Security Decision Report

hostlink

Skill provides documented but undeclared shell:WRITE access to the host system with no allowed-tools declaration, and the HOSTLINK_TOKEN authentication credential is central to its operation without explicit handling guidance.

Install-decision-first · Source: manual upload · Scan time: 2026/4/4
Files: 2
IOCs: 0
Over-privilege items: 4
Findings: 4
Most direct evidence of threat

Why this conclusion was reached

1 of 4 dimensions triggered
Block
Declared vs. actual capabilities

Found 4 capabilities or over-privileged behaviours beyond what is declared.

Pass
Hidden execution and outbound connections

No obvious high-risk outbound-connection or execution signals at present.

Pass
Attack chain and high-risk findings

No clear malicious path has formed.

Review
Dependencies and supply-chain hygiene

No complete dependency information; the supply-chain judgement should remain tentative.

How the risk score was raised

No allowed-tools declaration +20

SKILL.md never declares the shell:WRITE permission, even though it is the skill's core capability

Critical credential handling +15

HOSTLINK_TOKEN enables arbitrary host command execution as root; no handling guidance provided

Host privilege escalation undeclared +10

Skill enables execution as root on the host, but SKILL.md lacks any security caveats

Key evidence

Medium · Misleading documentation

No allowed-tools declaration despite full shell access

The skill's primary function is executing arbitrary shell commands on the host system, yet SKILL.md contains no 'allowed-tools' section. Users cannot determine the actual permissions being granted.

SKILL.md:1
Add an allowed-tools section declaring shell:WRITE permission

Medium · Privilege escalation

Root-level host command execution undeclared in security terms

The skill can execute arbitrary commands as root on the host system. references/setup.md notes 'All commands run as the user hostlinkd is started as (typically root if using systemd).' This is a critical privilege escalation vector with no warnings in SKILL.md.

references/setup.md:92
Add prominent security warnings about the root privilege escalation risk

Medium · Credential theft

HOSTLINK_TOKEN critical credential without handling guidance

The HOSTLINK_TOKEN is the sole authentication mechanism enabling arbitrary command execution on the host. It functions like a password or API key, yet SKILL.md provides no guidance on protecting it or warning that it should not be logged or exposed.

SKILL.md:17
Add credential handling guidelines; warn against logging or exposing the token

Low · Sensitive access

Documents access to sensitive host paths

The skill documents access to potentially sensitive paths on the host: ~/.cache/huggingface/hub, Docker socket/management, and arbitrary home directory contents. No guidance on what should not be accessed.

SKILL.md:38
Document which host paths should be considered off-limits

Declared capabilities vs. actual capabilities

Command execution · Block
Declared: NONE
Inferred: WRITE
SKILL.md:1 - All examples use 'hostlink exec' for arbitrary shell commands

File system · Block
Declared: NONE
Inferred: READ
SKILL.md:35-36 - Documents 'hostlink exec ls /home/jebadiah/projects', 'cat /etc/hostname'

Environment variables · Block
Declared: NONE
Inferred: READ
SKILL.md:24 - Documents 'hostlink -e MY_VAR=value' for setting env vars, which implies env:READ

Network access · Block
Declared: NONE
Inferred: READ
SKILL.md:8 - Supports TCP/WireGuard remote access; references external connections

Suspicious artifacts and outbound connections

No obvious IOCs were extracted.

Dependencies and supply chain

No structured dependency alerts.

File composition

2 files · 270 lines
Markdown: 2 files · 270 lines
Files needing attention · 2
SKILL.md  Markdown · 130 lines
No allowed-tools declaration despite full shell access · HOSTLINK_TOKEN critical credential without handling guidance · Documents access to sensitive host paths
references/setup.md  Markdown · 140 lines
Root-level host command execution undeclared in security terms

Security highlights

Skill has comprehensive documentation of its capabilities and architecture
Authentication mechanism (token-based) is documented
Uses Unix socket by default (local-only without TCP exposure)
Exit codes are well-defined for error handling
Includes troubleshooting guidance for common issues