Security Decision Report

aagent-system

The skill exhibits significant doc-to-code mismatch, executes undeclared shell scripts from external paths, collects suspicious security-related keywords, and spawns far more processes than documented.

Install decision first · Source: manual upload · Scan time: 2026/4/4
Files: 20 · IOCs: 80 · Over-privileged items: 5 · Findings: 7
Most direct threat evidence

01 User installs skill believing it is a legitimate multi-agent sample collection tool per SKILL.md (Initial entry · SKILL.md)
02 analyzer/scanner/researcher agents execute unverifiable external scripts from ~/aass-scripts/* (Privilege escalation · agents/analyzer/agent.cjs)
03 Evolver agent self-modifies config and spawns additional collector processes dynamically (Privilege escalation · agents/evolver/agent.cjs)

Why this conclusion

2 of 4 dimensions triggered

Block · Declared vs. actual capabilities
Found 5 capabilities or over-privileged behaviours beyond what is declared.

Review · Hidden execution and outbound connections
Extracted 80 general-risk artifacts; these need context to judge.

Block · Attack chain and high-risk findings
The report contains a 5-step attack chain, plus 2 high or critical findings.

Review · Dependencies and supply-chain hygiene
No complete dependency information; the supply-chain judgment should remain provisional.

Attack chain

01 User installs skill believing it is a legitimate multi-agent sample collection tool per SKILL.md
   Initial entry · SKILL.md:1

02 analyzer/scanner/researcher agents execute unverifiable external scripts from ~/aass-scripts/*
   Privilege escalation · agents/analyzer/agent.cjs:8

03 Evolver agent self-modifies config and spawns additional collector processes dynamically
   Privilege escalation · agents/evolver/agent.cjs:188

04 19+ processes spawn beyond the 8 documented in SKILL.md, with undeclared network access to npm registries
   Privilege escalation · bin/agent-manager.cjs:28

05 Suspicious package names (stealer, keylogger, trojan, backdoor) collected to data/samples.json with unclear handling
   Final impact · agents/collector/agent.cjs:23

How the risk score was driven up

Undeclared external shell script execution +15

analyzer/scanner/researcher agents execute ~/aass-scripts/3layer_scheduler.sh, ~/aass-dataset/secure_dataset.sh and ~/aass-scripts/daily_intel.sh: these scripts are not present in the package and are undeclared

Doc-to-code mismatch (architecture) +12

SKILL.md claims collection layer (4 processes) → analysis layer (2 processes) → research layer (2 processes), but the actual implementation has 15 collectors + 5 ultra-collectors + hyper + fast-scanner + evolver + designer + perf-monitor + orchestrator = 19+ processes

Undeclared network activity +8

SKILL.md declares no network access but code makes HTTPS requests to registry.npmjs.com, registry.npmmirror.com for npm package collection

Suspicious keyword collection +8

Core keywords include 'stealer', 'keylogger', 'miner', 'cryptominer', 'trojan', 'backdoor' and 'rat'; the collection purpose is unclear and undeclared

Undeclared shell:WRITE +6

execSync('free|awk Mem'), 'uptime|awk', 'nproc', 'pgrep' used without declaration

Self-modifying config + dynamic process spawn +6

Evolver agent modifies agents/config.json and spawns new collector processes, an undeclared capability

Key evidence

High · Code execution

Undeclared External Script Execution

Three agent stubs (analyzer, scanner, researcher) execute shell scripts from paths outside the package (~/.aass-scripts/*, ~/.aass-dataset/*). These scripts are not included in the skill package, making their behavior unverifiable. This is the most dangerous finding as it enables arbitrary code execution through external files.

agents/analyzer/agent.cjs:8, agents/scanner/agent.cjs:8, agents/researcher/agent.cjs:8
Remove all exec() calls to external paths. Any functionality should be self-contained within the skill package.

High · Documentation deception

Major Architecture Mismatch

SKILL.md claims a 3-layer pipeline with ~8 total processes. The actual implementation contains 9 distinct agent types spawning 19+ processes across multiple collection strategies (collector, ultra-collector, hyper-collector, fast-scanner, evolver, designer, perf-monitor, orchestrator, scanner, analyzer, researcher). This is a fundamental misrepresentation.

SKILL.md:1, bin/agent-manager.cjs:28-31
Update SKILL.md to accurately reflect all agent types, process counts, and collection strategies.

Medium · Sensitive access

Undeclared Suspicious Keyword Targeting

The collector agent targets packages with keywords 'stealer', 'keylogger', 'cryptominer', 'trojan', 'backdoor', 'rat', 'grabber', 'clipper', 'spyware', 'botnet', and 'exploit'. The collection purpose for these potentially malicious package names is not declared in SKILL.md, raising questions about whether this data is used for security research or other purposes.

agents/collector/agent.cjs:23-26
Declare the purpose of collecting these package names. If for security research, add explicit documentation explaining how collected data is handled.

