1688 Product Find

Security checks across malware telemetry and agentic risk

Overview

This is a real 1688 product-search skill, but it handles access keys and local credentials in ways users should review before installing.

Install only if you are comfortable giving this skill a 1688 AK and allowing it to store credentials locally. Use a least-privileged or dedicated AK, avoid pasting secrets into shared chats, treat CLI output/logs as sensitive, and review the automatic telemetry and runtime dependency installation behavior before use.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • Trigger Abuse: Overly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • Behavioral AST: exec() Call, eval() Call, Dynamic Import
  • MCP Least Privilege: Underdeclared Capability, Wildcard Permission, Missing Permission Declaration
Findings (30)

subprocess module call

Medium
Category
Dangerous Code Execution
Content
import subprocess
    req_file = str(SKILL_DIR / "requirements.txt")
    result = subprocess.run(
        [sys.executable, "-m", "pip", "install", "-r", req_file, "-q", "--disable-pip-version-check"],
        capture_output=True, text=True,
    )
Confidence
95% confidence
Finding
result = subprocess.run( [sys.executable, "-m", "pip", "install", "-r", req_file, "-q", "--disable-pip-version-check"], capture_output=True, text=True, )

Lp3

Medium
Category
MCP Least Privilege
Confidence
95% confidence
Finding
The manifest exposes shell, file, environment, and network-capable behavior without declaring permissions or boundaries to the user. That creates hidden capability risk: an agent or user may invoke a seemingly simple product-search skill that can also read local files, access secrets via env vars, and make outbound requests, reducing transparency and weakening policy enforcement.

Tp4

High
Category
MCP Tool Poisoning
Confidence
97% confidence
Finding
The documented purpose is product search, but the skill also performs AK acquisition/configuration, token lifecycle operations, local callback handling, and telemetry. This description-behavior mismatch is security-relevant because users and calling agents may grant trust or invoke the skill under false assumptions, enabling credential handling and network activity that were not clearly consented to.

Description-Behavior Mismatch

Medium
Confidence
90% confidence
Finding
The skill claims to be for product finding, but instructs the agent to export search results into DingTalk tables via another MCP tool. This is a scope expansion into external data egress/integration, which can move scraped or user-derived data into third-party systems without that capability being declared in the manifest.

Context-Inappropriate Capability

Medium
Confidence
92% confidence
Finding
Including AK acquisition and configuration inside a product-search skill expands it into credential collection and secret management. Even if intended for convenience, bundling secret onboarding into an unrelated-looking skill increases the chance that users or agents disclose credentials without understanding the trust implications.

Context-Inappropriate Capability

Medium
Confidence
84% confidence
Finding
The skill is described as product-finding, but the CLI exposes broader OAuth and AK management operations including token retrieval and authorization flows. This overbroad capability increases blast radius if the skill is invoked unexpectedly or misused, because it can access and expose sensitive credentials unrelated to simple product search.

Context-Inappropriate Capability

High
Confidence
96% confidence
Finding
Installing dependencies via pip at runtime gives the skill the ability to fetch and execute third-party code dynamically. In an agent skill context this is especially dangerous because the action occurs automatically during registration/first run, potentially bypassing review and exposing the environment to supply-chain compromise.

Context-Inappropriate Capability

Medium
Confidence
95% confidence
Finding
The telemetry helper parses the project .env file and injects all discovered key/value pairs into process environment variables, even though only three non-sensitive metadata fields are needed. Reading broad .env content inside a product-finding skill expands access to secrets unnecessarily and creates an avoidable pathway for sensitive configuration to influence downstream network behavior.

Description-Behavior Mismatch

Medium
Confidence
98% confidence
Finding
The code reports skill usage to a remote gateway on every CLI execution, but this behavior is not disclosed in the skill description and is unrelated to the core product-search function. Undisclosed telemetry is a security and privacy concern because users and operators cannot make an informed decision about outbound data flows.

