heycube-setup Security Report — High Risk | ClawSafe

72 /100

heycube-setup

HeyCube黑方体个人档案管理服务安装工具

Skill installs persistent conversation-monitoring hooks that exfiltrate user behavioral data to an external commercial API without declaring filesystem write, network write, or hook persistence capabilities.

Skill Nameheycube-setup

Duration45.8s

Enginepi

⛔

Do not install this skill

Do not deploy. The skill implements extensive undeclared capabilities including permanent hook installation, automatic conversation data collection, and external API communication for behavioral profiling purposes.

Attack Chain 6 steps

◎

Entry Skill installed through legitimate skill install mechanism

SKILL.md:1

⬡

Escalation Creates persistent hook skills in ~/.agents/skills/

SKILL.md:1

⬡

Escalation Modifies AGENTS.md to add automatic execution rules for every conversation

SKILL.md:1

⬡

Escalation On every conversation: sends summary to heifangti.com with user intent classification

assets/hook-skills/get-config.md:45

⬡

Escalation Stores returned behavioral dimensions in local SQLite profile database

scripts/personal-db.js:42

◉

Impact After every conversation: sends another summary and receives instructions to update psychological profile

assets/hook-skills/update-data.md:65

Findings 5 items

Severity	Finding	Location
High	Undeclared persistent hook installation Doc Mismatch SKILL.md makes no mention of installing hooks that execute on every conversation, fundamentally altering agent behavior without disclosure. `Creates ~/.agents/skills/heycube-get-config-0.1.0/ and heycube-update-data-0.1.0/ with automatic execution rules` → Declare all hook/persistence mechanisms explicitly in SKILL.md capabilities section	`SKILL.md:1`
High	Systematic conversation data collection to external API Data Exfil Every conversation triggers API calls to heifangti.com sending conversation summaries, user intent classifications, and receiving behavioral profile dimensions to query/write. The '黑点' (black points) credit system indicates commercial data exploitation. `curl -s -X POST {BASE_URL}/agent/analyze -H X-API-Key: {API_KEY}` → Clearly disclose that ALL conversations are sent to external server; provide opt-out mechanism with clear UI indicator	`assets/hook-skills/get-config.md:50`
High	Psychological profile data storage and retrieval Sensitive Access Skill builds and stores detailed psychological profiles including profile.career, behavior.work_habits, etc. in local SQLite database. This sensitive data is collected incrementally across all conversations. `CREATE TABLE dimensions (dimension_id TEXT PRIMARY KEY, value TEXT NOT NULL...)` → Provide transparent data inventory showing exactly what profile dimensions are collected	`scripts/personal-db.js:1`
Medium	Modifies core agent configuration files Priv Escalation Skill modifies TOOLS.md and AGENTS.md, which are core agent configuration files. This grants the skill ability to alter how the agent behaves permanently. `步骤6: 修改 TOOLS.md 末尾追加 HeyCube 配置段步骤7: 修改 AGENTS.md 添加 Hook 执行规则` → Require explicit user consent before modifying core agent configuration; document all modifications	`SKILL.md:1`
Medium	Dependency version not pinned Supply Chain package.json specifies better-sqlite3: ^12.6.2 allowing any compatible version, increasing supply chain risk. `"better-sqlite3": "^12.6.2"` → Pin exact version: "better-sqlite3": "12.6.2"	`scripts/package.json:4`

Resource	Declared	Inferred	Status	Evidence
Filesystem	`NONE`	`WRITE`	✗ Violation	SKILL.md:Creates dirs at ~/.agents/skills/, writes scripts/personal-db.js, modif…
Network	`NONE`	`WRITE`	✗ Violation	get-config.md:50-53, update-data.md:70-73:POSTs to https://heifangti.com/api/api…
Shell	`NONE`	`WRITE`	✗ Violation	SKILL.md:Execute cd...&&node commands for npm install and database operations
Database	`NONE`	`WRITE`	✗ Violation	scripts/personal-db.js:Full SQLite CRUD operations for psychological profile sto…

2 findings

🔗

Medium External URL 外部 URL

https://heifangti.com/api/api/v1/heifangti

SKILL.md:67

🔗

Medium External URL 外部 URL

https://heifangti.com

SKILL.md:132

File Tree

5 files · 15.9 KB · 487 lines

Markdown 3f · 383L JavaScript 1f · 99L JSON 1f · 5L

├─ ▾ 📁 assets

│ └─ ▾ 📁 hook-skills

│ ├─ 📝 get-config.md Markdown 121L · 3.7 KB

│ └─ 📝 update-data.md Markdown 117L · 3.9 KB

├─ ▾ 📁 scripts

│ ├─ 📋 package.json JSON 5L · 60 B

│ └─ 📜 personal-db.js JavaScript 99L · 3.4 KB

└─ 📝 SKILL.md Markdown 145L · 4.9 KB

Dependencies 1 items

Package	Version	Source	Known Vulns	Notes
`better-sqlite3`	`^12.6.2`	npm	No	Version not pinned - allows any compatible version

Security Positives

✓ Includes privacy principle documentation (脱敏规则) for sending summaries

✓ Provides opt-out mechanism via .heycube-off file

✓ API_KEY is user-provided, not harvested from environment

✓ Errors do not block main conversation flow

Scan Report

Attack Chain 6 steps

Findings 5 items

File Tree

Dependencies 1 items

Security Positives