1688 Distribution Product Selection Newton

Security checks across malware telemetry and agentic risk

Overview

This skill's 1688 product-selection purpose is largely consistent with what its code does, but it collects and stores sensitive credentials (a user-bound AK and cached ISV tokens) while disabling HTTPS certificate verification for the authenticated API traffic that carries them.

Install only if you trust the publisher and need authenticated 1688 product-selection access. Treat the AK and ISV tokens as account credentials, do not paste or share them casually, and prefer a version that enables normal HTTPS certificate verification before using real business credentials.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • MCP Least Privilege: Underdeclared Capability, Wildcard Permission, Missing Permission Declaration
  • MCP Tool Poisoning: Hidden Instructions, Unicode Deception, Parameter Description Injection
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
Findings (14)

Lp3

Medium
Category
MCP Least Privilege
Confidence
93% confidence
Finding
The skill invokes shell commands, reads local files, uses environment-backed credentials, writes configuration/token files, and performs network/API operations, but does not declare corresponding permissions. This creates a capability transparency gap: the user or platform may believe the skill is limited to product selection while it can modify local state and handle sensitive credentials.

Tp4

High
Category
MCP Tool Poisoning
Confidence
95% confidence
Finding
The documented purpose is product selection and analysis, but the skill also performs credential setup, local configuration writes, dependency installation, and ISV token retrieval/caching. That mismatch is dangerous because it broadens the attack surface beyond the user-expected business function and could lead to silent persistence of secrets or system changes.

Description-Behavior Mismatch

High
Confidence
87% confidence
Finding
This example script performs local environment inspection and package installation behavior that is unrelated to the stated 1688 product-selection skill. Purpose-mismatched code in a skill increases trust confusion and expands the local execution surface, making users more likely to run unnecessary code with system-modifying effects.

Context-Inappropriate Capability

High
Confidence
91% confidence
Finding
The code can install a Python package on the local machine, which is unjustified by the business purpose of a 1688 product-selection assistant. Unnecessary package installation increases supply-chain and environment-modification risk, especially if users run example files assuming they are part of normal skill operation.

Context-Inappropriate Capability

Medium
Confidence
86% confidence
Finding
The HTTP client reads proxy configuration from /etc/environment, which expands the skill's trust boundary to host-level configuration outside its stated product-selection purpose. This can route API traffic through an attacker-controlled or unexpected proxy, exposing signed requests, metadata, and response contents; the risk is amplified because this same module also disables TLS certificate verification.

Description-Behavior Mismatch

Medium
Confidence
91% confidence
Finding
This command implements AK credential configuration and persistence, which is materially different from the declared product-selection functionality of the skill. That mismatch expands the skill's trust boundary and can mislead users into providing sensitive credentials to a capability they would reasonably expect to only perform search and analysis tasks.

Description-Behavior Mismatch

Medium
Confidence
93% confidence
Finding
The reference document defines post-deployment workflow logic ('continue shipping remaining items') that goes beyond the declared scope of this capability, which is limited to querying and analyzing distribution product information. In an agentic system, embedding operational follow-up behavior in a data-reference file can cause the model to initiate unintended commerce actions or pressure the user into repeated transactions without that behavior being explicitly authorized by the skill manifest.

Missing User Warnings

Medium
Confidence
88% confidence
Finding
The README explicitly tells users where the AK credential file is stored and encourages them to inspect it, but does not warn that the file contains sensitive authentication material that must not be shared, logged, or committed. In a skill centered on authenticated API access, this increases the chance of credential leakage through screenshots, terminal capture, support requests, or repository check-ins.

Missing User Warnings

High
Confidence
96% confidence
Finding
The skill instructs the user to provide an AK that is explicitly bound to the user identity, then configures it for subsequent use without any clear secret-handling, masking, retention, or consent safeguards. Requesting and processing identity-bound credentials in conversational flow is highly sensitive and can enable account misuse, data access, or unauthorized API actions if exposed or mishandled.

Missing User Warnings

Medium
Confidence
90% confidence
Finding
The skill states that ISV tokens are cached to a local file shared across skills, but provides no controls around file permissions, encryption, lifecycle, or cross-skill access boundaries. Local plaintext token caching can lead to token theft or unintended reuse by other tools or users on the same environment.

Missing User Warnings

Medium
Confidence
80% confidence
Finding
The script prompts the user for an AK credential and immediately passes it to `configure_via_gateway` without telling the user how the secret will be stored, transmitted, or protected. In a distribution/product-selection skill that relies on account access, credential handling is expected, but the lack of transparency and safeguards still creates a real security weakness because users may expose a sensitive token without understanding the risk.

Missing User Warnings

Medium
Confidence
99% confidence
Finding
The request is made with verify=False, disabling TLS certificate validation and making HTTPS vulnerable to man-in-the-middle interception and tampering. In this skill, the client sends authenticated API requests and processes business responses, so an attacker on the network or controlling a proxy could read or modify traffic, steal secrets, or forge API results.

Missing User Warnings

Medium
Confidence
88% confidence
Finding
The service persists an ISV access token to a local file via save_token(app_key, str(token), expire_hours) without any visible safeguards in this file such as encryption, restrictive file permissions, or user disclosure/consent. Because this skill handles distribution and token-based API access, local plaintext token storage can expose reusable credentials to other local users, processes, logs, backups, or misconfigured deployments, enabling unauthorized API access until expiry.
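The two token-caching findings (the shared cache file with no permission or lifecycle controls, and the save_token call that writes the ISV token in plaintext) are addressed by the same small set of controls: owner-only file mode, atomic writes, a check on load that refuses files anyone else could have read or replaced, expiry enforced on read, and a redacted form for anything that reaches logs or the chat transcript. The block below is an added example for this page, not the skill's own save_token; the function signatures, the cache path, and the sample token are constructed, and it assumes a POSIX host where file modes and ownership are meaningful.

```python
import json
import os
import stat
import tempfile
import time
from pathlib import Path
from typing import Dict, Optional


class UnsafeTokenFileError(RuntimeError):
    """The cache file is readable by others or not owned by us; refuse to trust it."""


def save_token(cache_path: Path, app_key: str, token: str, expire_hours: float,
               now: Optional[float] = None) -> Path:
    """Persist one ISV token, owner read/write only, written atomically with its expiry."""
    now = time.time() if now is None else now
    record = {"app_key": app_key, "token": token, "expires_at": now + expire_hours * 3600}
    cache_path = Path(cache_path)
    cache_path.parent.mkdir(parents=True, exist_ok=True)
    # mkstemp creates the file with mode 0600 regardless of umask; the explicit
    # fchmod states the intent and guards against a platform with a looser default.
    fd, tmp = tempfile.mkstemp(dir=str(cache_path.parent), prefix=".isv-token-")
    try:
        os.fchmod(fd, 0o600)
        with os.fdopen(fd, "w") as fh:
            json.dump(record, fh)
            fh.flush()
            os.fsync(fh.fileno())
        os.replace(tmp, cache_path)  # atomic rename: readers never see a half-written file
    except BaseException:
        if os.path.exists(tmp):
            os.unlink(tmp)
        raise
    return cache_path


def load_token(cache_path: Path, app_key: str, now: Optional[float] = None) -> Optional[str]:
    """Return the cached token for app_key, or None if missing or expired; raise on an unsafe file."""
    cache_path = Path(cache_path)
    if not cache_path.exists():
        return None
    st = cache_path.stat()
    mode = stat.S_IMODE(st.st_mode)
    if mode & (stat.S_IRWXG | stat.S_IRWXO):
        raise UnsafeTokenFileError("%s is accessible to group/other (mode %o)" % (cache_path, mode))
    if hasattr(os, "getuid") and st.st_uid != os.getuid():
        raise UnsafeTokenFileError("%s is not owned by the current user" % cache_path)
    record = json.loads(cache_path.read_text())
    now = time.time() if now is None else now
    # The record is bound to one app_key, so a different skill's key cannot reuse it.
    if record.get("app_key") != app_key or record.get("expires_at", 0) <= now:
        return None
    return record["token"]


def redact(token: str) -> str:
    """Form that is safe to show in logs, error messages, or the assistant's replies."""
    if len(token) <= 8:
        return "****"
    return token[:4] + "..." + token[-4:]


def run_demo() -> Dict[str, object]:
    """Round-trip a constructed token through the cache and exercise the refusal paths."""
    results: Dict[str, object] = {}
    cache_dir = Path(tempfile.mkdtemp(prefix="skill-cache-"))
    path = cache_dir / "isv_token.json"
    token = "isv_0123456789abcdef"  # constructed sample, not a real token
    t0 = 1_700_000_000.0
    save_token(path, "app_a", token, expire_hours=2, now=t0)
    results["mode"] = stat.S_IMODE(path.stat().st_mode)
    results["fresh"] = load_token(path, "app_a", now=t0 + 3600)
    results["expired"] = load_token(path, "app_a", now=t0 + 2 * 3600 + 1)
    results["other_app"] = load_token(path, "app_b", now=t0)
    results["redacted"] = redact(token)
    os.chmod(path, 0o644)  # simulate a cache left world-readable by another tool
    try:
        load_token(path, "app_a", now=t0)
        results["loose_perms_refused"] = False
    except UnsafeTokenFileError:
        results["loose_perms_refused"] = True
    return results


if __name__ == "__main__":
    for name, value in run_demo().items():
        print(name, "=", value)
```

The permission check on load matters as much as the mode on save: a cache shared across skills can be re-created by any of them, so a consumer that trusts the file blindly inherits whatever the loosest writer did. Refusing a group- or world-readable file turns that silent exposure into a visible error.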

Missing User Warnings

Medium
Confidence
84% confidence
Finding
The code persists an AK via gateway or file storage immediately after validation, but does not present an explicit warning or confirmation that the secret will be stored beyond the current session. In a skill that appears focused on product selection rather than secret management, this increases the chance of unintended credential disclosure, insecure retention, or user misunderstanding about persistence.

VirusTotal

65/65 vendors flagged this skill as clean.
