OpenDao 老子智能体

Security checks across static analysis, malware telemetry, and agentic risk

Overview

This Laozi Q&A skill is mostly purpose-aligned, but it under-discloses external AI data flows, stores credentials in plaintext, exposes logs through the web UI, and performs broad setup-time environment changes.

Review before installing. Use a virtual environment, avoid entering sensitive prompts, assume OpenAI/Hugging Face modes may send questions and retrieved text to third parties, do not expose the Gradio UI on an untrusted network, protect or avoid the .env file, and disable or restrict log viewing if multiple users can access the app.

SkillSpector (22)

By NVIDIA

os.system() or os exec-family call

High
Category
Dangerous Code Execution
Content
    print(f"  $ {cmd}")
    print()

    ret = os.system(cmd)
    if ret != 0:
        fail("依赖安装失败,请检查网络连接")
        info("可以手动运行: " + cmd)
Confidence
91% confidence
Finding
ret = os.system(cmd)

Context-Inappropriate Capability

Medium
Confidence
96% confidence
Finding
The UI exposes the last 30 lines of the application log to any user of the Gradio interface. Those logs may contain user prompts, model responses, internal errors, filesystem paths, and potentially secrets or operational details, which are unrelated to a Tao Te Ching Q&A skill and increase information disclosure risk.

Context-Inappropriate Capability

Low
Confidence
80% confidence
Finding
The custom dotenv loader imports every key from a local .env file into process environment variables without allowlisting. While common in development, this broad configuration loading can unintentionally introduce sensitive settings into runtime scope and expand the blast radius if other code later exposes or misuses them.

Context-Inappropriate Capability

Medium
Confidence
94% confidence
Finding
The skill initializes OpenAI embeddings and a ChatOpenAI model using environment-driven configuration, which means user questions and retrieved content are transmitted to an external provider. That outbound data flow is security-relevant and is not reflected in the provided skill metadata, so users and operators may be unaware that their prompts and knowledge-base content leave the local environment.

Context-Inappropriate Capability

Medium
Confidence
90% confidence
Finding
This setup flow requests third-party credentials such as OPENAI_API_KEY and HF_TOKEN and later persists them locally, which is broader than a Tao Te Ching Q&A skill's declared end-user purpose. In context, this increases risk because the installer handles secrets directly and encourages users to provide them without clear storage or exposure warnings.

Description-Behavior Mismatch

Medium
Confidence
93% confidence
Finding
The manifest describes a philosophical Q&A skill, but this file performs environment provisioning and package installation with shell execution. That mismatch is security-relevant because it introduces privileged local system modifications and network package retrieval that users may not expect from the stated skill behavior.

Vague Triggers

Medium
Confidence
84% confidence
Finding
The trigger list is broad and based on common philosophical terms such as '老子', '道家', and '无为', with no exclusion conditions or confidence thresholds. This can cause unintended activation in unrelated conversations, leading the agent to assume an inappropriate persona or invoke retrieval/code-backed behavior when the user did not intend to use this skill.

Missing User Warnings

Medium
Confidence
92% confidence
Finding
The OpenAI-based mode requires an API key and sends user prompts and possibly retrieved knowledge-base content to an external model provider, but the markdown does not disclose this data flow. Users may unknowingly submit sensitive content under the assumption that processing is local, creating privacy and compliance risks.

Missing User Warnings

Medium
Confidence
89% confidence
Finding
The code logs the user message, generated answer, sources, and timing via log_query, but the UI does not clearly disclose that conversation content is being retained in logs. This creates a privacy risk because users may share sensitive questions, and those contents could later be exposed through files or the built-in log viewer.

Missing User Warnings

Medium
Confidence
92% confidence
Finding
User conversation content is sent to HuggingFaceHub for remote inference, but the interface does not present a visible disclosure or consent notice. This matters because prompts and retrieved context may contain personal or sensitive information, and sending them to a third-party service changes the data exposure model.

