📄 Chinese Summary (translated)
Snyk's latest research reveals that of 3,984 ClawHub skills, 283 (about 7.1% of the total) carry serious security flaws. These flaws cause API keys, passwords and even credit card numbers to leak through the large language model (LLM) context window. Notably, these skills are not malware: they are functional and widely used tools, and the root cause is a design defect. The research identifies four categories of credential-leak patterns. One of them is the "verbatim output trap", in which a skill explicitly instructs the agent to save an API key to memory and then share an inbox URL that contains that key with the user. Such a design leaks sensitive information unintentionally during normal operation, which underlines the need for strict security review of data flow and information-sharing mechanisms in LLM skill development; conventional security tools such as VirusTotal struggle to detect this kind of design-based leak.
📄 English Summary
283 ClawHub Skills Are Leaking Your Secrets. VirusTotal Can't Fix This.
Snyk's recent research uncovers a significant security vulnerability within the ClawHub ecosystem, revealing that 283 out of 3,984 skills—approximately 7.1% of the total registry—are critically flawed. These flaws lead to the exposure of sensitive data, including API keys, passwords, and even credit card numbers, directly through the Large Language Model (LLM) context window. Crucially, these are not malicious programs but rather functional and popular skills operating precisely as intended, indicating the problem stems from their inherent design. The study categorizes four distinct types of credential leaks. One prominent example is the 'verbatim output trap,' where skills, such as 'moltyverse-email,' explicitly instruct the agent to store an API key in memory and subsequently share inbox URLs containing this key with the user. This design flaw facilitates the inadvertent leakage of confidential information during normal operation. The findings underscore the urgent need for rigorous security audits of data flow and information sharing mechanisms in LLM skill development, as conventional security tools like VirusTotal are ineffective against these design-based vulnerabilities.
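The verbatim-output trap above leaks the key because the agent repeats a credential-bearing URL to the user as-is. One defensive control is an output filter that strips credentials from URLs before the agent's reply leaves the context window. The following is an added example, not code from Snyk or from ClawHub; the parameter names, the hostnames and the sample agent reply are constructed for illustration.

```python
import re
from urllib.parse import urlsplit, urlunsplit, parse_qsl, urlencode

# Query-parameter names that commonly carry credentials (constructed list, extend per deployment).
SENSITIVE_PARAMS = {"api_key", "apikey", "key", "token", "access_token", "auth", "secret", "password"}

URL_RE = re.compile(r"https?://[^\s<>\"']+")

# Constructed sample of what an agent running the flawed skill might emit to the user.
SAMPLE_OUTPUT = (
    "Your inbox is ready: https://mail.example.test/inbox?user=alice&api_key=sk_live_abc123 "
    "and the web client is at https://alice:hunter2@mail.example.test/ ."
)


def redact_url(url: str) -> tuple[str, int]:
    """Return the URL with credential-bearing parts replaced, plus the number of redactions."""
    parts = urlsplit(url)
    cleaned, count = [], 0
    for name, value in parse_qsl(parts.query, keep_blank_values=True):
        if name.lower() in SENSITIVE_PARAMS and value:
            cleaned.append((name, "[REDACTED]"))
            count += 1
        else:
            cleaned.append((name, value))
    # Drop embedded userinfo (https://user:secret@host/), another common leak vector.
    netloc = parts.netloc
    if "@" in netloc:
        netloc = netloc.rsplit("@", 1)[1]
        count += 1
    if count == 0:
        return url, 0
    query = urlencode(cleaned, safe="[]")  # keep the placeholder human-readable
    return urlunsplit((parts.scheme, netloc, parts.path, query, parts.fragment)), count


def sanitize_agent_output(text: str) -> tuple[str, int]:
    """Redact every URL in an agent reply; returns the cleaned text and total redaction count."""
    total = 0

    def repl(match: re.Match) -> str:
        nonlocal total
        new_url, n = redact_url(match.group(0))
        total += n
        return new_url

    return URL_RE.sub(repl, text), total


if __name__ == "__main__":
    cleaned_text, redactions = sanitize_agent_output(SAMPLE_OUTPUT)
    print(f"{redactions} redaction(s): {cleaned_text}")
```

The filter only addresses URL-borne credentials; a skill that asks the agent to print the raw key needs a separate secret-pattern scan on the reply.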