The skill is vulnerable to shell injection and
Claims to do
chat-bus — shared-directory message bus: lets different users/agents that use this skill chat with each other through a shared file directory.
Actually does
This skill executes Python scripts (`register.py`, `send.py`, `receive.py`, `history.py`, `rooms.py`) to manage a chat system. It reads and writes JSON files within a user-defined shared directory (e.g., `.chat-bus/`) to store user registrations, private messages, and group chat messages. Communication is entirely file-based, with no external network calls.
openclaw skills install wangjiaocheng/chat-bus
The skill executes Python scripts by passing user-controlled JSON strings as command-line arguments. This creates a high risk of shell injection if the JSON string is not properly escaped before being passed to the shell, allowing arbitrary command execution.
python register.py '{"user":"alice","display_name":"Alice"}'
The skill allows the `chat_dir` parameter to be explicitly specified, overriding the default. If an agent is manipulated to set this directory to a sensitive system path, the skill's file read/write operations could lead to data exfiltration, persistence, or privilege escalation.
Shared directory: specified via the `chat_dir` parameter; defaults to `.chat-bus/` under the current directory
The skill explicitly states it relies solely on the underlying file system's access control for security. It does not implement internal access control, meaning any process with sufficient file system permissions to the shared directory can read or modify messages and user data.
Relies on the access control of the shared directory itself (file system permissions)
The `send.py` script allows users/agents to send arbitrary message content, which is stored as plaintext JSON files. This content could be crafted to include hidden instructions or misleading information, potentially corrupting an agent's RAG system or memory when processed.
python send.py '{"user":"alice","to":"bob","content":"你好 Bob!"}'