Skill Trust Decision

toq

Legitimate agent-to-agent communication tool with significant doc-to-code mismatch: missing permission declarations, documented but risky curl|sh installation, and extensive persistence mechanisms without proper disclosure.

Source: Manual upload · Scanned: Apr 5, 2026
Files 5
Artifacts 4
Violations 3
Findings 5

Why this conclusion was reached

3/4 dimensions flagged

Declared vs actual capability · Block
3 undeclared or violating capabilities were inferred.

Hidden execution and egress · Block
2 high-risk artifacts or egress signals were extracted.

Attack chain and severe findings · Block
The report includes 0 attack-chain steps and 1 severe finding.

Dependencies and supply chain hygiene · Review
1 dependency or supply-chain issue needs attention.

What drove the risk score up

Missing permission declarations +20

SKILL.md does not declare required allowed-tools (shell:WRITE, network:READ, filesystem:WRITE)

Undeclared remote script execution +15

curl -sSf https://toq.dev/install.sh | sh documented without version pinning or hash verification

Extensive persistence capabilities +10

Systemd and launchd service creation not prominently flagged in capability declaration

Most important evidence

High Doc Mismatch

Missing allowed-tools declaration

SKILL.md frontmatter does not declare required permissions. The skill executes shell commands (toq install, setup, send), makes network requests (install script, IP detection), and writes files (handlers, service files).

SKILL.md:1
Add allowed-tools section declaring shell:WRITE, network:READ, filesystem:WRITE

Medium Supply Chain

Unverified remote script execution

The skill instructs users to run 'curl -sSf https://toq.dev/install.sh | sh' without version pinning or hash verification. This pattern is a common supply chain attack vector.

SKILL.md:25
Document this as a known security risk; recommend verifying the install script or using versioned downloads

Medium Doc Mismatch

Hardcoded example IP in documentation

references/handlers.md contains hardcoded IP '1.2.3.4' in filter rule examples, suggesting limited security review.

references/handlers.md:104
Replace with example domain or clearly mark as placeholder

Medium Persistence

Service creation instructions not flagged

SKILL.md includes detailed systemd and launchd service creation instructions without prominent security warnings. These enable persistent daemon execution.

SKILL.md:179
Add prominent warning about persistence implications

Low Doc Mismatch

Security features buried in references

Important security information (approval modes, exec tool risks) is in references/security.md rather than the main SKILL.md, reducing visibility.

references/security.md:1
Summarize key security points (approval mode, exec risks) in SKILL.md with links to references

Declared capability vs actual capability

Shell · Block · Declared NONE · Inferred WRITE
SKILL.md:25 - curl|sh, SKILL.md:37-41 - toq setup/send commands

Network · Block · Declared NONE · Inferred READ
SKILL.md:25 - fetches install.sh, SKILL.md:33 - curls ifconfig.me

Filesystem · Block · Declared NONE · Inferred WRITE
SKILL.md:47-50 - creates ~/handlers/, SKILL.md:179-193 - systemd service files

Suspicious artifacts and egress

Critical Dangerous Command
curl -sSf https://toq.dev/install.sh | sh

SKILL.md:25

High IP Address
1.2.3.4

references/handlers.md:104

Medium External URL
https://toq.dev/install.sh

SKILL.md:25

Medium External URL
http://www.apple.com/DTDs/PropertyList-1.0.dtd

references/security.md:83

Dependencies and supply chain

Package: toq · Version: * · Source: https://toq.dev/install.sh · Known vuln: No · Notes: External binary installed via curl|sh without verification

File composition

5 files · 584 lines
Markdown 5 files · 584 lines
Files of concern · 3
SKILL.md Markdown · 207 lines
Missing allowed-tools declaration · Unverified remote script execution · Service creation instructions not flagged · curl -sSf https://toq.dev/install.sh | sh · https://toq.dev/install.sh
references/security.md Markdown · 94 lines
Security features buried in references · http://www.apple.com/DTDs/PropertyList-1.0.dtd
references/handlers.md Markdown · 125 lines
Hardcoded example IP in documentation · 1.2.3.4
Other files · commands.md · conversational.md

Security positives

Comprehensive security walkthrough provided in references/security.md
Approval mode recommended as default (not open mode)
Credential scanning and redaction mentioned for LLM handlers
Connection modes (approval, allowlist) provide access control
Clear documentation of tool functionality and purpose
Handler patterns use proper quoting and input validation
Alpha disclaimer warns against sensitive data transmission