1688 Distribution Amazon

Security checks across malware telemetry and agentic risk

Overview

This skill is an e-commerce automation workflow that clearly focuses on creating Amazon draft listings and does not show hidden publishing, exfiltration, or destructive behavior.

Install only if you intend to let the skill use your Dianxiaobao user ID and gateway credentials to query stores/products and create Amazon draft listings. Keep the .env and generated /tmp session directories private, and delete old session directories if you no longer need the saved workflow artifacts.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Trigger Abuse: Overly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • MCP Least Privilege: Underdeclared Capability, Wildcard Permission, Missing Permission Declaration
  • MCP Tool Poisoning: Hidden Instructions, Unicode Deception, Parameter Description Injection
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
Findings (5)

Lp3

Medium
Category
MCP Least Privilege
Confidence
92% confidence
Finding
The skill declares no explicit permissions while instructing use of environment variables, shell execution, file reads/writes, networked API calls, and session storage. This creates an opaque trust boundary: operators and policy systems cannot accurately assess or constrain what the skill is allowed to do, increasing the chance of over-privileged execution and secret exposure through downstream scripts.

Tp4

High
Category
MCP Tool Poisoning
Confidence
84% confidence
Finding
The documented purpose is narrowly framed as creating Amazon draft listings, but the analysis indicates the underlying code exposes broader image-manipulation capabilities and a generic image API wrapper that could be repurposed beyond that scope. In addition, the skill does perform a real remote call to the shop system's release/save endpoint, so the description understates the extent of external actions and available functionality, which can mislead users and reviewers about operational risk.

Vague Triggers

Medium
Confidence
80% confidence
Finding
The trigger text says this skill 'must be used' for a wide set of phrases related to Amazon listing, which is overly broad and coercive. Broad mandatory activation can cause the agent to invoke a shell/network-capable workflow in contexts where the user intended only discussion, planning, or a different platform flow, increasing the risk of unintended external actions and unnecessary secret use.

Missing User Warnings

Medium
Confidence
93% confidence
Finding
The script persists the Amazon store's encryptedCode into session files on disk, which creates a recoverable local copy of a sensitive credential-like identifier. Even though the session directory is created with 0700 permissions, writing secrets to disk increases exposure through backups, logs, developer access, malware, or later accidental disclosure; in this skill context, the value is used to act on a seller account, so compromise could enable unauthorized store operations.

Missing User Warnings

Medium
Confidence
89% confidence
Finding
The executable path in __main__ automatically calls list_amazon_stores(), which performs a network request to retrieve account-linked Amazon store information without any user-facing notice, consent prompt, or explicit confirmation. In the context of an e-commerce automation skill that handles shop bindings and account metadata, silently enumerating stores increases privacy risk and can expose sensitive business account information if run in an unexpected context or by another local user/process.

VirusTotal

66/66 vendors flagged this skill as clean.