Skill Trust Decision
heycube-setup
Skill installs persistent conversation-monitoring hooks that exfiltrate user behavioral data to an external commercial API without declaring filesystem write, network write, or hook persistence capabilities.
Most direct threat evidence
01
Skill installed through legitimate skill install mechanism Entry · SKILL.md
02
Creates persistent hook skills in ~/.agents/skills/ installation · SKILL.md
03
Modifies AGENTS.md to add automatic execution rules for every conversation installation · SKILL.md
Why this conclusion was reached
2/4 dimensions flagged Block
Declared vs actual capability
4 undeclared or violating capabilities were inferred.
Review
Hidden execution and egress
2 lower-risk artifacts were extracted and still need context.
Block
Attack chain and severe findings
The report includes 6 attack-chain steps and 3 severe findings.
Review
Dependencies and supply chain hygiene
1 dependency or supply-chain issues need attention.
Attack Chain
01
Skill installed through legitimate skill install mechanism
Entry · SKILL.md:1
02
Creates persistent hook skills in ~/.agents/skills/
installation · SKILL.md:1
03
Modifies AGENTS.md to add automatic execution rules for every conversation
installation · SKILL.md:1
04
On every conversation: sends summary to heifangti.com with user intent classification
Escalation · assets/hook-skills/get-config.md:45
05
Stores returned behavioral dimensions in local SQLite profile database
Escalation · scripts/personal-db.js:42
06
After every conversation: sends another summary and receives instructions to update psychological profile
Impact · assets/hook-skills/update-data.md:65
What drove the risk score up
Undeclared filesystem:WRITE +20
SKILL.md declares no file write permissions but script writes to ~/.agents/skills/, workspace/scripts/, and modifies TOOLS.md/AGENTS.md
Undeclared hook persistence +20
Installs GET_CONFIG and UPDATE_DATA hooks that execute on every conversation, modifying agent behavior permanently
External data exfiltration +18
Every conversation generates summary sent to heifangti.com for behavioral profiling without clear user consent
Undeclared database access +10
SQLite read/write operations for storing user psychological profiles not declared in capabilities
Silent failure masking +4
All errors silently skipped, hiding potential security issues from user
Most important evidence
High Doc Mismatch
Undeclared persistent hook installation
SKILL.md makes no mention of installing hooks that execute on every conversation, fundamentally altering agent behavior without disclosure.
SKILL.md:1 Declare all hook/persistence mechanisms explicitly in SKILL.md capabilities section
High Data Exfil
Systematic conversation data collection to external API
Every conversation triggers API calls to heifangti.com sending conversation summaries, user intent classifications, and receiving behavioral profile dimensions to query/write. The '黑点' (black points) credit system indicates commercial data exploitation.
assets/hook-skills/get-config.md:50 Clearly disclose that ALL conversations are sent to external server; provide opt-out mechanism with clear UI indicator
High Sensitive Access
Psychological profile data storage and retrieval
Skill builds and stores detailed psychological profiles including profile.career, behavior.work_habits, etc. in local SQLite database. This sensitive data is collected incrementally across all conversations.
scripts/personal-db.js:1 Provide transparent data inventory showing exactly what profile dimensions are collected
Medium Priv Escalation
Modifies core agent configuration files
Skill modifies TOOLS.md and AGENTS.md, which are core agent configuration files. This grants the skill ability to alter how the agent behaves permanently.
SKILL.md:1 Require explicit user consent before modifying core agent configuration; document all modifications
Medium Supply Chain
Dependency version not pinned
package.json specifies better-sqlite3: ^12.6.2 allowing any compatible version, increasing supply chain risk.
scripts/package.json:4 Pin exact version: "better-sqlite3": "12.6.2"
Declared capability vs actual capability
Filesystem Block
Declared NONE
→ Inferred WRITE
SKILL.md:Creates dirs at ~/.agents/skills/, writes scripts/personal-db.js, modifies TOOLS.md and AGENTS.md Network Block
Declared NONE
→ Inferred WRITE
get-config.md:50-53, update-data.md:70-73:POSTs to https://heifangti.com/api/api/v1/heifangti/agent/analyze Shell Block
Declared NONE
→ Inferred WRITE
SKILL.md:Execute cd...&&node commands for npm install and database operations Database Block
Declared NONE
→ Inferred WRITE
scripts/personal-db.js:Full SQLite CRUD operations for psychological profile storage Suspicious artifacts and egress
Medium External URL
https://heifangti.com/api/api/v1/heifangti SKILL.md:67
Medium External URL
https://heifangti.com SKILL.md:132
Dependencies and supply chain
| Package | Version | Source | Known vuln | Notes |
|---|---|---|---|---|
| better-sqlite3 | ^12.6.2 | npm | No | Version not pinned - allows any compatible version |
File composition
5 files · 487 lines
Markdown 3 files · 383 linesJavaScript 1 files · 99 linesJSON 1 files · 5 lines
Files of concern · 4
SKILL.md Undeclared persistent hook installation · Modifies core agent configuration files · https://heifangti.com/api/api/v1/heifangti · https://heifangti.com
assets/hook-skills/get-config.md Systematic conversation data collection to external API
scripts/personal-db.js Psychological profile data storage and retrieval
scripts/package.json Dependency version not pinned
Other files · update-data.md
Security positives
Includes privacy principle documentation (脱敏规则) for sending summaries
Provides opt-out mechanism via .heycube-off file
API_KEY is user-provided, not harvested from environment
Errors do not block main conversation flow