例的脆弱系统,可安全演练渗透测试与防御加固,快速提升安全技能。
0· 81·0 当前·0 累计
by 安全扫描
OpenClaw
可疑
high confidenceNULL
评估建议
This skill appears to implement an offline security lab, but it contains several implementation choices that require caution:
- Do NOT run these scripts on a production host or in a privileged environment. The test runner and vulnerable systems execute shell commands, eval(), and arbitrary file reads/writes. Run only inside an isolated VM or Docker container with no access to sensitive mounts.
- Inspect and change SANDBOX_PATH in src/mordred_runner.py before running. It is hardcoded to /media/...详细分析 ▾
⚠ 用途与能力
Name/description claim an offline training sandbox and the included files implement that. However mordred_runner hardcodes SANDBOX_PATH to /media/ezekiel/... and will write logs and results to that absolute path instead of using the skill directory or a configurable path. That absolute path is unrelated to the skill metadata and suggests the code expects access to a specific user's filesystem — disproportionate to a shipping skill. The rest of the required capabilities (running tests, executing local Python files) are consistent with a sandbox, but the hardcoded paths and embedded 'SECRETS' constants (data_leak contains fake API keys/private_key/PII) are questionable for distribution.
⚠ 指令范围
SKILL.md instructs agents to run the provided Python test runner and vaccine scripts. The code invoked will execute arbitrary code: weak_sandbox exposes eval() and subprocess.run(shell=True), prompt_injection demonstrates injection strings, data_leak returns secrets defined in-code, and run_all tests execute each system via subprocess.run. Those behaviors are expected for a vulnerability lab, but the instructions give the agent permission to run those dangerous operations on whatever host it is invoked from — there's no explicit insistence in SKILL.md that this must be run only in an isolated container or VM (the failures section mentions Docker as a solution, but not as a hard requirement). Also the SKILL.md contains many prompt-injection example strings (e.g., 'ignore previous instructions', 'you are now') — these are present as examples and may trigger scanners; they are not runtime instructions to the evaluator but could be misused.
ℹ 安装机制
No install spec (instruction-only) — lower installation risk in general. However the skill includes 11 code files that the agent may execute directly. There are no downloads or external package installs in the manifest, which is good, but executing the included code still grants the code host privileges (file I/O, process execution).
⚠ 凭证需求
The skill declares no required env vars or credentials, which matches the manifest. Despite that, the runner writes to an absolute SANDBOX_PATH (/media/ezekiel/Morgana/...), creating/using directories outside the skill folder; this is disproportionate and unexpected. The code also contains hardcoded 'SECRETS' and 'SESSION_TOKEN' constants embedded in data_leak and flawed_auth — those are test data but could confuse users or be mistaken for real secrets. Several modules (weak_sandbox, race_condition) provide functions that can read/write arbitrary files and run shell commands; these require host-level filesystem and process access that goes beyond a simple read-only demo.
ℹ 持久化与权限
The skill is not always:true and does not declare persistent privileges. It does, however, modify and write to host filesystem locations (logs/results) when run. Some vaccine code (vaccine_weak_sandbox) temporarily replaces builtins.__dict__ and later restores it — that manipulation affects the running process and could have side effects if not restored correctly. There is no code that modifies other skills or agent configuration, but the absolute path writes and builtins replacement are privileged actions relative to a benign instruction-only skill.
⚠ src/systems/weak_sandbox.py:4
Dynamic code execution detected.
⚠ vaccines/vaccine_weak_sandbox.py:116
Dynamic code execution detected.
⚠ SKILL.md:179
Prompt-injection style instruction pattern detected.
⚠ skills/security-analysis.md:134
Prompt-injection style instruction pattern detected.
安全有层次,运行前请审查代码。
运行时依赖
无特殊依赖
版本
latestv2.0.02026/4/8
NULL
● 可疑
安装命令
点击复制官方npx clawhub@latest install morgana-mordred-security-sandbox
镜像加速npx clawhub@latest install morgana-mordred-security-sandbox --registry https://cn.longxiaskill.com