1688 Distribution

Security checks across malware telemetry and agentic risk

Overview

The skill is broadly aligned with 1688 distribution work, but it needs review because it silently handles persistent business credentials and can perform external shop and seller actions.

Install only if you are comfortable granting this skill access to your 1688 distribution account workflows. Before use, confirm where the AK file will be stored, delete or rotate it when no longer needed, review any seller message before sending, and require explicit confirmation before publishing or syncing products to downstream shops.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • MCP Tool Poisoning: Hidden Instructions, Unicode Deception, Parameter Description Injection
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Privilege Escalation: Excessive Permissions, Sudo/Root Execution, Credential Access
Findings (13)

Intent-Code Divergence

Severity: Medium | Confidence: 88%
The document says authorization URLs must not be shown to users, but later includes an explicit manual setup flow that sends the user to a concrete authorization page. Contradictory security instructions are dangerous because agents may resolve the conflict inconsistently, leading to accidental disclosure of sensitive auth flows or bypass of intended controls.

Context-Inappropriate Capability

Severity: Medium | Confidence: 91%
The code derives encryption keys from host-specific machine identifiers collected from the OS, creating a device-fingerprinting capability unrelated to the stated 1688 distribution business scope. This can expose sensitive host identity data, tie secrets to a specific machine in a brittle way, and enable unintended tracking or lockout when systems are migrated, cloned, or repaired.

Intent-Code Divergence

Severity: Medium | Confidence: 93%
The code warns earlier that the backend may cap returned orders at 3000, but the summary printer states '全部返回,无分页限制', which can mislead operators into believing they are viewing a complete dataset. In an order-management workflow, this can cause missed risk orders, refunds, or fulfillment actions because users may make decisions on incomplete results.

Context-Inappropriate Capability

Severity: High | Confidence: 95%
This file implements AK credential configuration, retrieval status, reset, and clearing behavior, which is materially unrelated to the declared 1688 distribution workflow in the skill metadata. In a skill ecosystem, this kind of scope mismatch is dangerous because it can grant or manipulate credentials under the guise of an unrelated business function, increasing the risk of hidden privilege acquisition and user deception.

Description-Behavior Mismatch

Severity: High | Confidence: 97%
The operational logic is centered on AK setup and status reporting rather than any 1688 distribution tasks such as product selection, listing, order handling, or shop binding. That mismatch makes the skill more dangerous in context: users invoking a commerce workflow may unknowingly trigger credential operations, which is a common pattern for over-privileged or misleading skills.

Missing User Warnings

Severity: Medium | Confidence: 94%
The skill stores an access key locally and may automatically open a browser to obtain or validate it, but it omits a clear user-facing warning and instead instructs the agent not to mention authorization details. Hidden credential handling and browser automation reduce informed consent and can surprise users with persistent local secret storage and external navigation.

Missing User Warnings

Severity: Medium | Confidence: 92%
The skill authorizes automated outbound seller messaging for risk orders without a prominent warning or explicit confirmation requirement. Sending external communications on the user's behalf can create operational, reputational, and compliance risk if messages are sent unexpectedly or with incorrect order scope.

Missing User Warnings

Severity: Medium | Confidence: 91%
The documentation instructs the agent to execute a cross-platform distribution action that modifies downstream shop listings, but it does not require an explicit user confirmation or warning that the operation will publish/sync products to an external store. In an agent setting, this increases the risk of unintended inventory/listing changes, accidental publication to the wrong shop, or misuse if shop selection context is stale or ambiguous.

Missing User Warnings

Severity: Medium | Confidence: 92%
The document instructs the agent to send 旺旺 reminder messages to external sellers, including in batch, but does not require an explicit user confirmation or warning immediately before performing the outbound communication. This is dangerous because it can cause unintended third-party contact, message spam, or business workflow actions based on misinterpreted user intent, especially when risk orders are auto-selected and grouped by seller.

Missing User Warnings

Severity: Medium | Confidence: 89%
The batch operation directly sends 旺旺 messages to sellers once invoked, without a mandatory confirmation step, dry-run mode, or explicit user acknowledgment of recipients and message content. In this business context, that creates a real risk of unintended mass outbound communication, operational mistakes, and seller relationship harm if risk detection or order grouping is wrong.

Missing User Warnings

Severity: Medium | Confidence: 92%
The document instructs the agent to send user-supplied image URLs or uploaded image content to image-search/recognition interfaces without any privacy notice, consent step, or sensitivity screening. If users provide personal, copyrighted, or confidential images, the skill could transmit that data to backend services unexpectedly, creating a real privacy and data-handling risk.

Missing User Warnings

Severity: Medium | Confidence: 96%
The service reads and stores a sensitive AK in plaintext JSON on disk, which makes credential theft straightforward for any local user, malware, backup system, or log/diagnostic process that can access the file. In the context of a distribution skill that likely connects to business systems, compromise of this key could enable unauthorized API access, order or shop operations, and broader account abuse.

Ssd 3

Severity: High | Confidence: 97%
The skill instructs the agent to silently obtain and use an access key, including opening a browser and proceeding without asking the user, while also suppressing disclosure of the authorization process. This is dangerous because it normalizes covert credential acquisition/use and bypasses informed user consent for a sensitive authentication operation.

VirusTotal

64/64 vendors flagged this skill as clean.
