Security audit

Bailian Usage Proxy

Security checks across malware telemetry and agentic risk

Overview

This is a plausible usage-tracking proxy, but it exposes powerful user-management and reporting functions without clear access control.

Install only in a controlled environment. Do not expose the proxy or admin routes publicly until you add admin authentication, restrict network access, protect the upstream Bailian API key, rotate any keys printed during setup, and decide what usage metadata or model traffic the proxy is allowed to retain.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Privilege Escalation: Excessive Permissions, Sudo/Root Execution, Credential Access
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • MCP Tool Poisoning: Hidden Instructions, Unicode Deception, Parameter Description Injection
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
Findings (11)

Context-Inappropriate Capability

Severity: High
Confidence: 99%
Finding:
The administrative endpoints for creating users, listing users, retrieving user details, and viewing usage reports/health are exposed without any authentication or authorization checks. An unauthenticated attacker could create arbitrary accounts and API keys, enumerate users, and access organization-wide usage data, which is especially dangerous in a shared-account proxy because it directly undermines quota control, privacy, and cost governance.

Description-Behavior Mismatch

Severity: Medium
Confidence: 91%
Finding:
The data model stores per-user API keys directly in the User table, which expands the system from usage accounting into credential management. In a multi-user proxy context, handling shared-account attribution data alongside active API credentials increases the blast radius of any data exposure, logging mistake, serialization bug, or admin endpoint leak.

Description-Behavior Mismatch

Severity: Medium
Confidence: 98%
Finding:
UserResponse includes api_key and will serialize it back to clients, which is a direct secret exposure issue. For a usage-statistics proxy, returning credentials is unnecessary for the stated purpose and could let any caller with access to this response impersonate users or abuse the upstream LLM service.

Missing User Warnings

Severity: Medium
Confidence: 89%
Finding:
The README instructs operators to copy a sample environment file and place a live Alibaba Bailian (阿里百炼) API key into a local .env file, but it gives no warning about secret handling, file permissions, accidental commits, or safe storage. In a shared-account proxy context, that key likely has broad access to upstream model usage, so careless handling can expose all users' traffic and quotas.

Missing User Warnings

Severity: Medium
Confidence: 84%
Finding:
The deployment instructions tell operators to place the primary Bailian account key into a local .env file but provide no warning about secure storage, least-privilege handling, log exposure, or accidental commits. For a shared-account proxy, compromise of that upstream credential could allow unauthorized model usage, billing abuse, and loss of control over all proxied traffic.

Missing User Warnings

Severity: Medium
Confidence: 87%
Finding:
The skill describes transparent API proxying and per-user usage logging, but it does not warn users that requests, metadata, and potentially sensitive prompts may be observable by the proxy operator. In a workplace shared-account setting, this increases privacy and confidentiality risk because employees may assume they are only interacting with the upstream model provider, not an internal monitoring intermediary.

Missing User Warnings

Severity: Medium
Confidence: 93%
Finding:
The script prints the newly generated API key directly to stdout, which can expose credentials through terminal history, shell logging, CI/CD logs, remote session recording, or shared admin consoles. In a multi-user or enterprise environment, this can lead to unauthorized use of the proxy under another user's identity and bypass intended quota/accountability controls.

Missing User Warnings

Severity: High
Confidence: 97%
Finding:
The startup script auto-creates an administrator account on first run and prints the generated API key directly to stdout. This exposes a privileged credential to shell history, terminal logs, CI/CD logs, or shared admin consoles, which is especially dangerous for a service explicitly designed for multi-user quota management because the key likely grants broad access over user management and usage data.

Missing User Warnings

Severity: High
Confidence: 95%
Finding:
The fallback logic uses `pgrep -f "app.main" | head -1` and then forcefully kills the first matching process, which can misidentify unrelated processes whose command line happens to contain that pattern. In a shared environment, this can terminate the wrong service or another user's workload, causing denial of service and making the skill context more dangerous because it is designed for multi-user shared account operations.

Credential Access

Severity: High
Category: Privilege Escalation
Content:
cd skills/bailian-usage-proxy

# Configure environment variables
cp .env.example .env
# Edit .env and fill in your Alibaba Bailian API Key

# Start the service
Confidence: 82%
Finding: .env

Credential Access

Severity: High
Category: Privilege Escalation
Content:
# Configure environment variables
cp .env.example .env
# Edit .env and fill in your Alibaba Bailian API Key

# Start the service
./start.sh
Confidence: 82%
Finding: .env

VirusTotal

64/64 vendors flagged this skill as clean.