1688 Multi Shop Compare

Security checks across malware telemetry and agentic risk

Overview

This skill legitimately supports 1688 multi-shop analysis, but it should only be installed by users comfortable sharing 1688 access keys and shop business data with the OpenClaw/1688 gateway.

Install only if you trust this skill with 1688 access keys, shop performance data, and customer details. Keep the OpenClaw config file protected, do not set OPENCLAW_GATEWAY_URL to an untrusted endpoint, review generated reports before sharing them, and separately review any downstream optimizer skill before allowing item-listing changes.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • Trigger Abuse: Overly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • Taint Tracking: Direct Taint Flow, Variable-Mediated Taint Flow, Credential Exfiltration Chain
Findings (15)

Tainted flow: 'gateway_url' from os.environ.get (line 32, credential/environment) → requests.patch (network output)

Critical
Category
Data Flow
Content
        headers = {}
        if token:
            headers["Authorization"] = f"Bearer {token}"
        resp = requests.patch(f"{gateway_url}/api/config",
                              headers=headers, json=payload, timeout=5)
        return resp.ok
    except Exception:
Confidence
94% confidence
Finding
resp = requests.patch(f"{gateway_url}/api/config", headers=headers, json=payload, timeout=5)

Lp3

Medium
Category
MCP Least Privilege
Confidence
89% confidence
Finding
The skill exposes powerful capabilities—environment access, file read/write, and network use—without declaring permissions, which undermines user and platform trust boundaries. In this skill's context, those capabilities are especially sensitive because it handles shop AccessKey credentials, reads local reference files, writes configuration, and sends telemetry over the network, creating real risk of secret leakage or unauthorized data movement.

Tp4

High
Category
MCP Tool Poisoning
Confidence
95% confidence
Finding
The skill description presents a benign analytics/reporting function, but the documented behavior also includes credential configuration/storage, retrieval of per-shop AK values, raw multi-shop data access, and telemetry reporting. This mismatch is dangerous because users or reviewers may approve the skill believing it only performs analysis, while it actually handles secrets and broader data flows that materially change the risk profile.

Context-Inappropriate Capability

Medium
Confidence
95% confidence
Finding
The CLI sends telemetry after every command via `_tracker.report_skill_usage()` regardless of command type, user consent, or visible disclosure in this file. In a data-analysis skill that may process sensitive business/shop information, undisclosed usage reporting expands data exposure and creates an unnecessary outbound channel that could leak metadata about operations.

Intent-Code Divergence

Medium
Confidence
83% confidence
Finding
The docstring advertises only three commands, but the CLI actually auto-discovers and runs any `capabilities/*/cmd.py` module. This mismatch weakens transparency and reviewability: operators may believe the tool has a narrow, documented command surface while additional capabilities can be introduced and executed implicitly, increasing the chance of hidden or unreviewed functionality.

Context-Inappropriate Capability

Medium
Confidence
69% confidence
Finding
Permitting free-form entry of any offerId after a multi-shop analysis can let the skill pivot from scoped comparative analysis into arbitrary item-level operations outside the analyzed result set. In a multi-shop context, this weakens binding between observed data and allowed actions, increasing the chance of unintended modification requests against unrelated products if downstream skills trust the provided identifier.

Context-Inappropriate Capability

Medium
Confidence
97% confidence
Finding
The file implements telemetry reporting that is not necessary for the stated business function of multi-shop comparison analysis. Even though the payload appears limited to skill metadata, hidden outbound reporting increases privacy and supply-chain risk because users may not expect network transmission from a local analytics skill.

Description-Behavior Mismatch

Medium
Confidence
79% confidence
Finding
This skill includes a credential configuration service that stores an API key, which is broader than the declared analytics/compare behavior. While this may be operationally necessary, it expands the skill's privilege and attack surface by adding secret-handling and persistence logic that users may not expect from the stated function.

Context-Inappropriate Capability

Medium
Confidence
81% confidence
Finding
The code reads authentication-related environment variables and modifies global OpenClaw configuration, which affects more than this skill's local analytics behavior. That broad access can create cross-skill impact if the skill is abused or misconfigured, especially because it touches shared configuration state and secret material.

Missing User Warnings

Medium
Confidence
96% confidence
Finding
Usage reporting occurs after every command with no visible user-facing disclosure in this file, which is a privacy and transparency issue. Because this skill handles multi-shop comparison workflows, even metadata such as execution timing, command names, tenant context, or identifiers could reveal commercially sensitive activity patterns if sent externally.

Vague Triggers

Medium
Confidence
90% confidence
Finding
The description triggers on broad phrases like “可视化报告” (visual report), “用图表展示” (show with charts), and “图文并茂” (illustrated with text and images), which are common in ordinary conversation and can cause the skill to activate outside its intended scope. This creates prompt-routing risk: unrelated user content may be transformed under this skill’s rigid rules, increasing the chance of unintended behavior, instruction capture, or data mishandling.

Natural-Language Policy Violations

Medium
Confidence
84% confidence
Finding
The file mandates Chinese-language interaction throughout without offering user choice or documenting why that constraint is necessary. While not a direct code-execution issue, it can override user intent, reduce transparency, and cause incorrect handling of non-Chinese inputs in multi-locale environments.

Missing User Warnings

Medium
Confidence
95% confidence
Finding
The code sends skill name, version, channel, and scene to a remote endpoint without any visible user-facing notice or consent mechanism in this file. Undisclosed telemetry can violate user expectations, internal policy, or compliance requirements, and it creates a covert data-flow channel from the environment where the skill runs.

Missing User Warnings

Medium
Confidence
76% confidence
Finding
The code persists the API key into a config file with no indication here of encryption, file-permission hardening, or explicit user disclosure. Storing plaintext credentials on disk increases the risk of compromise from local attackers, backups, logs, or unintended file sharing.

Missing User Warnings

Medium
Confidence
84% confidence
Finding
The function sends the API key in a network request but defaults to an HTTP URL and provides no visible transport-security enforcement or disclosure in this code. If the endpoint is not strictly local and trusted, the key could be exposed in transit or redirected to an unintended receiver.

VirusTotal

66/66 vendors flagged this skill as clean.