Skill Trust Decision

aagent-system

The skill exhibits significant doc-to-code mismatch, executes undeclared shell scripts from external paths, collects suspicious security-related keywords, and spawns far more processes than documented.

Source: Manual upload · Scanned: Apr 4, 2026
Files: 20 · Artifacts: 80 · Violations: 5 · Findings: 7
Most direct threat evidence

01 · User installs skill believing it is a legitimate multi-agent sample collection tool per SKILL.md · Entry · SKILL.md
02 · analyzer/scanner/researcher agents execute unverifiable external scripts from ~/aass-scripts/* · Escalation · agents/analyzer/agent.cjs
03 · Evolver agent self-modifies config and spawns additional collector processes dynamically · Escalation · agents/evolver/agent.cjs

Why this conclusion was reached

2/4 dimensions flagged

Declared vs actual capability · Block
5 undeclared or violating capabilities were inferred.

Hidden execution and egress · Review
80 lower-risk artifacts were extracted and still need context.

Attack chain and severe findings · Block
The report includes 5 attack-chain steps and 2 severe findings.

Dependencies and supply chain hygiene · Review
Dependency information is incomplete, so supply-chain confidence stays limited.

Attack Chain

01
User installs skill believing it is a legitimate multi-agent sample collection tool per SKILL.md

Entry · SKILL.md:1

02
analyzer/scanner/researcher agents execute unverifiable external scripts from ~/aass-scripts/*

Escalation · agents/analyzer/agent.cjs:8

03
Evolver agent self-modifies config and spawns additional collector processes dynamically

Escalation · agents/evolver/agent.cjs:188

04
19+ processes spawn beyond the 8 documented in SKILL.md, with undeclared network access to npm registries

Escalation · bin/agent-manager.cjs:28

05
Suspicious package names (stealer, keylogger, trojan, backdoor) collected to data/samples.json with unclear handling

Impact · agents/collector/agent.cjs:23

What drove the risk score up

Undeclared external shell script execution +15

analyzer/scanner/researcher agents execute ~/aass-scripts/3layer_scheduler.sh, ~/aass-dataset/secure_dataset.sh, ~/aass-scripts/daily_intel.sh — scripts not present in package, undeclared

Doc-to-code mismatch — architecture +12

SKILL.md claims a pipeline of collection layer (4 processes) → analysis layer (2 processes) → research layer (2 processes), but the actual implementation has 15 collectors + 5 ultra-collectors + hyper + fast-scanner + evolver + designer + perf-monitor + orchestrator = 19+ processes

Undeclared network activity +8

SKILL.md declares no network access but code makes HTTPS requests to registry.npmjs.com, registry.npmmirror.com for npm package collection

Suspicious keyword collection +8

Core keywords include 'stealer', 'keylogger', 'miner', 'cryptominer', 'trojan', 'backdoor', 'rat' — collection purpose unclear and undeclared

Undeclared shell:WRITE +6

execSync() is used to run free | awk (memory check), uptime | awk, nproc and pgrep without any shell capability being declared

Self-modifying config + dynamic process spawn +6

Evolver agent modifies agents/config.json and spawns new collector processes — undeclared capability

Most important evidence

High · RCE

Undeclared External Script Execution

Three agent stubs (analyzer, scanner, researcher) execute shell scripts from paths outside the package (~/.aass-scripts/*, ~/.aass-dataset/*). These scripts are not included in the skill package, making their behavior unverifiable. This is the most dangerous finding as it enables arbitrary code execution through external files.

agents/analyzer/agent.cjs:8, agents/scanner/agent.cjs:8, agents/researcher/agent.cjs:8
Remove all exec() calls to external paths. Any functionality should be self-contained within the skill package.
High · Doc Mismatch

Major Architecture Mismatch

SKILL.md claims a 3-layer pipeline with ~8 total processes. The actual implementation contains 9 distinct agent types spawning 19+ processes across multiple collection strategies (collector, ultra-collector, hyper-collector, fast-scanner, evolver, designer, perf-monitor, orchestrator, scanner, analyzer, researcher). This is a fundamental misrepresentation.

