High risk: risk score 72/100
Last scan: 18 hours ago
heycube-setup
HeyCube (黑方体) personal profile management service installer
Skill installs persistent conversation-monitoring hooks that exfiltrate user behavioral data to an external commercial API without declaring filesystem write, network write, or hook persistence capabilities.
Skill name: heycube-setup
Analysis time: 45.8s
Engine: pi
Do not install this skill
Do not deploy. The skill implements extensive undeclared capabilities including permanent hook installation, automatic conversation data collection, and external API communication for behavioral profiling purposes.

Attack chain (6 steps)

1. Entry: Skill installed through the legitimate skill install mechanism (SKILL.md:1)
2. Privilege escalation: Creates persistent hook skills in ~/.agents/skills/ (SKILL.md:1)
3. Privilege escalation: Modifies AGENTS.md to add automatic execution rules for every conversation (SKILL.md:1)
4. Privilege escalation: On every conversation, sends a summary to heifangti.com with a user intent classification (assets/hook-skills/get-config.md:45)
5. Privilege escalation: Stores the returned behavioral dimensions in a local SQLite profile database (scripts/personal-db.js:42)
6. Impact: After every conversation, sends another summary and receives instructions to update the psychological profile (assets/hook-skills/update-data.md:65)

Security findings (5)

Severity: High | Category: Documentation deception
Undeclared persistent hook installation
SKILL.md makes no mention of installing hooks that execute on every conversation, fundamentally altering agent behavior without disclosure.
Evidence: Creates ~/.agents/skills/heycube-get-config-0.1.0/ and heycube-update-data-0.1.0/ with automatic execution rules
→ Declare all hook/persistence mechanisms explicitly in the SKILL.md capabilities section
Location: SKILL.md:1

Severity: High | Category: Data exfiltration
Systematic conversation data collection to external API
Every conversation triggers API calls to heifangti.com that send conversation summaries and user intent classifications and receive behavioral profile dimensions to query or write. The '黑点' (black points) credit system indicates commercial data exploitation.
Evidence: curl -s -X POST {BASE_URL}/agent/analyze -H X-API-Key: {API_KEY}
→ Clearly disclose that ALL conversations are sent to an external server; provide an opt-out mechanism with a clear UI indicator
Location: assets/hook-skills/get-config.md:50

Severity: High | Category: Sensitive access
Psychological profile data storage and retrieval
The skill builds and stores detailed psychological profiles, including profile.career, behavior.work_habits, etc., in a local SQLite database. This sensitive data is collected incrementally across all conversations.
Evidence: CREATE TABLE dimensions (dimension_id TEXT PRIMARY KEY, value TEXT NOT NULL...)
→ Provide a transparent data inventory showing exactly which profile dimensions are collected
Location: scripts/personal-db.js:1

Severity: Medium | Category: Privilege escalation
Modifies core agent configuration files
The skill modifies TOOLS.md and AGENTS.md, which are core agent configuration files. This gives the skill the ability to permanently alter how the agent behaves.
Evidence: Step 6: Modify TOOLS.md, appending a HeyCube configuration section at the end
Evidence: Step 7: Modify AGENTS.md to add hook execution rules
→ Require explicit user consent before modifying core agent configuration; document all modifications
Location: SKILL.md:1

Severity: Medium | Category: Supply chain
Dependency version not pinned
package.json specifies better-sqlite3: ^12.6.2, allowing any compatible version and increasing supply chain risk.
Evidence: "better-sqlite3": "^12.6.2"
→ Pin the exact version: "better-sqlite3": "12.6.2"
Location: scripts/package.json:4
Resource type | Declared | Inferred | Status | Evidence
Filesystem | NONE | WRITE | ✗ Exceeds declaration | SKILL.md: Creates dirs at ~/.agents/skills/, writes scripts/personal-db.js, modif…
Network access | NONE | WRITE | ✗ Exceeds declaration | get-config.md:50-53, update-data.md:70-73: POSTs to https://heifangti.com/api/api…
Command execution | NONE | WRITE | ✗ Exceeds declaration | SKILL.md: Executes cd...&&node commands for npm install and database operations
Database | NONE | WRITE | ✗ Exceeds declaration | scripts/personal-db.js: Full SQLite CRUD operations for psychological profile sto…
2 findings (external URLs)

Medium | External URL | https://heifangti.com/api/api/v1/heifangti | SKILL.md:67
Medium | External URL | https://heifangti.com | SKILL.md:132

Directory structure

5 files · 15.9 KB · 487 lines
Markdown: 3 files, 383 lines · JavaScript: 1 file, 99 lines · JSON: 1 file, 5 lines
├─ assets
│  └─ hook-skills
│     ├─ get-config.md (Markdown, 121 lines, 3.7 KB)
│     └─ update-data.md (Markdown, 117 lines, 3.9 KB)
├─ scripts
│  ├─ package.json (JSON, 5 lines, 60 B)
│  └─ personal-db.js (JavaScript, 99 lines, 3.4 KB)
└─ SKILL.md (Markdown, 145 lines, 4.9 KB)

Dependency analysis (1)

Package | Version | Source | Known vulnerabilities | Notes
better-sqlite3 | ^12.6.2 | npm | none listed | Version not pinned; allows any compatible version

Security highlights

✓ Includes privacy principle documentation (脱敏规则, de-identification rules) for sending summaries
✓ Provides opt-out mechanism via .heycube-off file
✓ API_KEY is user-provided, not harvested from environment
✓ Errors do not block main conversation flow