1688 Distribution Material Newton

Security checks across malware telemetry and agentic risk

Overview

The skill mostly matches a 1688 material-optimization tool, but it also handles sensitive credentials and ISV tokens in ways that are broader and riskier than the advertised workflow.

Install only if you are comfortable giving this skill a 1688 AK and having product prompts, IDs, and image URLs sent to 1688 gateway services. Prefer configuring credentials through a secure OpenClaw secret mechanism rather than pasting AKs into chat, avoid using the ISV token commands unless you specifically need them, and do not use the watermark-removal flow unless you own or are authorized to modify the images.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • Trigger Abuse: Overly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • Behavioral AST: exec() Call, eval() Call, Dynamic Import
  • Taint Tracking: Direct Taint Flow, Variable-Mediated Taint Flow, Credential Exfiltration Chain
Findings (25)

Dynamic attribute access via getattr()

Low
Category
Dangerous Code Execution
Content
}, ensure_ascii=False, indent=2))
            sys.exit(1)

        handler = getattr(cmd_module, action, None)
        if handler is None or not callable(handler):
            # Only show functions defined in this module, excluding imported ones
            available = [name for name in dir(cmd_module)
Confidence
83% confidence
Finding
handler = getattr(cmd_module, action, None)

Tainted flow: 'gateway_url' from os.environ.get (line 35, credential/environment) → requests.patch (network output)

Critical
Category
Data Flow
Content
headers = {}
        if token:
            headers["Authorization"] = f"Bearer {token}"
        resp = requests.patch(f"{gateway_url}/api/config",
                              headers=headers, json=payload, timeout=5)
        return resp.ok
    except Exception:
Confidence
92% confidence
Finding
resp = requests.patch(f"{gateway_url}/api/config", headers=headers, json=payload, timeout=5)

Description-Behavior Mismatch

Medium
Confidence
93% confidence
Finding
Exposing ISV token fetch/status operations in a skill framed as image/title/selling-point optimization introduces privileged account-management functionality unrelated to the core task. That increases the chance of misuse, accidental invocation, or credential handling in a context where users do not expect it.

Context-Inappropriate Capability

Medium
Confidence
92% confidence
Finding
Providing token-management commands inside a material-optimization skill violates least privilege and expands the attack surface from content processing into credential operations. In skill ecosystems, bundling unrelated privileged functions makes review and safe routing more difficult and can enable abuse if the skill is triggered in broader contexts.

Description-Behavior Mismatch

Medium
Confidence
90% confidence
Finding
The file advertises a generic biz-domain/action execution model in addition to the stated material-optimization commands. In the context of a narrowly scoped image/title optimization skill, this broader dispatch model can enable hidden or undocumented functionality not reflected in the manifest, undermining least privilege and making abuse or accidental misuse more likely.

Context-Inappropriate Capability

Medium
Confidence
88% confidence
Finding
The usage text exposes ISV token fetch/status operations even though the skill is described as a material-optimization tool. Token management is a higher-sensitivity capability than image/title processing; combining it into this skill increases the chance that the skill can access or manipulate credentials outside user expectations.

Context-Inappropriate Capability

Medium
Confidence
92% confidence
Finding
The domain discovery and action dispatch logic dynamically imports biz modules and allows invocation of arbitrary callable actions from them based on user input. In this skill context, that is especially risky because the declared purpose is narrowly limited to content optimization, yet the implementation can expose any callable present in biz modules, including administrative or token-related functions not intended for end users.

Description-Behavior Mismatch

High
Confidence
82% confidence
Finding
The file's behavior is unrelated to the declared 1688 material-optimization skill and instead performs local environment inspection and optional package installation. This mismatch is dangerous because off-purpose code increases the chance of hidden or unnecessary system-side actions, especially in a skill that should focus on image/title processing rather than host setup.

Context-Inappropriate Capability

Medium
Confidence
79% confidence
Finding
The code can install a Python package via subprocess, which is not justified by the skill's end-user purpose of 1688 image/title optimization. Even though the package name is fixed, unexpected runtime package installation changes the host environment and introduces supply-chain and integrity risk that is unnecessary for normal skill execution.

Description-Behavior Mismatch

High
Confidence
88% confidence
Finding
This file implements AK credential collection and configuration, which is materially different from the declared skill purpose of image/title/material optimization. In a skill package, capability drift like this increases supply-chain and trust risk because users may be prompted to provide sensitive credentials unrelated to the advertised function.

Context-Inappropriate Capability

Medium
Confidence
90% confidence
Finding
Prompting the user to retrieve and enter an AK introduces credential intake behavior that is not justified by the stated image/title optimization use case in the provided metadata. That mismatch makes the skill more dangerous in context because users may disclose sensitive platform access keys to a component they would not expect to handle secrets.