SKILL.md:1, bin/agent-manager.cjs:28-31
Update SKILL.md to accurately reflect all agent types, process counts, and collection strategies.
Medium · Sensitive Access

Undeclared Suspicious Keyword Targeting

The collector agent targets packages with keywords 'stealer', 'keylogger', 'cryptominer', 'trojan', 'backdoor', 'rat', 'grabber', 'clipper', 'spyware', 'botnet', and 'exploit'. The collection purpose for these potentially malicious package names is not declared in SKILL.md, raising questions about whether this data is used for security research or other purposes.

agents/collector/agent.cjs:23-26
Declare the purpose of collecting these package names. If for security research, add explicit documentation explaining how collected data is handled.
Medium · RCE

Dynamic Process Spawning via Evolver

The evolver agent can automatically modify its own config (agents/config.json) and spawn new collector processes with exec(), effectively enabling self-propagation. This capability is entirely absent from SKILL.md documentation.

agents/evolver/agent.cjs:188-192
Document self-modification and dynamic spawning. Consider restricting this to controlled environments only.
Medium · Doc Mismatch

Undeclared Network Capabilities

SKILL.md makes no mention of network access, yet the code performs HTTPS requests to npm registry APIs (registry.npmjs.com, registry.npmmirror.com) to collect package metadata. The declared 'security scanning' feature is actually just keyword matching with no code analysis.

agents/collector/agent.cjs:76, agents/ultra-collector/agent.cjs:89
Declare network:READ permission and specify all external endpoints accessed.
Medium · Doc Mismatch

Misleading Security Scanning Description

SKILL.md describes '安全扫描' (security scanning) as detecting malicious code, credential leaks, and C2 connections. In reality, scanner agents only perform keyword pattern matching on package names and descriptions — no code analysis, no credential detection, no C2 detection.

SKILL.md:1, agents/fast-scanner/agent.cjs:1
Correct documentation to accurately describe the actual scanning methodology (keyword matching) and its limitations.
Low · Sensitive Access

Environment Variable Access via Shell

bin/agent-manager.cjs uses execSync('free | awk ...') and execSync('uptime | awk ...') to check system resources. While the intent appears benign (resource-aware scaling), the shell:WRITE access through execSync is undeclared.

bin/agent-manager.cjs:35-40
Use Node.js native APIs (os.freemem(), os.totalmem()) instead of shell commands, or declare shell:READ access.

Declared capability vs actual capability

Network · Block · Declared: NONE · Inferred: READ · agents/collector/agent.cjs:76 https.get to registry.npmjs.com
Shell · Block · Declared: NONE · Inferred: WRITE · agents/analyzer/agent.cjs:8 exec() to ~/aass-scripts/*
Filesystem · Block · Declared: NONE · Inferred: WRITE · agents/evolver/agent.cjs:line exec() spawns new processes, fs.writeFileSync config.json
Environment · Block · Declared: NONE · Inferred: READ · bin/agent-manager.cjs:35 execSync free|awk Mem for resource check
Skill Invoke · Block · Declared: NONE · Inferred: WRITE · agents/evolver/agent.cjs:188 exec spawns collector agents dynamically

Suspicious artifacts and egress

Medium · External URL · https://registry.npmjs.com/-/v1/search?text=$ · agents/collector/agent.cjs:76
Medium · External URL · https://modelcontextprotocol.io · data/samples.json:87
Medium · External URL · https://help.obsidian.md/cli · data/samples.json:87
Medium · External URL · https://obsidian.md · data/samples.json:120
Medium · External URL · https://badge.fury.io/js/cdk-monitoring-constructs.svg · data/samples.json:471
Medium · External URL · https://badge.fury.io/js/cdk-monitoring-constructs · data/samples.json:471
Medium · External URL · https://maven-badges.herokuapp.com/maven-central/io.github.cdklabs/cdkmonitoringconstructs/badge.svg · data/samples.json:471
Medium · External URL · https://cobe.vercel.app · data/samples.json:482
Medium · External URL · http://www.pulumi.com/images/docs/badges/slack.svg · data/samples.json:548
Medium · External URL · https://slack.pulumi.com · data/samples.json:548
Medium · External URL · https://badge.fury.io/js/%40pulumi%2fdocker-build.svg · data/samples.json:548
Medium · External URL · https://www.npmjs.com/package/@pulumi/docker-build · data/samples.json:548

Dependencies and supply chain

There are no structured dependency warnings.

