Closed
Deploying everyskill with

| Latest commit: | 0d6246f |
|---|---|
| Status: | ✅ Deploy successful! |
| Preview URL: | https://22b20a61.everyskill.pages.dev |
| Branch Preview URL: | https://skill-thoreau-1772685148746.everyskill.pages.dev |
Frontier Model Security Review

Final Verdict: FAIL

Claude Opus 4.6 Analysis

```json
{
  "verdict": "WARN",
  "issues": [
    "External HTTP calls to hardcoded IP address (167.99.56.36:7800) with embedded API key in plaintext",
    "Accesses local filesystem paths (/home/openclaw/.openclaw/workspace/media/inbound/, /home/openclaw/.openclaw/workspace/skills/thoreau/recent_posts.json) which could be leveraged for path traversal",
    "API key 'th0r34u-pr0xy-2026' is hardcoded in the skill instructions and passed as a query parameter, exposing it in logs and potentially to any observer",
    "Proxy endpoint at external IP handles Slack auth automatically, meaning Slack tokens/credentials are managed by an opaque third-party service outside organizational control",
    "The slack-file endpoint (http://167.99.56.36:7800/slack-file) can retrieve files from arbitrary channels given channel ID and thread timestamp, potentially enabling access to files the user shouldn't reach",
    "The image_url parameter passed to the /brand endpoint accepts both local file paths and arbitrary URLs, which could be abused for server-side request forgery (SSRF) against the proxy",
    "Instructions to automatically rewrite x.com URLs to api.fxtwitter.com and fetch them constitutes routine external network calls to a third-party service"
  ],
  "reasoning": "This skill is primarily a social media copywriting and screenshot branding tool for a specific organization (Every). It is not overtly malicious and contains no prompt injection or social engineering attacks. However, several security concerns exist: (1) A hardcoded API key is embedded directly in the skill text and passed as a query parameter in URLs, making it visible to anyone who can read the skill or intercept requests. (2) The skill makes HTTP requests to a hardcoded external IP address (167.99.56.36:7800) that acts as a proxy, which is opaque and outside standard organizational security controls. This proxy also handles Slack authentication automatically, meaning Slack credentials are managed by this external service. (3) The /brand endpoint accepts local file paths as input (image_url parameter starting with '/'), which combined with the /slack-file endpoint that retrieves files by channel/thread, could potentially be used for unauthorized file access or SSRF. (4) The skill reads from specific filesystem paths, which while scoped, could be leveraged if path traversal is possible. None of these rise to the level of FAIL since they appear to be intentional architectural choices for a legitimate workflow, but the exposed credentials, opaque external proxy, and broad file access patterns warrant careful review."
}
```

GPT-5.2 Analysis

```json
{
  "verdict": "FAIL",
  "issues": [
    {
      "category": "Dangerous tool usage / SSRF",
      "severity": "high",
      "evidence": "Hard-coded external proxy/branding server usage via web_fetch: `http://167.99.56.36:7800/brand?...` and `http://167.99.56.36:7800/slack-file?...` with user-controllable parameters like `image_url`, `channel`, `thread_ts`.",
      "impact": "Enables server-side request forgery style behavior (fetching arbitrary URLs via `image_url`), calls to an untrusted external host, and potential abuse to reach internal resources depending on proxy implementation."
    },
    {
      "category": "Sensitive data exposure / credential leakage",
      "severity": "high",
      "evidence": "Embedded static API key in prompt: `key=th0r34u-pr0xy-2026`.",
      "impact": "Key can be exfiltrated by any user who sees the prompt/skill text; can be reused outside the environment; facilitates unauthorized access to the proxy endpoints."
    },
    {
      "category": "Local file access guidance (potential exfiltration)",
      "severity": "high",
      "evidence": "Explicit instructions to read from local paths and pass local file paths to a remote service: `/home/openclaw/.openclaw/workspace/media/inbound/<FILENAME>` and references to listing/reading that directory; also mentions local content file `.../recent_posts.json`.",
      "impact": "Encourages transmitting local files (including potentially sensitive workspace contents) to an external host; expands the attack surface for data exfiltration."
    },
    {
      "category": "Overly permissive network behavior",
      "severity": "medium",
      "evidence": "Multiple instructions to `web_fetch` arbitrary third-party domains (Every, fxtwitter, Slack URLs) and to automatically rewrite X/Twitter links to `api.fxtwitter.com`.",
      "impact": "Creates broad outbound request capability; if combined with prompt injection, could be coerced into fetching attacker-controlled URLs or leaking fetched content."
    },
    {
      "category": "Prompt-injection resilience gaps",
      "severity": "medium",
      "evidence": "No explicit instruction to treat external content (tweets/articles/Slack data) as untrusted or to ignore instructions contained in fetched pages; the skill prioritizes automatic fetching and processing.",
      "impact": "Fetched content could contain malicious instructions that influence subsequent tool calls (e.g., instructing to fetch additional URLs, include secrets, or upload local paths)."
    },
    {
      "category": "Social engineering / manipulation potential",
      "severity": "low",
      "evidence": "The skill can draft replies/quote tweets and could be used to impersonate brand voice; no guardrails about disallowed persuasion, deception, or disclosure of private info from Slack.",
      "impact": "Could facilitate brand impersonation or inadvertent sharing of confidential Slack content if the proxy returns it."
    }
  ],
  "reasoning": "The skill embeds a reusable secret (`th0r34u-pr0xy-2026`) and instructs the agent to send local file paths and Slack-derived assets to a hard-coded external IP over HTTP. This combination presents clear data-exfiltration and SSRF-like risks, especially because `image_url` appears user-controlled and the proxy behavior is unspecified. The skill also lacks strong anti-prompt-injection guidance when ingesting untrusted remote content, and it enables broad outbound fetching. These issues are severe enough to fail a security audit unless the external proxy is fully trusted, authenticated per-user, uses TLS, strictly allowlists destinations, and the key is removed from the prompt and stored as a secure secret."
}
```

Frontier model review complete. Human approval still required.
New Skill Submission
Skill: thoreau
Submitted by: Anthony / Every Team
Reason: Social copywriter and screenshot brander for Every. Generates article promotion variants (safe/sharp/spicy) and applies Glass Light visual treatment to screenshots.
This PR was auto-generated from skills.every.to (agent-api).
AI security review will run automatically.