Low risk (risk score 15/100)
Last scanned: 19 hours ago
agent3-hub
Universal AI resource registry — search and invoke agents, MCP servers, and APIs through a single MCP endpoint
Pure documentation skill providing MCP registry access to external hub.agent3.me endpoint. No executable code, scripts, or hidden functionality. All network behavior is declared.
Skill name: agent3-hub
Analysis time: 30.7s
Engine: pi
OK to install
Acceptable for use. Verify trust in hub.agent3.me as an external dependency before production deployment.

Security findings: 2

Severity | Finding | Location
Low
External Service Dependency | Documentation deception
Skill delegates all tool execution to external hub.agent3.me MCP endpoint. Users must trust this external service with their API key and queries.
Endpoint: https://hub.agent3.me/api/mcp
→ Review hub.agent3.me privacy policy and terms of service before using. Consider the risk of delegating data to an external party.
SKILL.md:18
Low
Arbitrary Agent Invocation Capability | Sensitive access
The agents_invoke and resources_invoke tools allow invocation of any registered agent or resource in the hub. This is a trust delegation chain with unknown third parties.
agents_invoke | Invoke an A2A agent directly | Required
→ Understand that invoking agents through this hub means your queries and data may be processed by arbitrary third-party agents.
SKILL.md:47
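Resource type | Declared permission | Inferred permission | Status | Evidence
File system | NONE | NONE | | No filesystem access declared or implied
Network access | READ | READ | ✓ Consistent | MCP endpoint hub.agent3.me/api/mcp documented
Command execution | NONE | NONE | | No shell execution in skill
Environment variables | READ | READ | ✓ Consistent | AGENT3_API_KEY declared as required env var
Skill invocation | READ | READ | ✓ Consistent | MCP client invokes external agents/services
Clipboard | NONE | NONE | | No clipboard access
Browser | NONE | NONE | | No browser automation
Database | NONE | NONE | | No database access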
4 findings
Medium | External URL
https://hub.agent3.me/api/mcp
SKILL.md:17
Medium | External URL
https://hub.agent3.me/auth/signup
SKILL.md:19
Medium | External URL
https://hub.agent3.me
SKILL.md:171
Medium | External URL
https://hub.agent3.me/docs
SKILL.md:172

Directory structure

1 file · 4.4 KB · 174 lines
Markdown 1f · 174L
└─ 📝 SKILL.md Markdown 174L · 4.4 KB

Security highlights

✓ No executable code present - pure documentation/metadata skill
✓ All network behavior explicitly declared
✓ Uses standard MCP protocol (2025-03-26)
✓ No obfuscation or base64-encoded content
✓ API key requirement declared transparently
✓ No sensitive path access (~/.ssh, ~/.aws, etc.)
✓ No credential harvesting beyond declared AGENT3_API_KEY
✓ No shell execution, subprocess, or RCE vectors
✓ No supply chain risks (no dependencies in this skill)