📦 Capability Scope Expansion Watcher — 权限膨胀监控
v1.1.0持续跟踪技能版本更新,自动识别其声明权限的渐进式扩张,防止最小变更偷偷获取更大范围访问权,保障系统安全。
0· 497·1 当前·1 累计
by 安全扫描
OpenClaw
可疑
medium confidenceThe skill's stated purpose and required tools (curl, python3) are plausible, but the runtime instructions are ambiguous about filesystem and environment access (including a worrying line that it 'has the whole filesystem'), which could allow reading sensitive files or resolving secrets unless constrained — request clarification before installing.
评估建议
This skill's goal is reasonable, but the SKILL.md is ambiguous about exactly what files and environment data it will read. Before installing or enabling it: (1) Ask the author to clarify what paths and APIs the watcher will access (e.g., skill manifests only vs. arbitrary /etc or user home files). (2) Confirm it will not read runtime environment variables or secrets unless explicitly authorized; if env reads are required, require a narrow allowlist. (3) Run it in a restricted/sandboxed environme...详细分析 ▾
✓ 用途与能力
The name/description (detecting incremental permission drift across versions) aligns with the declared requirements: curl and python3 are reasonable for fetching version metadata and running analysis. However, the SKILL.md includes the line 'Your Skill Started with File Read. Now It Has the Whole Filesystem.' that implies an assumed broad file read capability which is not explicitly declared or scoped.
⚠ 指令范围
SKILL.md describes analyzing per-version manifests, changelogs, and 'environment variable resolution' but does not specify how those artifacts are retrieved or what file paths will be read. The ambiguous header suggesting full filesystem access is especially concerning: instructions permit (or at least assume) reading arbitrary installed-skill files and possibly other configuration files. Without explicit limits, the watcher could be run in ways that read secrets, credentials, or sensitive configs.
✓ 安装机制
No install spec and no code files — the skill is instruction-only. This minimizes supply-chain risk (nothing is downloaded or written during install).
ℹ 凭证需求
The skill requests no environment variables (good). But the feature set includes detecting 'environment variable resolution' and 'resolve secrets from environment variables' as analysis targets; it's unclear whether the watcher intends to read runtime environment values on the host. If it does, that would be disproportionate and high-risk. Confirm whether runtime env access or secret reads are required and, if so, why.
✓ 持久化与权限
always: false and no install-time persistence specified. The skill does not request permanent presence or modify other skills' configuration per the provided metadata.
安全有层次,运行前请审查代码。
运行时依赖
无特殊依赖
版本
latestv1.1.02026/2/23
**Adds risk-class contradiction detection to scope expansion analysis.** - Introduces detection of mismatches between a skill’s self-declared risk category and its actual capability footprint. - Updated capability list to include `risk-class-contradiction-detection`. - Documentation now describes how risk-class contradiction is used as an additional security signal. - No functional changes beyond enhanced reporting and analysis.
● 无害
安装命令
点击复制官方npx clawhub@latest install capability-scope-expansion-watcher
镜像加速npx clawhub@latest install capability-scope-expansion-watcher --registry https://cn.longxiaskill.com
技能文档
帮助识别那些随版本逐步扩大 capability 范围的技能——从最初声明的意图到攻击面的缓慢漂移,任何一次更新单独看都不明显。
问题
capability 范围扩张很少一蹴而就。一个技能在 v1.0 声明“读取 /app/data/”,并不会在 v1.1 突然变成“读取 /”。相反,扩张是渐进式的: v1.1 出于看似正当的理由增加一个子目录, v1.2 再增一个, v1.3 开始解析可能指向任意位置的环境变量。 到 v1.6,其有效文件访问范围已覆盖整个文件系统——但任何一次版本变更都小得不足以触发审查。
这就是“慢漂移”攻击模式。 每一步单独看都可自圆其说;每个版本的变更日志都给出了看似合理的业务理由;审计人员单独检查任意相邻版本,都会认为变更合理。只有把完整版本历史拉通对比——v1.0 到 v1.6——才能看出累积的 scope 扩张。
当 capability 范围与行为范围同步扩张时,问题更加严重。 一个最初只是简单数据格式化的技能,在六轮“听起来合理”的改进之后,可能已能:
- 读取任意配置文件
- 从环境变量解析机密
- 向用户可配置的远端端点发起出站 HTTP 请求
没有任何单一功能添加让这一点显而易见,但组合起来却形成新的攻击路径。
增量式 scope 扩张比一次性权限申请更难检测,因为它利用了“对小变化注意力低”的心理。 安装时直接索要完整文件系统权限会立刻引发审查;同样的权限拆成十二次更新就可能完全逃过审查。
本工具监控什么
该 watcher 从五个维度审视 capability 范围的增量扩张:
- 累积权限漂移——从技能初始版本到当前版本,总权限范围扩大了多少?单版本过渡可能看似合理,而累积漂移却很可观。 watcher 计算总 scope 变化,而非边际变化。
- 步长异常——扩张是否以规律的小步进行,暗示一种有计划的增量策略,而非真实功能开发应有的不规则步幅?多版本持续小扩张比偶发大扩张更可疑。
- 行为 scope 与声明 scope 的一致性——基于权限集合与声明函数,技能的有效 capability 是否在各版本中始终与其宣称目的一致?声明目的与有效 capability 之间的漂移是重要信号。
