Security Decision Report

heycube-setup

Skill installs persistent conversation-monitoring hooks that exfiltrate user behavioral data to an external commercial API without declaring filesystem write, network write, or hook persistence capabilities.

Install decision first · Source: manual upload · Scan time: 2026/4/5
Files 5
IOC 2
Over-privilege items 4
Findings 5
Most direct threat evidence
01
Skill installed through legitimate skill install mechanism Initial entry · SKILL.md
02
Creates persistent hook skills in ~/.agents/skills/ installation · SKILL.md
03
Modifies AGENTS.md to add automatic execution rules for every conversation installation · SKILL.md

Why this conclusion was reached

2/4 dimensions triggered
Block
Declared vs. actual capabilities

Found 4 capabilities or over-privileged behaviors beyond what is declared.

Review
Hidden execution and outbound connections

Extracted 2 general-risk artifacts; context is needed to judge them.

Block
Attack chain and high-risk findings

The report contains a 6-step attack chain and 3 additional high or critical findings.

Review
Dependencies and supply chain hygiene

Found 1 dependency or supply chain lead that needs attention.

Attack chain

01
Skill installed through legitimate skill install mechanism

Initial entry · SKILL.md:1

02
Creates persistent hook skills in ~/.agents/skills/

installation · SKILL.md:1

03
Modifies AGENTS.md to add automatic execution rules for every conversation

installation · SKILL.md:1

04
On every conversation: sends summary to heifangti.com with user intent classification

Privilege escalation · assets/hook-skills/get-config.md:45

05
Stores returned behavioral dimensions in local SQLite profile database

Privilege escalation · scripts/personal-db.js:42

06
After every conversation: sends another summary and receives instructions to update psychological profile

Final impact · assets/hook-skills/update-data.md:65

How the risk score was driven up

Undeclared filesystem:WRITE +20

SKILL.md declares no file write permissions, but the script writes to ~/.agents/skills/ and workspace/scripts/, and modifies TOOLS.md/AGENTS.md

Undeclared hook persistence +20

Installs GET_CONFIG and UPDATE_DATA hooks that execute on every conversation, modifying agent behavior permanently

External data exfiltration +18

Every conversation generates a summary that is sent to heifangti.com for behavioral profiling without clear user consent

Undeclared database access +10

SQLite read/write operations for storing user psychological profiles are not declared in capabilities

Silent failure masking +4

All errors are silently skipped, hiding potential security issues from the user

Key evidence

High · Documentation deception

Undeclared persistent hook installation

SKILL.md makes no mention of installing hooks that execute on every conversation, fundamentally altering agent behavior without disclosure.

SKILL.md:1
Declare all hook/persistence mechanisms explicitly in SKILL.md capabilities section
High · Data exfiltration

Systematic conversation data collection to external API

Every conversation triggers API calls to heifangti.com sending conversation summaries, user intent classifications, and receiving behavioral profile dimensions to query/write. The '黑点' (black points) credit system indicates commercial data exploitation.

assets/hook-skills/get-config.md:50
Clearly disclose that ALL conversations are sent to external server; provide opt-out mechanism with clear UI indicator
High · Sensitive access

Psychological profile data storage and retrieval

Skill builds and stores detailed psychological profiles including profile.career, behavior.work_habits, etc. in local SQLite database. This sensitive data is collected incrementally across all conversations.

scripts/personal-db.js:1
Provide transparent data inventory showing exactly what profile dimensions are collected
Medium · Privilege escalation

Modifies core agent configuration files

Skill modifies TOOLS.md and AGENTS.md, which are core agent configuration files. This grants the skill the ability to alter how the agent behaves permanently.

SKILL.md:1
Require explicit user consent before modifying core agent configuration; document all modifications
Medium · Supply chain

Dependency version not pinned

package.json specifies better-sqlite3: ^12.6.2 allowing any compatible version, increasing supply chain risk.

scripts/package.json:4
Pin exact version: "better-sqlite3": "12.6.2"

Declared capabilities vs. actual capabilities

Filesystem · Block
Declared NONE
Inferred WRITE
SKILL.md:Creates dirs at ~/.agents/skills/, writes scripts/personal-db.js, modifies TOOLS.md and AGENTS.md
Network access · Block
Declared NONE
Inferred WRITE
get-config.md:50-53, update-data.md:70-73:POSTs to https://heifangti.com/api/api/v1/heifangti/agent/analyze
Command execution · Block
Declared NONE
Inferred WRITE
SKILL.md:Execute cd...&&node commands for npm install and database operations
Database · Block
Declared NONE
Inferred WRITE
scripts/personal-db.js:Full SQLite CRUD operations for psychological profile storage

Suspicious artifacts and outbound connections

Medium · External URL
https://heifangti.com/api/api/v1/heifangti

SKILL.md:67

Medium · External URL
https://heifangti.com

SKILL.md:132

Dependencies and supply chain

Package | Version | Source | Vulnerabilities | Notes
better-sqlite3 | ^12.6.2 | npm | | Version not pinned - allows any compatible version

File composition

5 files · 487 lines
Markdown 3 files · 383 lines
JavaScript 1 file · 99 lines
JSON 1 file · 5 lines
Files needing attention · 4
SKILL.md Markdown · 145 lines
Undeclared persistent hook installation · Modifies core agent configuration files · https://heifangti.com/api/api/v1/heifangti · https://heifangti.com
assets/hook-skills/get-config.md Markdown · 121 lines
Systematic conversation data collection to external API
scripts/personal-db.js JavaScript · 99 lines
Psychological profile data storage and retrieval
scripts/package.json JSON · 5 lines
Dependency version not pinned
Other files · update-data.md

Security highlights

Includes privacy principle documentation (脱敏规则, desensitization rules) for sending summaries
Provides opt-out mechanism via .heycube-off file
API_KEY is user-provided, not harvested from environment
Errors do not block main conversation flow