⚡ CFM Redis - 跨框架实时通信

Name: cfm-redis
Author: ameylover

View on ClawHub↗

Share on X Share on LinkedIn Share on Bluesky

100Critical

The skill enables arbitrary command execution, prompt injection,

ThreatsCI SM CS BC S HITL

Behavior Analysis

Description verified — behavior matches claim

Claims to do

⚡ CFM Redis - 跨框架实时通信: 基于Redis Pub/Sub的跨框架Agent通信方案。事件驱动，零轮询，通信通道不消耗LLM token。

Actually does

The skill installs and uses `redis-server` and the Python `redis` library. It runs Python scripts (`cfm_messenger.py`, `cfm_cli.py`, `cfm_check.py`) to send, receive, store, and discover messages and agents via Redis Pub/Sub and lists, interacting with a local Redis instance. It also manages processed message IDs in local files and can optionally trigger external webhooks.

Threat Analysis

AI Agent Traps ↗Scanned 4/17/2026

Content InjectionPerception1 finding

Semantic ManipulationReasoningclean

Cognitive StateMemory & Learning1 finding

Behavioural ControlAction11 findings

SystemicMulti-Agent Dynamics2 findings

Human-in-the-LoopHuman Overseer1 finding

Skill Info

Nameameylover/cfm-redis

Registryclawhub

Version1.0.0

PURLpkg:clawhub/ameylover/cfm-redis@1.0.0

Downloads67

Source

Repository ↗

SHA-256bcd2d39266dc...

SHA-1787cbd923f2a...

MD5b90e86e80861...

TLSHbd6207168c71...

ssdeep384:rAhIyu0D...

Size15,888 bytes

Install

This skill has been flagged as potentially malicious. Review the findings below before installing.

OpenClawDocs

https://clawhub.ai/ameylover/cfm-redis

67 downloads

ClawHubDocs

openclaw skills install ameylover/cfm-redis

Assessments (5)

AI Agent Traps ↗

Shell command execution function detectedcriticalcommand execution

Shell command execution function detected

100% confidenceline 378

subprocess.run

Shell command execution function detectedcriticalcommand execution

Shell command execution function detected

100% confidenceline 523

os.system

Command Execution Capabilitymediumcommand execution

The skill explicitly demonstrates and encourages the use of shell command execution via `subprocess.run` and `os.system` for integration and troubleshooting. It also defines a 'command' message type, indicating its design to transmit commands between agents. While intended for legitimate purposes, this capability could be abused by a compromised agent to execute arbitrary commands.

90% confidenceline 379

subprocess.run(["python3", "~/.shared/cfm/cfm_check.py", ...]), os.system("redis-cli ping"), "type": "command"

Resource Abuse via Redis KEYS commandlowresource abuse

The `discover_agents` function uses the `redis_client.keys()` command, which can be a blocking operation and lead to performance degradation or denial of service on a busy Redis server if called frequently or on a large dataset.

80% confidenceline 126

keys = self.redis_client.keys("cfm:*:registered")

Data Exfiltration Capability (Webhook)infodata exfiltration

The skill provides an example of how an agent can use `requests.post` to send messages to an external webhook URL. This demonstrates the capability for external data transfer, which could be repurposed for exfiltration if the `webhook_url` is controlled by an attacker.

70% confidenceline 400

requests.post(webhook_url, json=new_msgs)

Autonomous Cron Persistence Mechanismmediumpersistence

The skill instructs installing a cron job that runs autonomously every 5 minutes to check for messages and trigger processing. This establishes a persistent agent execution mechanism that operates without user interaction.

80% confidence

### 方式1：Cron任务（简单）
```bash
# 每5分钟检查一次
*/5 * * * * cd ~/.shared/cfm && python3 cfm_check.py myagent
```

Unrestricted Agent Discovery and Enumerationmediumreconnaissance

The discover_agents() function uses a Redis wildcard key scan (keys('cfm:*:registered')) to enumerate all registered agents on the Redis instance. This enables network reconnaissance of all agents and their statuses.

75% confidence

def discover_agents(self) -> list:
    """发现其他Agent"""
    keys = self.redis_client.keys("cfm:*:registered")
    agents = []
    for key in keys:
        agent_id = key.split(":")[1]
        if agent_id != self.agent_id:
            info = self.redis_client.hgetall(key)
            agents.append({"id": agent_id, **info})

Unauthenticated Redis Channel Accesshightool poisoning

The Redis connection is established without any authentication credentials, ACLs, or TLS. Any process with network access to the Redis port can publish messages to any agent's inbox channel, impersonate any agent identity, or read all stored message history.

80% confidenceline 88

self.redis_client = redis.Redis(host=redis_host, port=redis_port, decode_responses=True)

def quick_send(to_agent: str, message: str, from_agent: str = "cli") -> str:
    r = redis.Redis(decode_responses=True)

Webhook SSRF via Attacker-Controlled URLsmediumssrf

The Webhook integration pattern sends message content to a configurable webhook_url using requests.post(). If an attacker can influence the webhook_url parameter or message content processed to derive URLs, this could enable SSRF attacks against internal services.

