Security Decision Report

toq

Legitimate agent-to-agent communication tool with significant doc-to-code mismatch: missing permission declarations, documented but risky curl|sh installation, and extensive persistence mechanisms without proper disclosure.

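Install decision first · Source: manual upload · Scan time: 2026/4/5
Files: 5
IOCs: 4
Out-of-scope capabilities: 3
Findings: 5
Most direct threat evidence
High · Documentation deception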
Missing allowed-tools declaration

SKILL.md frontmatter does not declare required permissions. The skill executes shell commands (toq install, setup, send), makes network requests (install script, IP detection), and writes files (handlers, service files).

SKILL.md:1

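Why this conclusion was reached

3 of 4 dimensions triggered
Block
Declared vs. actual capabilities

Found 3 capabilities or overreaching behaviors beyond what is declared.

Block
Hidden execution and outbound connections

Extracted 2 high-risk IOCs or outbound-connection signals.

Block
Attack chain and high-risk findings

The report contains a 0-step attack chain, plus 1 other high-risk or critical finding.

Review
Dependency and supply-chain hygiene

Found 1 dependency or supply-chain lead that needs attention.

How the risk score was raised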

Missing permission declarations +20

SKILL.md does not declare required allowed-tools (shell:WRITE, network:READ, filesystem:WRITE)

Undeclared remote script execution +15

curl -sSf https://toq.dev/install.sh | sh documented without version pinning or hash verification

Extensive persistence capabilities +10

Systemd and launchd service creation not prominently flagged in capability declaration

Key evidence

High · Documentation deception

Missing allowed-tools declaration

SKILL.md frontmatter does not declare required permissions. The skill executes shell commands (toq install, setup, send), makes network requests (install script, IP detection), and writes files (handlers, service files).

SKILL.md:1
Add allowed-tools section declaring shell:WRITE, network:READ, filesystem:WRITE
Medium · Supply chain

Unverified remote script execution

The skill instructs users to run 'curl -sSf https://toq.dev/install.sh | sh' without version pinning or hash verification. This pattern is a common supply chain attack vector.

SKILL.md:25
Document this as a known security risk; recommend verifying the install script or using versioned downloads
Medium · Documentation deception

Hardcoded example IP in documentation

references/handlers.md contains hardcoded IP '1.2.3.4' in filter rule examples, suggesting limited security review.

references/handlers.md:104
Replace with example domain or clearly mark as placeholder
Medium · Persistence

Service creation instructions not flagged

SKILL.md includes detailed systemd and launchd service creation instructions without prominent security warnings. These enable persistent daemon execution.

SKILL.md:179
Add prominent warning about persistence implications
Low · Documentation deception

Security features buried in references

Important security information (approval modes, exec tool risks) is in references/security.md rather than the main SKILL.md, reducing visibility.

references/security.md:1
Summarize key security points (approval mode, exec risks) in SKILL.md with links to references

Declared capabilities vs. actual capabilities

Command execution · Block
Declared: NONE
Inferred: WRITE
SKILL.md:25 - curl|sh, SKILL.md:37-41 - toq setup/send commands
Network access · Block
Declared: NONE
Inferred: READ
SKILL.md:25 - fetches install.sh, SKILL.md:33 - curls ifconfig.me
File system · Block
Declared: NONE
Inferred: WRITE
SKILL.md:47-50 - creates ~/handlers/, SKILL.md:179-193 - systemd service files

Suspicious artifacts and outbound connections

Critical · Dangerous command
curl -sSf https://toq.dev/install.sh | sh

SKILL.md:25

High · IP address
1.2.3.4

references/handlers.md:104

Medium · External URL
https://toq.dev/install.sh

SKILL.md:25

Medium · External URL
http://www.apple.com/DTDs/PropertyList-1.0.dtd

references/security.md:83

Dependencies and supply chain

Package · Version · Source · Vulnerabilities · Notes
toq · * · https://toq.dev/install.sh · - · External binary installed via curl|sh without verification

File composition

5 files · 584 lines
Markdown: 5 files · 584 lines
Files needing attention · 3
SKILL.md Markdown · 207 lines
Missing allowed-tools declaration · Unverified remote script execution · Service creation instructions not flagged · curl -sSf https://toq.dev/install.sh | sh · https://toq.dev/install.sh
references/security.md Markdown · 94 lines
Security features buried in references · http://www.apple.com/DTDs/PropertyList-1.0.dtd
references/handlers.md Markdown · 125 lines
Hardcoded example IP in documentation · 1.2.3.4
Other files · commands.md · conversational.md

Security highlights

Comprehensive security walkthrough provided in references/security.md
Approval mode recommended as default (not open mode)
Credential scanning and redaction mentioned for LLM handlers
Connection modes (approval, allowlist) provide access control
Clear documentation of tool functionality and purpose
Handler patterns use proper quoting and input validation
Alpha disclaimer warns against sensitive data transmission