1688 Distribution Procurement Newton

Security checks across malware telemetry and agentic risk

Overview

This skill is not proven malicious, but it needs Review because it can store credentials, invoke other local skills with tokens, and perform high-impact commerce actions without clear confirmation boundaries.

Install only if you intend to grant this skill authority over real procurement, shop, order, seller-message, and after-sale workflows. Before use, review the credential-target mismatch (the configuration helper writes under the `1688-shopkeeper` entry rather than this skill's own `1688-distribution-procurement-newton` entry), avoid sharing AKs or ISV tokens broadly, restrict which local ISV skills can be executed, and require manual confirmation for supply changes, auto-order or after-sale settings, publishing, and bulk seller messages.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • Trigger Abuse: Overly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • Behavioral AST: exec() Call, eval() Call, Dynamic Import
  • Taint Tracking: Direct Taint Flow, Variable-Mediated Taint Flow, Credential Exfiltration Chain
Findings (32)

subprocess module call

Medium
Category
Dangerous Code Execution
Content
    cmd.extend(extra_args)

    try:
        result = subprocess.run(
            cmd,
            cwd=skill_path,
            capture_output=True,
Confidence
93% confidence
Finding
result = subprocess.run( cmd, cwd=skill_path, capture_output=True, text=True, timeout=60, )

Tainted flow: 'gateway_url' from os.environ.get (line 33, credential/environment) → requests.patch (network output)

Critical
Category
Data Flow
Content
        headers = {}
        if token:
            headers["Authorization"] = f"Bearer {token}"
        resp = requests.patch(f"{gateway_url}/api/config",
                              headers=headers, json=payload, timeout=5)
        return resp.ok
    except Exception:
Confidence
89% confidence
Finding
resp = requests.patch(f"{gateway_url}/api/config", headers=headers, json=payload, timeout=5)
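The pattern classes listed under Vulnerability Patterns (subprocess calls, eval/exec, dynamic import, and direct or variable-mediated taint from the process environment into a network call) can be checked with a small AST pass. The following is an added example written for this page, not SkillSpector's code and not the skill's; it runs over a constructed sample that mirrors the two excerpts above (the `gateway_url` flow into `requests.patch` and the `subprocess.run` call) plus one variable-mediated flow, and reports findings in the same (line, severity, message) shape. The sample functions, environment variable names, and hook URL are made up for the demonstration.

```python
import ast

# Call patterns to flag: (module-or-None, attribute-or-name) -> label.
DANGEROUS_CALLS = {
    ("subprocess", "run"): "subprocess module call",
    ("subprocess", "Popen"): "subprocess module call",
    ("subprocess", "check_output"): "subprocess module call",
    ("os", "system"): "shell command execution",
    (None, "eval"): "eval() call",
    (None, "exec"): "exec() call",
    (None, "__import__"): "dynamic import",
    ("importlib", "import_module"): "dynamic import",
}


def _callee(call):
    """(module_or_None, name) for plain `name(...)` or `module.name(...)` calls, else None."""
    f = call.func
    if isinstance(f, ast.Name):
        return (None, f.id)
    if isinstance(f, ast.Attribute) and isinstance(f.value, ast.Name):
        return (f.value.id, f.attr)
    return None


def _names_in(node):
    """Identifiers referenced anywhere under node, including inside f-strings."""
    return {n.id for n in ast.walk(node) if isinstance(n, ast.Name)}


def _is_env_read(value):
    """True for os.environ.get(...), os.getenv(...) and os.environ[...]."""
    if isinstance(value, ast.Call):
        return ast.unparse(value.func) in ("os.environ.get", "os.getenv")
    return isinstance(value, ast.Subscript) and ast.unparse(value.value) == "os.environ"


def scan_source(src):
    """Return sorted (line, severity, message) findings for one Python source file."""
    tree = ast.parse(src)
    tainted = {}  # variable name -> line of the environment read it derives from
    # Pass 1, in source order: direct env reads and variable-mediated propagation.
    assigns = [n for n in ast.walk(tree)
               if isinstance(n, ast.Assign) and len(n.targets) == 1
               and isinstance(n.targets[0], ast.Name)]
    for node in sorted(assigns, key=lambda n: n.lineno):
        target = node.targets[0].id
        if _is_env_read(node.value):
            tainted[target] = node.lineno
        else:
            upstream = _names_in(node.value) & set(tainted)
            if upstream:
                tainted[target] = min(tainted[name] for name in upstream)
            else:
                tainted.pop(target, None)  # reassigned from clean data
    # Pass 2: dangerous calls, and requests.* sinks that consume tainted values.
    findings = []
    for node in ast.walk(tree):
        if not isinstance(node, ast.Call):
            continue
        key = _callee(node)
        if key in DANGEROUS_CALLS:
            findings.append((node.lineno, "medium", DANGEROUS_CALLS[key]))
        if key and key[0] == "requests":
            used = set()
            for arg in node.args + [kw.value for kw in node.keywords]:
                used |= _names_in(arg)
            for name in sorted(used & set(tainted)):
                findings.append((node.lineno, "critical",
                                 f"tainted flow: '{name}' from process environment "
                                 f"(line {tainted[name]}) -> requests.{key[1]} (network output)"))
    return sorted(findings)


# Constructed sample (not the skill's code): mirrors the two excerpts above plus a
# variable-mediated flow; line numbers start at 1 on the import line.
SAMPLE = '''\
import os, subprocess, requests

def push_config(payload, token=None):
    gateway_url = os.environ.get("GATEWAY_URL", "http://127.0.0.1:18789")
    headers = {}
    if token:
        headers["Authorization"] = f"Bearer {token}"
    resp = requests.patch(f"{gateway_url}/api/config", headers=headers, json=payload, timeout=5)
    return resp.ok

def run_skill(skill_path, extra_args):
    cmd = ["python3", "main.py"]
    cmd.extend(extra_args)
    return subprocess.run(cmd, cwd=skill_path, capture_output=True, text=True, timeout=60)

def report(status):
    hook = os.getenv("REPORT_HOOK")
    url = hook + "/status"
    requests.post(url, json=status, timeout=5)
'''

if __name__ == "__main__":
    for line, severity, message in scan_source(SAMPLE):
        print(f"{severity:8} line {line}: {message}")
```

The taint pass is deliberately shallow (single-target assignments, name-level propagation, `requests.*` as the only sink); it is enough to reproduce the two flows the report shows, and a real scanner would also follow function arguments, returns, and other network libraries.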

Description-Behavior Mismatch

Medium
Confidence
90% confidence
Finding
The README advertises materially broader operational capabilities than the manifest description, including binding, supplier linking, supplier switching, order handling, reminders, and aftersales flows. This creates a scope-transparency problem: agents, reviewers, or users may authorize or invoke actions beyond what they reasonably expect from a procurement/inventory/price-monitoring skill, increasing the chance of overprivileged or unsafe use.

Description-Behavior Mismatch

Medium
Confidence
88% confidence
Finding
Including refund/return and aftersales features in documentation when the skill metadata describes a procurement-focused assistant expands the apparent action surface without corresponding disclosure. In practice, this can mislead users and orchestrators into granting trust to a skill that may perform financially or operationally sensitive post-sale actions outside the expected scope.

Context-Inappropriate Capability

Medium
Confidence
80% confidence
Finding
The script performs ISV token fetch/status operations that are unrelated to the declared procurement, inventory synchronization, and price-monitoring purpose of the skill. In a skill package, unrelated credential or token-management code increases suspicion because it may enable access to external platform capabilities outside the advertised scope and can be abused for unauthorized token acquisition or account probing.

Context-Inappropriate Capability

Medium
Confidence
95% confidence
Finding
The helper falls back to reading credentials from a global OpenClaw config file and specifically pulls the API key from another skill entry ("1688-shopkeeper"). That creates cross-skill secret sharing and breaks least-privilege boundaries: this procurement skill can silently inherit broader credentials than intended, enabling unauthorized API actions if the file is present.

Description-Behavior Mismatch

Medium
Confidence
91% confidence
Finding
The function enumerates every hidden directory under the user's home folder and treats any nested `skills` directory as a candidate platform path. This is broader than the stated procurement use case and can expose information about other installed agent platforms and local tooling, creating unnecessary local reconnaissance and privacy risk if invoked without strict need or disclosure.

Description-Behavior Mismatch

Medium
Confidence
84% confidence
Finding
This module provides generic cross-platform skill enumeration and lookup by app key, name, and metadata, which materially expands the skill's reach beyond procurement automation. Such broad discovery logic can be used to identify and map other locally installed skills/providers, increasing the attack surface for unauthorized capability discovery or chaining with other components.

Description-Behavior Mismatch

Medium
Confidence
83% confidence
Finding
The helper exposes a publish operation that performs product distribution/listing, which exceeds the stated procurement/inventory/price-monitoring scope of the skill. This scope expansion increases the blast radius of compromise or misuse by enabling externally triggered listing actions, potentially causing unauthorized product publication or cross-tenant business actions.

Intent-Code Divergence

Medium
Confidence
98% confidence
Finding
The batch handler unconditionally records each link_supply invocation as success=true and increments success_count, even when link_supply returns {"success": False, ...}. This can mask failed supplier-linking operations, causing downstream automation to believe associations were completed and potentially triggering incorrect purchasing, inventory, or fulfillment actions.

Description-Behavior Mismatch

Medium
Confidence
90% confidence
Finding
The helper deliberately extracts and returns appKey values together with channel and shop identifiers for 'ISV skill discovery and Token acquisition'. That expands the data exposure beyond the skill's stated procurement/inventory/price-monitoring scope and creates an enumeration primitive that could be used to discover integrations and facilitate downstream token acquisition or unauthorized cross-tool access if consumed by other components.

Context-Inappropriate Capability

Medium
Confidence
91% confidence
Finding
This code expands beyond supply-switching into downstream ISV skill discovery, token retrieval, and cross-skill execution that can trigger external side effects on third-party shops. That broader capability increases privilege and blast radius, and it is not clearly constrained by the stated skill purpose, making unauthorized linking or misuse more likely if invoked with attacker-controlled parameters.

Context-Inappropriate Capability

Medium
Confidence
95% confidence
Finding
The function reads USER_ID from the environment and otherwise falls back to a hard-coded user identifier, which can cause operations to run under the wrong identity. In a procurement workflow, that may expose or mutate another user's matching tasks and associated business data, creating an authorization boundary failure.

Description-Behavior Mismatch

High
Confidence
97% confidence
Finding
`SKILL_NAME` is set to `1688-shopkeeper` while the analyzed skill metadata is `1688-distribution-procurement-newton`, so this configuration service may write credentials into the wrong skill entry. That can misroute secrets, cause unintended cross-skill access, and potentially leak or activate credentials for a different component than the user intended.

Context-Inappropriate Capability

Medium
Confidence
98% confidence
Finding
The file hardcodes platform client IDs and HMAC signing secrets directly in source code. Embedded secrets are vulnerable to source disclosure, reuse across environments, and unauthorized API signing by anyone who obtains the code or logs, which is especially dangerous in a procurement automation skill that can trigger authenticated backend actions.

Description-Behavior Mismatch

Medium
Confidence
95% confidence
Finding
The file implements extensive Douyin procurement, SKU linking, auto-order, and after-sale actions even though the skill metadata describes a 1688 distribution procurement assistant. This scope expansion can expose users to unintended high-impact operations on a different platform, weakening least-privilege assumptions and increasing the chance of unauthorized or surprising business actions if the skill is invoked in the wrong context.

Description-Behavior Mismatch

Medium
Confidence
92% confidence
Finding
The code saves full after-sale automation settings, including refund/cancel behavior, which goes beyond the manifest's stated procurement, inventory sync, and price monitoring workflow. Because these endpoints can change operational policy, a user or calling agent may trigger business-critical configuration changes without expecting the skill to have that authority.

Description-Behavior Mismatch

Medium
Confidence
94% confidence
Finding
The Douyin after-sale rule management functions introduce another out-of-scope configuration surface beyond the declared 1688 procurement assistant behavior. In context, this is more dangerous because the same file already mixes platforms and operational domains, making it easier for an agent or integrator to invoke sensitive settings changes under an overly broad trust boundary.

Vague Triggers

Medium
Confidence
81% confidence
Finding
The trigger description is broad and does not clearly limit when the skill should activate or when it must refuse execution. In practice, that increases the chance of over-triggering on ambiguous commerce requests and performing sensitive procurement, account, or messaging actions without sufficiently specific user intent.

Missing User Warnings

Medium
Confidence
88% confidence
Finding
The skill instructs users to retrieve and configure an AK and notes that it is identity-bound, but it does not warn that this credential is sensitive, can authorize account actions, and may be stored or exposed through logs, shell history, or local configuration. In this context, the credential grants access to procurement-related APIs, so mishandling it can lead to account compromise or unauthorized business operations.

Missing User Warnings

Medium
Confidence
91% confidence
Finding
The documented workflow includes direct business-state changes such as linking/replacing supply, automatic supply switching, order actions, and seller messaging, but it does not require explicit confirmation, preview, or impact warnings before execution. In a procurement context, these actions can change inventory sources, place or influence orders, and affect merchant communications, creating financial and operational risk if triggered incorrectly.

Missing User Warnings

Medium
Confidence
87% confidence
Finding
This code accesses sensitive API credentials from both environment and a local config file without any user-facing disclosure, operator warning, or audit signal. The silent fallback makes secret usage harder to detect and review, increasing the chance of accidental overreach, hidden credential dependency, and misuse during deployment or troubleshooting.
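The credential and identity findings above (the fallback to the `1688-shopkeeper` config entry, the hard-coded USER_ID fallback, the `SKILL_NAME` mismatch that writes secrets under the wrong entry, and the silent credential access with no audit signal) share one fix: resolve secrets and identity only from this skill's own scope, fail closed when they are missing, and log which source was used. The code below is an added example, not the skill's own helper. The config layout (a `skills` map keyed by skill name with an `apiKey` field), the `API_KEY` and `USER_ID` variable names, and the in-memory dict standing in for the global OpenClaw file are all assumptions, since the report does not show that file's format.

```python
import logging

# This skill's own entry, from the metadata in the report, and the entry the
# flagged helper was found borrowing from.
SKILL_NAME = "1688-distribution-procurement-newton"
OTHER_SKILL = "1688-shopkeeper"


class CredentialError(RuntimeError):
    """Raised instead of silently falling back to a wrong credential or identity."""


def resolve_api_key_permissive(env, config):
    """Reproduces the flagged pattern: env first, then silently borrow another skill's key."""
    key = env.get("API_KEY")
    if key:
        return key
    return config.get("skills", {}).get(OTHER_SKILL, {}).get("apiKey")


def resolve_api_key_strict(env, config, skill_name=SKILL_NAME,
                           log=logging.getLogger("creds")):
    """Hardened lookup: only this skill's own entry, no cross-skill borrowing,
    and an audit line for whichever source supplied the key."""
    key = env.get("API_KEY")
    if key:
        log.info("api key source=env skill=%s", skill_name)
        return key
    key = config.get("skills", {}).get(skill_name, {}).get("apiKey")
    if key:
        log.info("api key source=config skill=%s", skill_name)
        return key
    raise CredentialError(
        f"no API key configured for {skill_name}; refusing to borrow another skill's credentials")


def resolve_user_id(env):
    """Hardened identity lookup: a missing USER_ID is an error, never a default identity."""
    uid = env.get("USER_ID", "").strip()
    if not uid:
        raise CredentialError("USER_ID is not set; refusing to run under a default identity")
    return uid


def write_api_key(config, key, skill_name=SKILL_NAME):
    """Persist the key under this skill's own entry (the flagged service used 1688-shopkeeper)."""
    config.setdefault("skills", {}).setdefault(skill_name, {})["apiKey"] = key
    return config


# Constructed config: only the other skill has a key, which is exactly the case
# in which the permissive helper silently inherits credentials.
CONSTRUCTED_CONFIG = {"skills": {OTHER_SKILL: {"apiKey": "shopkeeper-key-example"}}}

if __name__ == "__main__":
    logging.basicConfig(level=logging.INFO)
    print("permissive:", resolve_api_key_permissive({}, CONSTRUCTED_CONFIG))
    try:
        resolve_api_key_strict({}, CONSTRUCTED_CONFIG)
    except CredentialError as exc:
        print("strict:", exc)
```

Keeping the skill name in one constant that matches the manifest, and making both the read and the write path use it, removes the mismatch class of bug; the audit log line is what lets an operator notice a hidden config dependency during troubleshooting.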

Missing User Warnings

Low
Confidence
88% confidence
Finding
The code silently scans hidden directories in the user's home folder, which may reveal installed platforms, products, or account context without any notice. Even though it only checks for `skills` subdirectories, this still constitutes undisclosed local environment inspection and can violate user expectations or internal privacy boundaries.
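The home-directory scan described in the two findings above (every hidden directory walked, any nested `skills` directory taken as a platform path) can be put beside a constrained lookup to show what the broad version over-collects. This is an added example, not the skill's code; the platform directory name `.openclaw` and the constructed home layout are assumptions, built in a temporary directory so the example runs offline.

```python
import tempfile
from pathlib import Path


def find_skill_dirs_broad(home):
    """Reproduces the flagged pattern: walk every hidden directory under home and
    treat any nested `skills` directory as a candidate platform path."""
    hits = []
    for entry in sorted(Path(home).iterdir()):
        if entry.is_dir() and entry.name.startswith("."):
            for candidate in sorted(entry.rglob("skills")):
                if candidate.is_dir():
                    hits.append(candidate)
    return hits


# Assumption: the only platform this skill is declared to run on.
KNOWN_PLATFORM_ROOTS = (".openclaw",)


def find_skill_dirs_constrained(home, roots=KNOWN_PLATFORM_ROOTS, notify=print):
    """Constrained alternative: check only declared roots and announce each path read,
    so the inspection is both bounded and disclosed."""
    hits = []
    for root in roots:
        candidate = Path(home) / root / "skills"
        notify(f"checking {candidate}")
        if candidate.is_dir():
            hits.append(candidate)
    return hits


def build_constructed_home():
    """Constructed layout: the target platform, an unrelated agent with its own
    skills directory, and a hidden directory that has nothing to do with skills."""
    home = Path(tempfile.mkdtemp())
    (home / ".openclaw" / "skills").mkdir(parents=True)
    (home / ".other-agent" / "data" / "skills").mkdir(parents=True)
    (home / ".ssh").mkdir()
    (home / ".ssh" / "config").write_text("")
    return home


if __name__ == "__main__":
    home = build_constructed_home()
    print("broad:", [p.relative_to(home).as_posix() for p in find_skill_dirs_broad(home)])
    print("constrained:", [p.relative_to(home).as_posix()
                           for p in find_skill_dirs_constrained(home)])
```

The broad walk returns the unrelated agent's directory as well, which is the reconnaissance the finding objects to; the constrained version touches one declared path and tells the user about it.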

Missing User Warnings

Medium
Confidence
87% confidence
Finding
The send_ww_message function transmits seller communication content and associated order IDs to an external service without any built-in user confirmation, disclosure, or guardrails. In this skill context, order IDs and free-form message content may contain business-sensitive or personal information, so unintended transmission can cause privacy, compliance, or operational issues.

Missing User Warnings

High
Confidence
94% confidence
Finding
batch_urge_sellers automatically groups risk orders and sends outbound messages to multiple sellers in a loop, creating a bulk external-action capability without a confirmation gate, dry-run mode, or approval workflow. In a procurement/order-management skill, this is more dangerous because a mistaken or manipulated invocation can trigger large-scale unintended seller communications, causing spam, reputational harm, or operational disruption.
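Two findings above concern the same batch loop shape: the link_supply batch that records success=true regardless of what link_supply returned, and batch_urge_sellers, which sends to many sellers with no confirmation gate or dry-run. The runner below is an added example, not the skill's code; it shows both fixes in one place: a dry-run that returns the plan without side effects, an explicit confirmation and a size cap before any live run, and per-item success taken from each action's own return value. The seller-message action and the risk orders are constructed stand-ins.

```python
from dataclasses import dataclass, field


class ConfirmationRequired(PermissionError):
    """A live batch was requested without explicit user approval."""


@dataclass
class BatchResult:
    dry_run: bool
    planned: list = field(default_factory=list)   # what a live run would do
    results: list = field(default_factory=list)   # one entry per item, live runs only
    success_count: int = 0
    failure_count: int = 0


def run_batch(action, items, *, dry_run=True, confirmed=False, max_items=20):
    """Apply `action(item) -> dict with a 'success' key` to items with guardrails.

    dry_run=True (the default) returns the plan and performs no side effect.
    A live run needs confirmed=True and must stay under max_items.
    Success is read from each action's own result; a raised exception counts as failure.
    """
    items = list(items)
    result = BatchResult(dry_run=dry_run, planned=[repr(i) for i in items])
    if dry_run:
        return result
    if not confirmed:
        raise ConfirmationRequired(
            f"{len(items)} external actions pending; explicit confirmation required")
    if len(items) > max_items:
        raise ValueError(
            f"batch of {len(items)} exceeds max_items={max_items}; split it or raise the limit deliberately")
    for item in items:
        try:
            out = action(item)
            ok = bool(out.get("success", False))
        except Exception as exc:  # a crashing action is a failed item, not a crashed batch
            out, ok = {"success": False, "error": repr(exc)}, False
        result.results.append({"item": item, "success": ok, "detail": out})
        if ok:
            result.success_count += 1
        else:
            result.failure_count += 1
    return result


def make_fake_urge_seller(sent):
    """Constructed stand-in for a seller-message action: records each send into
    `sent` and reports failure for one order, like a real API would."""
    def urge(order):
        if order["order_id"] == "ORD-2":
            return {"success": False, "error": "seller unreachable"}
        sent.append(order["order_id"])
        return {"success": True}
    return urge


# Constructed risk orders for the demonstration.
RISK_ORDERS = [
    {"order_id": "ORD-1", "seller": "seller-a"},
    {"order_id": "ORD-2", "seller": "seller-b"},
    {"order_id": "ORD-3", "seller": "seller-a"},
]

if __name__ == "__main__":
    sent = []
    urge = make_fake_urge_seller(sent)
    plan = run_batch(urge, RISK_ORDERS)                      # dry run: nothing sent
    print("plan:", plan.planned, "sent so far:", sent)
    live = run_batch(urge, RISK_ORDERS, dry_run=False, confirmed=True)
    print("sent:", sent, "ok:", live.success_count, "failed:", live.failure_count)
```

The shape a calling agent should see is: request the plan, show it to the user, and only then call again with `dry_run=False, confirmed=True`; the tally it gets back reflects what the remote side actually reported.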

VirusTotal

0/66 vendors flagged this skill; all 66 reported it clean.