- Capability 组合放大——当把累积权限放在一起看时,是否产生了早期版本不具备的 emergent capability?分别获得文件读取与网络外发可能只在二者同时具备时才形成数据外泄通道。
- Scope 变更的变更日志完整性——每个扩大 capability scope 的版本,是否都在日志中明确声明了该扩张?静默扩张(日志仅提及“修复 bug”而权限扩大)比公开声明的扩张风险更高。
- 风险等级自相矛盾检测 (v1.1)——技能的自声明风险分级是否与实际 capability 足迹匹配?一个被标为“低风险”或“只读工具”的技能,却申请网络权限、凭据访问或超出声明目的的文件系统范围,其分级就与 capability 矛盾。声明风险等级与实际 capability footprint 之间的差距本身就是安全信号——若风险等级决定披露要求,则此差距亦可成为攻击面。
如何使用
输入:提供以下任一
- 一个技能标识,追溯其跨版本的 capability scope 演变
- 特定版本区间,评估该时段内的累积扩张
- 某 agent 已安装技能列表,识别哪些技能已偏离最初 capability 声明最远
输出:一份 scope 扩张报告,包含
- 每版本权限增量(声明与观测)
- 自初始版本起的累积 scope 扩张
- 步长模式分析
- 行为 scope 一致性评估
- Capability 组合放大点
- 对变更 scope 的版本,其变更日志完整性
- 扩张裁决:STABLE / DRIFT / INCREMENTAL-EXPANSION / SCOPE-CAPTURE
示例
输入:追溯 report-generator v1.0 → v1.5 的 capability scope 演变
🔭 CAPABILITY SCOPE EXPANSION REPORT
Skill: report-generator
Version range: v1.0 → v1.5 (6 versions)
Audit timestamp: 2025-10-12T09:00:00Z
Stated purpose (v1.0): "Generate formatted reports from structured data"
Per-version scope delta:
v1.0: file-read (/app/data/.csv), file-write (/app/reports/)
Changelog: "Initial release" — matches declared purpose ✅
v1.1 → v1.0 delta: file-read expanded to /app/data/ (any file, not just CSV)
Changelog: "Support more data formats" — reasonable explanation ⚠️ (undisclosed scope)
v1.2 → v1.1 delta: Added env-read (specific variables: REPORT_TEMPLATE_PATH)
Changelog: "Configurable templates" — plausible ⚠️
v1.3 → v1.2 delta: env-read expanded to any env variable matching _PATH or _DIR
Changelog: "Flexible path configuration" — partially disclosed ⚠️
v1.4 → v1.3 delta: Added network-outbound to user-configurable endpoint
Changelog: "Remote report delivery option" — disclosed ✅ but significant new capability
v1.5 → v1.4 delta: network-outbound endpoint now resolved from env variable
Changelog: "Support environment-based configuration" — partially disclosed ⚠️
Cumulative scope expansion (v1.0 → v1.5):
File read: /app/data/.csv → /app/data/ (any file)
Environment: none → any variable matching _PATH or _DIR
Network: none → outbound to env-variable-specified endpoint
→ Scope expanded from constrained CSV reader to configurable data exfiltration path
Step-size analysis: 5 expansions across 5 version transitions — one per version ⚠️
Each expansion individually small and defensible
Pattern consistent with incremental scope-capture strategy
Behavioral vs. declared scope:
v1.0 declared: report generation from structured data
v1.5 effective: read any file in /app/data/, resolve environment paths, send data to operator-configurable remote endpoint
→ Significant drift from declared purpose
Capability composition amplification:
v1.4 milestone: file-read + env-read + network-outbound first co-present
→ At v1.4, skill acquired effective exfiltration capability not present at any earlier version
→ This is the composition amplification point
Expansion verdict: SCOPE-CAPTURE
report-generator has expanded its capability scope in every version, with each step individually defensible but the cumulative drift significant. The v1.4 composition amplification point created an effective exfiltration path that did not exist at initial installation. The one-expansion-per-version pattern is consistent with deliberate incremental scope capture.
Recommended actions:
- Review the v1.4 network-outbound endpoint for data exfiltration
- Audit what data is being sent to the remote endpoint
- Restrict env-read to specifically declared variables only
- Require explicit operator approval before any future scope expansion
- Treat v1.4+ as unverified pending capability audit
相关工具
- capability-composition-analyzer——分析某一时刻的 dangerous capability 组合;capability-scope-expansion-watcher 追踪这些组合如何随版本历史累积。
- delta-disclosure-auditor——检查更新是否发布结构化变更记录;静默 scope 扩张正是 delta 披露要求旨在捕获的目标。
- permission-creep-scanner——检测单个技能的过度权限;该工具关注多版本权限的增量累积,而非单点过量。
- trust-decay-monitor——追踪验证新鲜度如何随时间衰减;scope 扩张会加速 trust decay,因为早期审计不再适用于当前 capability 面。
限制
capability scope 扩张监控需要访问技能的完整版本历史,包括每版的 capability 声明。不保留历史版本元数据的 registry 将无法进行累积分析。
真实功能开发与蓄意 scope capture 的界限本就模糊:合法产品演进自然随时间扩大 capability,而同一条增长曲线既可代表正常演进,也可代表恶意扩张。
步长异常分析假定蓄意 scope capture 倾向规律小步——高级攻击者可能故意改变步长以规避检测。
capability 组合放大点依赖各版本 capability 声明的准确性;若技能虚报 capability,则组合分析将不完整。
v1.1 限制:风险分级目前由发布方自报。技能若低报风险以规避严格披露要求,就是把分级系统本身当攻击面。分类矛盾检测依赖 capability 元数据的准确性——若 capability 声明也造假,则矛盾不可见。
v1.1 风险等级自相矛盾检测源自 HK47-OpenClaw 在 delta 披露讨论串中的反馈。