File composition

20 files · 16576 lines
JSON 5 files · 14889 lines
JavaScript 12 files · 1442 lines
Markdown 3 files · 245 lines
Files of concern · 3
agents/config.json JSON · 8777 lines
data/samples.json JSON · 5969 lines
https://modelcontextprotocol.io · https://help.obsidian.md/cli · https://obsidian.md · https://badge.fury.io/js/cdk-monitoring-constructs.svg · https://badge.fury.io/js/cdk-monitoring-constructs · https://maven-badges.herokuapp.com/maven-central/io.github.cdklabs/cdkmonitoringconstructs/badge.svg · https://cobe.vercel.app · http://www.pulumi.com/images/docs/badges/slack.svg · https://slack.pulumi.com · https://badge.fury.io/js/%40pulumi%2fdocker-build.svg · https://www.npmjs.com/package/@pulumi/docker-build · https://badge.fury.io/p · https://www.npmjs.com/package/ccxt · https://img.shields.io/npm/v/@smithy/core/latest.svg · https://www.npmjs.com/package/@smithy/core · https://img.shields.io/npm/dm/@smithy/core.svg · https://redocly.com · https://ai-sdk.dev/docs · https://react.dev/ · https://img.shields.io/npm/dw/%40google%2Fgenai · https://www.npmjs.com/package/@google/genai · https://img.shields.io/node/v/%40google%2Fgenai · https://ai-sdk.dev/providers/ai-sdk-providers/openai · https://ai-sdk.dev/providers/ai-sdk-providers/google-generative-ai · https://ai.google/discover/generativeai/ · https://badge.fury.io/js/orval.svg · https://badge.fury.io/js/orval · https://img.shields.io/badge/License-MIT-yellow.svg · https://opensource.org/licenses/MIT · https://travis-ci.org/stefanpenner/get-caller-file.svg?branch=master · https://travis-ci.org/stefanpenner/get-caller-file · https://ci.appveyor.com/api/projects/status/ol2q94g1932cy14a/branch/master?svg=true · https://www.npmjs.com/package/@nx-extend/terraform\ · https://badgen.net/npm/v/@nx-extend/terraform\ · https://vim.colefoster.ca/demo · https://serverless.com · https://gitpod.io/button/open-in-gitpod.svg · https://gitpod.io/#https://github.com/ryanrosello-og/playwright-slack-report · https://ai-sdk.dev/providers/ai-sdk-providers/anthropic · https://docs.anthropic.com/claude/reference/messages_post · https://ai-sdk.dev/providers/ai-sdk-providers/xai · https://ai-sdk.dev/providers/ai-sdk-providers/google-vertex · 
https://cloud.google.com/vertex-ai · https://openrouter.ai/ · https://sdk.vercel.ai/docs · https://svelte.dev/ · https://ai-sdk.dev/providers/ai-sdk-providers/deepseek · https://www.deepseek.com · https://vuejs.org/ · https://ai-sdk.dev/providers/ai-sdk-providers/azure · https://ai-sdk.dev/providers/ai-sdk-providers/mistral · https://ai-sdk.dev/providers/ai-sdk-providers/amazon-bedrock · https://docs.aws.amazon.com/bedrock/latest/APIR · https://ai-sdk.dev/providers/ai-sdk-providers/groq · https://img.shields.io/npm/v/@aws-sdk/middleware-user-agent/latest.svg · https://www.npmjs.com/package/@aws-sdk/middleware-user-agent · https://img.shields.io/npm/dm/@aws-sdk/middleware-user-agent.svg · https://www.npmjs.c · https://img.shields.io/npm/v/@aws-sdk/middleware-logger/latest.svg · https://www.npmjs.com/package/@aws-sdk/middleware-logger · https://img.shields.io/npm/dm/@aws-sdk/middleware-logger.svg · https://www.npmjs.com/package/@ · https://img.shields.io/npm/v/@aws-sdk/middleware-sdk-s3/latest.svg · https://www.npmjs.com/package/@aws-sdk/middleware-sdk-s3 · https://img.shields.io/npm/dm/@aws-sdk/middleware-sdk-s3.svg · https://img.shields.io/npm/v/@aws-sdk/middleware-host-header/latest.svg · https://www.npmjs.com/package/@aws-sdk/middleware-host-header · https://img.shields.io/npm/dm/@aws-sdk/middleware-host-header.svg · https://www.npmj · https://img.shields.io/npm/v/@aws-sdk/util-user-agent-node/latest.svg · https://www.npmjs.com/package/@aws-sdk/util-user-agent-node · https://img.shields.io/npm/dm/@aws-sdk/util-user-agent-node.svg · https://www.npmjs.com/ · https://coveralls.io/repos/github/131/docker-sdk/badge.svg?branch=ma · https://metorial.com · https://ai-sdk.dev/providers/ai-sdk-providers/cohere · https://img.shields.io/npm/v/@aws-sdk/middleware-recursion-detection/latest.svg · https://www.npmjs.com/package/@aws-sdk/middleware-recursion-detection · https://img.shields.io/npm/dm/@aws-sdk/middleware-recursion-detectio
agents/collector/agent.cjs JavaScript · 167 lines
https://registry.npmjs.com/-/v1/search?text=$
Other files · agent.cjs · agent.cjs · ARCHITECTURE.md · agent-manager.cjs · agent.cjs · agent.cjs +3

Security positives

No credential harvesting — code does not read ~/.ssh, ~/.aws, .env, or API keys
No data exfiltration — no POST/remote connections to external IPs beyond declared npm registries
No obfuscation — code is readable JavaScript, no base64 encoding or eval tricks
No persistence mechanisms — no cron, startup scripts, or backdoor installation found
No reverse shell or C2 infrastructure detected