Medium · Code execution

Dynamic Process Spawning via Evolver

The evolver agent can automatically modify its own config (agents/config.json) and spawn new collector processes with exec(), effectively enabling self-propagation. This capability is entirely absent from SKILL.md documentation.

agents/evolver/agent.cjs:188-192
Document self-modification and dynamic spawning. Consider restricting this to controlled environments only.

Medium · Documentation deception

Undeclared Network Capabilities

SKILL.md makes no mention of network access, yet the code performs HTTPS requests to npm registry APIs (registry.npmjs.com, registry.npmmirror.com) to collect package metadata. The declared 'security scanning' feature is actually just keyword matching with no code analysis.

agents/collector/agent.cjs:76, agents/ultra-collector/agent.cjs:89
Declare network:READ permission and specify all external endpoints accessed.

Medium · Documentation deception

Misleading Security Scanning Description

SKILL.md describes '安全扫描' (security scanning) as detecting malicious code, credential leaks, and C2 connections. In reality, scanner agents only perform keyword pattern matching on package names and descriptions: no code analysis, no credential detection, no C2 detection.

SKILL.md:1, agents/fast-scanner/agent.cjs:1
Correct documentation to accurately describe the actual scanning methodology (keyword matching) and its limitations.

Low · Sensitive access

Environment Variable Access via Shell

bin/agent-manager.cjs uses execSync('free | awk ...') and execSync('uptime | awk ...') to check system resources. While the intent appears benign (resource-aware scaling), the shell:WRITE access through execSync is undeclared.

bin/agent-manager.cjs:35-40
Use Node.js native APIs (os.freemem(), os.totalmem()) instead of shell commands, or declare shell:READ access.

Declared vs. actual capabilities

Network access · Block · Declared: NONE · Inferred: READ · agents/collector/agent.cjs:76 https.get to registry.npmjs.com
Command execution · Block · Declared: NONE · Inferred: WRITE · agents/analyzer/agent.cjs:8 exec() to ~/aass-scripts/*
File system · Block · Declared: NONE · Inferred: WRITE · agents/evolver/agent.cjs:line exec() spawns new processes, fs.writeFileSync config.json
Environment variables · Block · Declared: NONE · Inferred: READ · bin/agent-manager.cjs:35 execSync free|awk Mem for resource check
Skill invocation · Block · Declared: NONE · Inferred: WRITE · agents/evolver/agent.cjs:188 exec spawns collector agents dynamically

Suspicious artifacts and outbound connections

Medium · External URL · https://registry.npmjs.com/-/v1/search?text=$ · agents/collector/agent.cjs:76
Medium · External URL · https://modelcontextprotocol.io · data/samples.json:87
Medium · External URL · https://help.obsidian.md/cli · data/samples.json:87
Medium · External URL · https://obsidian.md · data/samples.json:120
Medium · External URL · https://badge.fury.io/js/cdk-monitoring-constructs.svg · data/samples.json:471
Medium · External URL · https://badge.fury.io/js/cdk-monitoring-constructs · data/samples.json:471
Medium · External URL · https://maven-badges.herokuapp.com/maven-central/io.github.cdklabs/cdkmonitoringconstructs/badge.svg · data/samples.json:471
Medium · External URL · https://cobe.vercel.app · data/samples.json:482
Medium · External URL · http://www.pulumi.com/images/docs/badges/slack.svg · data/samples.json:548
Medium · External URL · https://slack.pulumi.com · data/samples.json:548
Medium · External URL · https://badge.fury.io/js/%40pulumi%2fdocker-build.svg · data/samples.json:548
Medium · External URL · https://www.npmjs.com/package/@pulumi/docker-build · data/samples.json:548

Dependencies and supply chain

No structured dependency alerts.

File composition

20 files · 16576 lines
JSON 5 files · 14889 lines · JavaScript 12 files · 1442 lines · Markdown 3 files · 245 lines
Files of note · 3
agents/config.json JSON · 8777 lines
data/samples.json JSON · 5969 lines
agents/collector/agent.cjs JavaScript · 167 lines
https://registry.npmjs.com/-/v1/search?text=$
Other files · agent.cjs · agent.cjs · ARCHITECTURE.md · agent-manager.cjs · agent.cjs · agent.cjs +3

Security highlights

No credential harvesting — code does not read ~/.ssh, ~/.aws, .env, or API keys
No data exfiltration — no POST/remote connections to external IPs beyond declared npm registries
No obfuscation — code is readable JavaScript, no base64 encoding or eval tricks
No persistence mechanisms — no cron, startup scripts, or backdoor installation found
No reverse shell or C2 infrastructure detected