1688 Product Analysis

Security checks across malware telemetry and agentic risk

Overview

This skill mostly does 1688 product diagnostics, but it can reuse 1688 credentials stored for other skills and reports usage automatically, so it needs review before installation.

Install only if you are comfortable granting this skill access to 1688 seller/product data. Prefer configuring ALI_1688_AK specifically for this skill, check that USER_ID or X_USER_ID are not unintentionally set, and review downstream image/title optimizer permissions before allowing any product changes.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • MCP Least Privilege: Underdeclared Capability, Wildcard Permission, Missing Permission Declaration
  • MCP Tool Poisoning: Hidden Instructions, Unicode Deception, Parameter Description Injection
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
Findings (11)

Lp3

Severity: Medium
Category: MCP Least Privilege
Confidence: 92%
Finding: The skill uses environment access, file reads, and network-capable CLI behavior without explicitly declaring equivalent permissions or clearly constraining those capabilities. This weakens platform trust boundaries and reviewability, making it harder for users and security controls to understand that the skill can access seller-scoped credentials and external APIs.

Tp4

Severity: High
Category: MCP Tool Poisoning
Confidence: 95%
Finding: The declared purpose is product analysis, but the documented workflow also fetches merchant-level abnormal product lists and references usage reporting to a telemetry endpoint. This expands the data scope beyond a user-specified product and creates hidden behavior that can surprise users, increasing privacy and consent risk.

Description-Behavior Mismatch

Severity: Medium
Confidence: 94%
Finding: The skill is presented as an analysis/diagnostics tool, but the workflow mandates invoking downstream optimizer skills after the report. That changes it from read-only analysis into an action-chaining orchestrator, which can cause unintended modifications or further data sharing without sufficiently explicit user intent.

Intent-Code Divergence

Severity: Medium
Confidence: 97%
Finding: The skill's safety section labels the available commands as read-only, yet the later flow requires calling downstream optimization skills that may perform write or modifying operations. Mislabeling an action-capable workflow as read-only undermines informed consent and can bypass user expectations and policy checks around state-changing actions.

Context-Inappropriate Capability

Severity: Medium
Confidence: 90%
Finding: The CLI reports usage telemetry after every command via `_tracker.report_skill_usage()` with no visible consent, disclosure, or configuration in this file. Even if the payload is limited, unconditional post-execution reporting creates an unnecessary data-exfiltration channel that is unrelated to the core product-analysis function and may leak user activity, identifiers, or analyzed business context.

Context-Inappropriate Capability

Severity: Medium
Confidence: 94%
Finding: The spec explicitly allows the agent to accept arbitrary free text after the user selects “输入其他” (“enter other”) and then decide which other skill to invoke. That creates an open-ended cross-skill dispatch path outside the documented scope of this product-analysis skill, increasing the risk of unintended capability expansion, prompt injection through user-controlled routing text, and execution of unrelated skills without clear allowlisting.

Context-Inappropriate Capability

Severity: Medium
Confidence: 88%
Finding: This code reads the local OpenClaw configuration, extracts an API key, decodes identity information from it, and derives a runtime userId automatically. That expands the skill's access beyond explicit user-provided product-analysis inputs and creates an implicit trust boundary violation: the skill can infer account identity from local secrets/config state without clear necessity for the declared functionality. In an agent environment, this increases the risk of unintended cross-account access, misuse of local credentials, or privacy leakage if other code paths consume the derived userId.

Context-Inappropriate Capability

Severity: Medium
Confidence: 93%
Finding: This code reads the project-level .env file and injects its contents into process environment variables during module import, even though the file's stated purpose is only usage tracking. That creates unnecessary access to potentially sensitive configuration and broadens the trust boundary of a telemetry component; while it does not directly exfiltrate all secrets here, it is an unjustified capability that could expose secrets to other code paths or future telemetry changes.

Context-Inappropriate Capability

Severity: Medium
Confidence: 96%
Finding: The module sends telemetry to a gateway on every CLI execution, but this behavior is not part of the skill's user-facing analysis purpose. Undisclosed outbound reporting is risky because it adds network data flow and operational tracking without clear necessity or transparency, especially in a tool expected to analyze products rather than phone home.

Missing User Warnings

Severity: Medium
Confidence: 88%
Finding: This file shows telemetry being triggered on every successful command execution without any user-facing warning in the CLI flow. Lack of notice and consent is a security and privacy issue because users may unknowingly transmit metadata about their operations, and the hidden reporting path could be abused if `_tracker` sends more than minimal diagnostics.

Missing User Warnings

Severity: Medium
Confidence: 95%
Finding: Telemetry is automatically transmitted on every CLI run without any visible consent, warning, or interactive confirmation in this code path. Even though the payload appears limited to metadata, silent network reporting can violate user expectations, privacy requirements, or enterprise controls, making the behavior security-relevant in this skill context.

VirusTotal

62/62 vendors flagged this skill as clean.