Description-Behavior Mismatch

Medium
Confidence
93% confidence
Finding
The documented trigger list includes '去水印' (watermark removal), which expands the skill from benign image enhancement into potentially infringing or deceptive image manipulation. In this commerce context, enabling watermark removal can facilitate misuse against third-party intellectual property, platform protections, or provenance indicators, making the workflow materially riskier than a normal image optimization skill.

Context-Inappropriate Capability

Medium
Confidence
70% confidence
Finding
The service handles sensitive credentials by reading them from environment/config sources and persisting them locally, expanding the secret's exposure window and attack surface. In a skill framed as a material-optimization tool, this credential-management behavior is more security-sensitive because it is not obviously expected from the declared functionality.

Description-Behavior Mismatch

High
Confidence
95% confidence
Finding
This file implements ISV token retrieval and status checking, which is unrelated to the skill’s declared 1688 material optimization scope. Hidden credential or token-management functionality inside an unrelated skill increases the risk of unauthorized access to platform APIs, secret exposure, and privilege misuse because users and reviewers would not reasonably expect this capability here.

Context-Inappropriate Capability

Medium
Confidence
84% confidence
Finding
This file retrieves an ISV token from a privileged backend API and persists it locally, which is outside the stated purpose of a material-optimization skill focused on images, titles, and selling points. Even if this is intended for supporting API access, introducing credential acquisition and local token exposure into a user-facing content tool increases the attack surface and creates an unnecessary secret-handling path that could be abused by other code, leaked from disk, or repurposed for unauthorized API access.

Missing User Warnings

Medium
Confidence
97% confidence
Finding
The report includes a masked AK value and explicitly documents that credentials were configured successfully, which confirms the presence and partial form of a sensitive secret in project artifacts. Even partially masked secrets and credential-handling details can aid attackers through secret enumeration, environment fingerprinting, or accidental disclosure when reports are shared beyond the intended audience.

Missing User Warnings

Medium
Confidence
79% confidence
Finding
The CLI reports usage telemetry after every command via report_skill_usage() with no visible disclosure, consent, or indication of what data is transmitted. Silent telemetry is a security and privacy concern because user inputs may contain offer IDs, image URLs, prompts, or other business-sensitive data, especially in a commercial optimization workflow.

Missing User Warnings

Medium
Confidence
94% confidence
Finding
The skill explicitly asks the user to paste an AK secret into the chat and then instructs the agent to pass that credential directly on the command line. Secrets entered in chat and shell arguments are commonly exposed through chat logs, agent traces, shell history, process listings, and telemetry, creating unnecessary credential disclosure risk.

Missing User Warnings

Medium
Confidence
76% confidence
Finding
The document describes an asynchronous image-editing flow that generates modified output, but it does not clearly warn users that their original content will be altered and that final results may arrive later after polling. This is less severe than direct data exfiltration, but it can still mislead users about system behavior, create confusion about content integrity, and cause unintended use of AI-modified assets.

Missing User Warnings

Low
Confidence
76% confidence
Finding
The document describes an asynchronous image-editing flow that generates modified output, but it does not clearly warn users that their original content will be altered and that final results may arrive later after polling. This is less severe than direct data exfiltration, but it can still mislead users about system behavior, create confusion about content integrity, and cause unintended use of AI-modified assets.

Vague Triggers

Medium
Confidence
79% confidence
Finding
The trigger keywords are broad and loosely scoped, so ordinary image-related requests may invoke this skill even when the user's intent is outside safe, intended product-image optimization. In combination with generative editing and the inclusion of watermark removal, overbroad matching increases the chance of unauthorized or noncompliant transformations being routed to the skill.

Missing User Warnings

Medium
Confidence
84% confidence
Finding
The code writes the API key into local configuration storage in plaintext JSON without any visible user warning, consent, or protection controls. Persistent plaintext secret storage increases the risk of credential theft from local compromise, backups, logs, or overly broad filesystem permissions.

Missing User Warnings

Medium
Confidence
90% confidence
Finding
The function transmits the API key to a gateway endpoint, with a default URL of http://localhost:18789, and provides no enforcement of transport security or destination trust. This can leak credentials over an insecure channel or to an attacker-controlled service if environment configuration is manipulated or localhost assumptions do not hold.

Missing User Warnings

Medium
Confidence
88% confidence
Finding
The function forwards a user-supplied prompt together with a user identifier to a remote API without any validation, minimization, or visible consent boundary in this file. In a skill that processes free-form user text, this creates a real privacy and data-handling risk because sensitive user content may be transmitted to backend services unexpectedly or logged downstream.

Ssd 3

Medium
Confidence
97% confidence
Finding
The workflow solicits a sensitive credential in plain language ("我的AK是 xxxxxx") and instructs the agent to extract it directly from the user's message for operational use. In this skill context, the credential is not incidental content but an authentication secret needed to access external services, so requesting it in-band through chat materially increases the chance of credential leakage and reuse by anyone with access to conversation records.

VirusTotal

66/66 vendors flagged this skill as clean.