Missing User Warnings

Medium
Confidence
88% confidence
Finding
The troubleshooting guide instructs users to run `rm -rf laozi_knowledge_base/` without any warning that this irreversibly deletes local data. In an operational setting, users may execute it blindly and lose indexed content or custom data, causing avoidable service disruption and data loss.

Missing User Warnings

Medium
Confidence
85% confidence
Finding
The document tells users to identify a process and run `kill <PID>` without caution about terminating the wrong process. This can interrupt unrelated services or production workloads if the PID is misidentified, especially on shared hosts.

Missing User Warnings

Medium
Confidence
91% confidence
Finding
The guide recommends privileged `sudo` commands to create and enable swap without warning that this changes system-level memory and storage configuration. On constrained or managed systems, this can consume disk unexpectedly, violate admin policy, or destabilize the host if applied incorrectly.

Missing User Warnings

Low
Confidence
91% confidence
Finding
The README instructs users to configure an OpenAI API key and use a hosted model, but it does not disclose that prompts, retrieved text, and possibly conversation content will be transmitted to an external third-party service. This creates a transparency and privacy risk because users may unknowingly send sensitive queries or source material off-host.

Vague Triggers

Medium
Confidence
87% confidence
Finding
The activation list includes broad, common concepts such as “无为”, “道论”, and “德论”, which can appear in ordinary philosophical, literary, or cultural discussions unrelated to this skill. This can cause unintended invocation and route user content into the skill unexpectedly, increasing the chance of irrelevant responses or accidental data exposure to the skill’s downstream components.

Missing User Warnings

Medium
Confidence
94% confidence
Finding
The skill states that it uses a HuggingFace free inference API for the LLM but does not clearly disclose to users that prompts or retrieved content may be sent to an external service. This creates a real privacy and compliance risk because users may provide sensitive queries under the assumption that processing is fully local, while the skill actually transmits data off-device.

Missing User Warnings

Medium
Confidence
90% confidence
Finding
The manual instructs users to delete the entire local vector database with `rm -rf ./laozi_knowledge_base` before rebuild, but does not explicitly warn that this permanently removes locally stored indexed data. In a deployment or shared environment, a user may execute it without understanding the data-loss consequence, causing accidental destruction of persisted knowledge-base state.

Missing User Warnings

Medium
Confidence
92% confidence
Finding
The script embeds all loaded local documents using OpenAIEmbeddings, which transmits document text to an external service. Because the usage text and module docstring do not warn operators that local corpus contents will leave the local machine, users may unknowingly upload sensitive notes, annotations, or copyrighted material into a third-party API.

Missing User Warnings

Low
Confidence
84% confidence
Finding
The script depends on OpenAIEmbeddings, which typically requires API credentials and related environment configuration, but the setup instructions do not disclose that requirement. This can lead users to improvise insecure key handling or misconfigure secrets when trying to make the script work.

Missing User Warnings

Medium
Confidence
89% confidence
Finding
The logger persists user questions, source references, and detailed exception content to disk, which can capture sensitive user inputs, internal paths, stack traces, or secrets embedded in error messages. In a RAG-based conversational system handling free-form user queries, this increases privacy and data exposure risk if log files are accessed by other users, included in backups, or retained longer than expected.

Missing User Warnings

Medium
Confidence
92% confidence
Finding
The laozi_skill function sends the user's question into a RetrievalQA chain backed by ChatOpenAI/OpenAIEmbeddings without any warning at the point of use. In a RAG system, this can expose not only the user's prompt but also retrieved document fragments and conversation history to an external API, creating privacy and data-handling risk if the user assumes the skill is purely local.

Missing User Warnings

Medium
Confidence
96% confidence
Finding
The script writes API keys and tokens to a local .env file in plaintext without any explicit warning about sensitive local storage. This is dangerous because secrets may be exposed through weak filesystem permissions, backups, shell tooling, accidental commits, or other local processes reading the file.

Static analysis

No static analysis findings were reported for this release.

VirusTotal

VirusTotal findings are pending for this skill version.