This skill enables remote code execution, installs global packages
Claims to do
1. Goal: an end-to-end workflow from user requirements to an accessible front-end and back-end application, where the back end requires no code at all and is built entirely on the AiPexBase BaaS.
Actually does
This skill uses Bash, Read, Write, Edit, Grep, and Glob tools. It installs nvm, Node.js, aipexbase-cli, and zip via curl and apt-get. It then uses the `baas` CLI to manage AiPexBase BaaS applications, including creating/updating applications and database tables based on `app-schema.json`, and inserting data. It also generates frontend code (HTML/Vue/React) by reading various reference files and `prd.md`, and contacts `github.com`, `codeflying.net`, `wikimedia.org`, and `picsum.photos` for setup and content.
openclaw skills install yakejiang/baas
Remote code download and execution detected
curl -o- https://raw.githubusercontent.com/nvm-sh/nvm/v0.39.7/install.sh | bash
The skill is granted the `Bash` tool, allowing it to execute arbitrary shell commands on the host system. This capability can be exploited for full system compromise, data exfiltration, or persistence.
allowed-tools: Bash, Read, Write, Edit, Grep, Glob
The skill is granted `Read`, `Write`, and `Edit` tools, allowing it to access, modify, and create files on the host system. This poses a significant risk for data exfiltration, integrity compromise, or injecting malicious scripts.
allowed-tools: Bash, Read, Write, Edit, Grep, Glob
The skill installs `aipexbase-cli` globally via `npm`. A compromised npm package or its dependencies could lead to arbitrary code execution and system compromise.
npm i aipexbase-cli -g
The skill handles and stores sensitive `manageToken` and `apiKey` in configuration files, which are then accessible to sub-agents. This increases the risk of credential theft or misuse if the agent or its sub-agents are compromised.
metadata: {"openclaw": {"requires": {"env": ["BAAS_MANAGE_TOKEN", "BAAS_BASE_URL"]}, "primaryEnv": "BAAS_MANAGE_TOKEN"}}, Ask the user to provide `manageToken` (the administrator token), cp <当前skill目录>/config.json ./baas-config.json, use the Edit tool to add the returned `apiKey` and `appId`.
The skill's design includes interaction with a "custom API" (自定义 API), which could be leveraged to make arbitrary network requests to attacker-controlled endpoints for data exfiltration or to trigger malicious actions.
Understand the capabilities the platform already provides: AI (chat, image-to-text, text-to-image, text-to-speech/video/audio), custom APIs, logistics tracking, geolocation, notifications (Feishu/WeCom/email), and so on.
The skill instructs the agent to spawn subagents using a detailed prompt template it constructs itself. The subagent prompt includes instructions to read arbitrary files, execute code operations, and make API calls. The parent agent controls the full prompt content passed to subagents, creating a vector for prompt injection propagation across agent boundaries.
Each page must be developed independently by a subagent; use the **Subagent task template** below to start the development task for each page. After the subagent finishes its work, there is no need to tell the user (do not send the user a message).
The skill instructs the agent to collect sensitive credentials (manageToken, baseUrl, apiKey) from the user and write them to files on disk (config.json, baas-config.json). These credentials are then copied across multiple project directories. The skill also stores these in project directories under /tmp, which may be world-readable.
Ask the user to provide `manageToken` (the administrator token)... Read `<skill目录>/config.json` and check whether `baseUrl` and `manageToken` are already configured... cp <当前skill目录>/config.json ./baas-config.json
The skill instructs projects to be placed under /tmp with a timestamp, and credentials (apiKey, manageToken, baseUrl) are stored in baas-config.json files in those directories. /tmp is typically world-readable, exposing API keys to other processes on the system.
cd <项目目录,建议放到 /tmp/时间戳/项目名称 目录下>
The skill instructs the agent to execute multiple bash commands including installing software globally (npm i aipexbase-cli -g), modifying shell environment (source ~/.bashrc), and running apt-get with sudo. This constitutes a significant attack surface for supply chain attacks via the aipexbase-cli package.
curl -o- https://raw.githubusercontent.com/nvm-sh/nvm/v0.39.7/install.sh | bash
npm i aipexbase-cli -g
sudo apt-get install -y zip
The skill instructs the agent to run sudo apt-get install -y zip, escalating to root privileges to install system packages. This is unnecessary for the stated functionality and represents a privilege escalation risk.
sudo apt-get install -y zip
The workflow copies credentials from a central config.json to project-specific baas-config.json files across multiple project directories. This proliferates sensitive tokens to numerous locations, increasing exposure surface.
cp <当前skill目录>/config.json ./baas-config.json
After batch creation succeeds, use the Edit tool to add the returned `apiKey` and `appId`.
The skill mandates spawning sub-agents for development tasks and instructs them to read `baas-config.json`, which contains sensitive API keys. This multi-agent setup increases the attack surface for credential exfiltration or malicious sub-agent actions.
Each page must be developed independently by a subagent. Read the complete contents of the following files: ... {project_dir}/baas-config.json
The skill is designed to perform critical actions like application creation and iterative development fully automatically without user confirmation, increasing the risk of unintended or malicious system modifications if the agent is compromised.
Creating a new application and iterative development both run fully automatically, with no confirmation from the user.
Subagents are explicitly instructed to not communicate their results to the user. This prevents the human overseer from reviewing what subagents have done, reducing transparency and oversight of potentially significant operations including file writes and API calls.
After the subagent finishes its work, there is no need to tell the user (do not send the user a message).
Deployment instructions are not embedded in the skill but loaded dynamically from a references/deploy.md file at runtime. If that file is tampered with or replaced, it could inject arbitrary instructions into the agent's execution flow after user confirmation has already been obtained.
For the deployment method, read `references/deploy.md` under the current skill directory.
The subagent task template instructs subagents to read files from paths that are interpolated by the parent agent ({skill_dir}, {project_dir}). If these path variables are manipulated, the subagent could be directed to read sensitive files outside intended directories.
1. {skill_dir}/references/html-template.html
2. {skill_dir}/references/style-guide.md
3. {skill_dir}/references/aipexbase-js-api.md
4. {project_dir}/prd.md