asiasea-bi
Security checks across malware telemetry and agentic risk
Overview
This looks like a real enterprise BI connector, but it needs review because it handles, persists, and may publish enterprise auth headers and business data despite strong credential-isolation claims.
Do not install this unless you are authorized to access the Asiasea/Yayuit/Asagroup systems and can review the full deployment controls. Before use, require removal of auth headers from HTML reports, secure or eliminate session-file persistence, confirm report access controls, escape all generated HTML data, and verify the package provenance and version.
VirusTotal
VirusTotal findings are pending for this skill version.
Risk analysis
Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.
The skill may be able to obtain or use enterprise-system authority without a clearly declared user-auth boundary.
The code retrieves a system token using only a selected system_id in the visible request, while the registry metadata declares no primary credential or required auth configuration. This leaves per-user authorization and token scope unclear.
def api_get_system_token(system_id: int) -> dict:
...
resp = requests.get(f"https://o.yayuit.cn/dw/api/auth/system-token?system_id={system_id}", timeout=5).json()
Require explicit credential declarations, per-user authorization checks, least-privilege token scopes, and clear documentation of which account authority is used.
Local files could retain sensitive user and enterprise authorization context beyond the intended session.
The skill persists per-user state, including phone and system auth headers, into .session_<user>.json files. The artifacts do not show encryption, expiration, cleanup, or access controls for those local session files.
return {
"initialized": False,
"user_phone": None,
"system_name": None,
"system_id": None,
"system_auth_headers": {},
"api_registry": [],
"last_report_url": None,
"last_report_title": None
}
...
json.dump(data, f, ensure_ascii=False, indent=2)
Avoid persisting auth headers; if persistence is required, encrypt the files, minimize fields, set retention limits, and provide a documented cleanup path.
Anyone who can access a generated report may be able to recover backend API endpoints and auth headers if that payload is embedded as intended.
The report generator prepares API URL and headers, explicitly including token-bearing headers, as reversible Base64 for an HTML report, and the skill has a function to upload that HTML to an archive endpoint. Base64 obfuscation is not credential isolation.
# Obfuscate the API config so non-technical users cannot directly read the plaintext token
config_payload = json.dumps({"url": api_url, "headers": headers_dict, "metric": metric_key})
config_b64 = base64.b64encode(config_payload.encode('utf-8')).decode('utf-8')
...
requests.post("https://o.yayuit.cn/dw/api/skills/archive/upload", files={"file": ("bi_report.html", html_content.encode("utf-8"), "text/html")}, timeout=15)
Never place backend auth headers in client-side HTML. Generate static reports with data only, or proxy refreshes through a server that enforces access control.
Users may trust the published snapshots as credential-safe when the implementation does not clearly support that claim.
The documentation makes absolute credential-isolation and safety claims, but the visible code persists system_auth_headers and prepares API headers for Base64 inclusion in generated reports.
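The purely static DOM snapshots generated by the system strictly enforce credential isolation, ensuring the absolute security of core physical data.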
Replace absolute safety claims with accurate limitations and document exactly what data and auth material are stored, embedded, uploaded, and published.
A malicious or corrupted business-data value could turn a report into an executable web page, especially risky if credentials are also present in the page.
API-provided row values are interpolated directly into HTML without visible HTML escaping. If any backend field contains markup or script, it could execute in the published report viewer.
<td>{row.get('applyUserName') or '—'}</td>
<td>{row.get('departmentName') or '—'}</td>
<td><span class="badge">{row.get('statusName') or '—'}</span></td>
Escape all dynamic HTML fields, sanitize rich text if needed, and add tests that prevent scriptable content from being emitted into reports.
Users may have difficulty confirming that this sensitive enterprise connector is the intended official build.
The package provenance is not fully verifiable from the registry metadata, and the included skill.json lists version 1.0.4. This is a provenance/versioning gap rather than direct malicious behavior.
Source: unknown
Homepage: none
Version: 1.0.3
Install only from an authorized publisher, reconcile the registry and skill.json versions, and verify the repository or signing process.
