toq Security Report — Suspicious | ClawSafe

45 /100

toq

Agent-to-agent secure messaging protocol

Legitimate agent-to-agent communication tool with significant doc-to-code mismatch: missing permission declarations, documented but risky curl|sh installation, and extensive persistence mechanisms without proper disclosure.

Skill Nametoq

Duration70.5s

Enginepi

⚠

Use with caution

Approve with caveats: Require explicit allowed-tools declaration for shell:WRITE, network:READ, filesystem:WRITE; warn users about curl|sh risks; add prominent security warnings for handler and service creation features.

Findings 5 items

Severity	Finding	Location
High	Missing allowed-tools declaration Doc Mismatch SKILL.md frontmatter does not declare required permissions. The skill executes shell commands (toq install, setup, send), makes network requests (install script, IP detection), and writes files (handlers, service files). `--- name: toq description: Send and receive secure messages...` → Add allowed-tools section declaring shell:WRITE, network:READ, filesystem:WRITE	`SKILL.md:1`
Medium	Unverified remote script execution Supply Chain The skill instructs users to run 'curl -sSf https://toq.dev/install.sh \| sh' without version pinning or hash verification. This pattern is a common supply chain attack vector. `curl -sSf https://toq.dev/install.sh \| sh && export PATH="$HOME/.toq/bin:$PATH"` → Document this as a known security risk; recommend verifying the install script or using versioned downloads	`SKILL.md:25`
Medium	Hardcoded example IP in documentation Doc Mismatch references/handlers.md contains hardcoded IP '1.2.3.4' in filter rule examples, suggesting limited security review. `toq handler add h --command "bash log.sh" --from "toq://1.2.3.4/*"` → Replace with example domain or clearly mark as placeholder	`references/handlers.md:104`
Medium	Service creation instructions not flagged Persistence SKILL.md includes detailed systemd and launchd service creation instructions without prominent security warnings. These enable persistent daemon execution. `cat > /tmp/toq.service << EOF [Unit]...` → Add prominent warning about persistence implications	`SKILL.md:179`
Low	Security features buried in references Doc Mismatch Important security information (approval modes, exec tool risks) is in references/security.md rather than the main SKILL.md, reducing visibility. `# Security...` → Summarize key security points (approval mode, exec risks) in SKILL.md with links to references	`references/security.md:1`

Resource	Declared	Inferred	Status	Evidence
Shell	`NONE`	`WRITE`	✗ Violation	SKILL.md:25 - curl\|sh, SKILL.md:37-41 - toq setup/send commands
Network	`NONE`	`READ`	✗ Violation	SKILL.md:25 - fetches install.sh, SKILL.md:33 - curls ifconfig.me
Filesystem	`NONE`	`WRITE`	✗ Violation	SKILL.md:47-50 - creates ~/handlers/, SKILL.md:179-193 - systemd service files

1 Critical 1 High 4 findings

💀

Critical Dangerous Command 危险 Shell 命令

curl -sSf https://toq.dev/install.sh | sh

SKILL.md:25

📡

High IP Address 硬编码 IP 地址

1.2.3.4

references/handlers.md:104

🔗

Medium External URL 外部 URL

https://toq.dev/install.sh

SKILL.md:25

🔗

Medium External URL 外部 URL

http://www.apple.com/DTDs/PropertyList-1.0.dtd

references/security.md:83

File Tree

5 files · 19.9 KB · 584 lines

Markdown 5f · 584L

├─ ▾ 📁 references

│ ├─ 📝 commands.md Markdown 73L · 2.9 KB

│ ├─ 📝 conversational.md Markdown 85L · 2.8 KB

│ ├─ 📝 handlers.md Markdown 125L · 3.5 KB

│ └─ 📝 security.md Markdown 94L · 3.6 KB

└─ 📝 SKILL.md Markdown 207L · 7.1 KB

Dependencies 1 items

Package	Version	Source	Known Vulns	Notes
`toq`	`*`	https://toq.dev/install.sh	No	External binary installed via curl\|sh without verification

Security Positives

✓ Comprehensive security walkthrough provided in references/security.md

✓ Approval mode recommended as default (not open mode)

✓ Credential scanning and redaction mentioned for LLM handlers

✓ Connection modes (approval, allowlist) provide access control

✓ Clear documentation of tool functionality and purpose

✓ Handler patterns use proper quoting and input validation

✓ Alpha disclaimer warns against sensitive data transmission

Scan Report

Findings 5 items

File Tree

Dependencies 1 items

Security Positives