65% confidenceline 393

def check_and_trigger(agent_id, webhook_url):
    with CFMMessenger(agent_id) as m:
        msgs = m.get_messages(limit=5)
        new_msgs = [msg for msg in msgs if msg.get("from") != agent_id]
        if new_msgs:
            # 触发webhook
            import requests
            requests.post(webhook_url, json=new_msgs)

File Path Injection via 'file' Message Typemediumdata exfiltration

Messages of type 'file' use the content field as a file path reference. If agents process these messages by reading the referenced file path, an attacker publishing a 'file' message with a sensitive path (e.g., ~/.ssh/id_rsa, /etc/passwd) could trigger exfiltration of sensitive files.

65% confidenceline 421

- `file` - 文件引用（content为文件路径）

Unauthenticated Agent Identity Spoofinghighagent impersonation

The 'from' field in messages is set by the sender and never verified. Any client can claim to be any agent identity by setting from_agent to an arbitrary value, enabling complete agent impersonation without authentication.

85% confidenceline 147

def quick_send(to_agent: str, message: str, from_agent: str = "cli") -> str:
    payload = {
        "id": msg_id,
        "from": from_agent,  # No verification of identity
        "to": to_agent,

Approval Fatigue Bypass via execute_codehighapproval fatigue

The skill explicitly documents a technique to bypass human approval mechanisms. It frames a security control (shell command approval prompts) as a 'bug' and instructs using execute_code with os.system() to circumvent the approval workflow, deliberately avoiding the human-in-the-loop control.

95% confidence

### 5. 飞书命令审批 bug
**问题**：通过飞书执行shell命令时，点击"允许"会报错 `code: 200340`。
**解决**：使用 `execute_code` 工具运行Python脚本绕过审批：
```python
# 用 execute_code 而不是 terminal
import os
os.system("redis-cli ping")
```

Sub-Agent Spawning via Uncontrolled Pub/Subhighsub agent spawning

The skill establishes a Redis Pub/Sub communication channel between agents where message content from any publisher is consumed and acted upon by subscribing agents. Messages of type 'command' are explicitly supported, enabling attacker-controlled prompts or commands to be injected into agent inboxes and processed by other agents without validation or sanitization.

85% confidence

### 消息类型
- `text` - 普通文本
- `command` - 命令消息
- `response` - 响应消息
- `file` - 文件引用（content为文件路径）

Autonomy Abuse via Daemon Process Integrationmediumautonomy abuse

The skill describes a daemon/heartbeat integration pattern where agents autonomously check for and process messages on a recurring basis, potentially triggering further LLM calls and actions without user confirmation. Combined with the 'command' message type, this creates an autonomous execution loop.

75% confidenceline 379

### 方式2：守护进程（实时）
```python
# 在heartbeat或定时任务中调用
import subprocess
result = subprocess.run(
    ["python3", "~/.shared/cfm/cfm_check.py", "myagent"],
    capture_output=True, text=True
)
if "📨" in result.stdout:
    # 有新消息，触发处理
    process_new_messages()

Indirect Prompt Injection via Redis Messageshighprompt injection

Agent messages received via Redis are passed directly to the LLM for processing without sanitization. Any entity that can publish to a Redis channel (cfm:<agent_id>:inbox) can inject arbitrary instructions into the agent's context, enabling indirect prompt injection attacks through the messaging infrastructure.

85% confidence

if "📨" in result.stdout:
    # 有新消息，触发处理
    process_new_messages()

The skill explicitly states agents process message content with LLM: "Agent处理消息时仍需调用LLM（会消耗token）"

Unpinned dependency installation — package installed without version pinningmediumsupply chain

Unpinned dependency installation — package installed without version pinning

100% confidenceline 57

pip install redis

Badge

Markdown

[![Mondoo Skill Check](https://mondoo.com/ai-agent-security/api/badge/clawhub/ameylover/cfm-redis.svg)](https://mondoo.com/ai-agent-security/skills/clawhub/ameylover/cfm-redis)

HTML

<a href="https://mondoo.com/ai-agent-security/skills/clawhub/ameylover/cfm-redis"><img src="https://mondoo.com/ai-agent-security/api/badge/clawhub/ameylover/cfm-redis.svg" alt="Mondoo Skill Check" /></a>

Image URL

https://mondoo.com/ai-agent-security/api/badge/clawhub/ameylover/cfm-redis.svg

Secure your AI agents

Skills can read files, run commands, and access credentials. Mondoo helps organizations manage the security risks of AI agent skills across their entire fleet.

Continuous scanning of skills across all registries
Policy enforcement before skills reach your agents
Integration with your existing security workflow