Description-Behavior Mismatch

High
Confidence
96% confidence
Finding
The file implements a full OAuth 2.1 authorization flow and a separate AK credential acquisition mode, which is unrelated to the declared product-finding capability. In the context of a shopping/product search skill, adding generic credential collection substantially expands privilege and creates a path to harvest or misuse user or platform credentials beyond the skill’s stated purpose.

Context-Inappropriate Capability

High
Confidence
98% confidence
Finding
The AK mode is an additional credential-retrieval pathway that goes beyond standard OAuth and is not justified by the skill metadata. Hidden or weakly justified alternate credential flows are dangerous because they can be used to obtain long-lived or high-value secrets that enable broader account or API access than users expect.

Description-Behavior Mismatch

Medium
Confidence
94% confidence
Finding
This file implements API-key configuration, storage, deletion, and discovery logic, which does not align with the declared product-finding capability. That mismatch is security-relevant because it expands the skill’s privileges to secret management without clear user-facing justification, increasing the chance of hidden credential handling and misuse.

Context-Inappropriate Capability

Medium
Confidence
96% confidence
Finding
The code reads credentials from environment variables, persists them to disk in plaintext JSON, enumerates candidate config locations, and deletes the stored secret. For a product-search skill, this is an unjustified secret-management surface that can expose authentication material through local compromise, unintended reuse, or broader agent access.

Intent-Code Divergence

Medium
Confidence
97% confidence
Finding
The module claims an encrypted/keychain-backed storage fallback, but the implementation writes tokens and metadata directly to a local JSON file without encryption. Even with file mode 0o600, plaintext secrets are exposed to the local user account, malware running as that user, backups, logs, or accidental file disclosure, making credential theft much easier.

Context-Inappropriate Capability

Medium
Confidence
94% confidence
Finding
This page loads executable JavaScript from an external third-party CDN (`o.alicdn.com`) with no integrity pinning or local bundling. If that script is compromised, changed unexpectedly, or abused by a trusted upstream, it gains script execution in the page context and can tamper with product data, user interactions, links, and any accessible browser-side secrets.

Missing User Warnings

Medium
Confidence
94% confidence
Finding
Every CLI invocation silently reports usage telemetry to a gateway, but this is disclosed only later in the document rather than upfront in the primary behavior description. Hidden telemetry is dangerous because it causes off-system data transmission without clear informed consent, and metadata such as skill name, version, channel, and execution timing can still be sensitive in enterprise environments.

Missing User Warnings

Medium
Confidence
91% confidence
Finding
The skill silently performs pip installation as a side effect of startup, without warning or confirmation. Even if the packages are legitimate, this violates least surprise and creates an unsafe execution path where network access and code execution happen before the user can assess risk.

Vague Triggers

Medium
Confidence
87% confidence
Finding
The capability trigger list includes very broad natural-language phrases such as “比价” (compare prices), “对比” (compare), and “哪家便宜” (which one is cheaper), which can easily appear in ordinary conversation and cause unintended capability activation. In an agent that can process links, local image paths, and invoke CLI actions, overbroad triggering increases the chance of executing the wrong workflow, handling unintended user-supplied artifacts, or bypassing narrower intent validation.

Missing User Warnings

Medium
Confidence
91% confidence
Finding
The skill instructs the agent to automatically run `get_ak`, which starts a local callback server and opens a browser for authorization, before any explicit consent prompt to the user. Even if this is intended as a convenience feature, triggering local listeners and browser-based auth flows without a clear warning can surprise users, expose local state, or cause unintended authorization actions in an agentic context.

Missing User Warnings

Medium
Confidence
88% confidence
Finding
The manual fallback instructs the agent to ask the user to provide their AK directly, but it does not treat the AK as a secret or warn against sharing it in an insecure channel. In an LLM/agent environment, prompting users to paste sensitive credentials into chat increases the risk of accidental disclosure, logging exposure, or reuse by unauthorized parties.

Vague Triggers

Medium
Confidence
80% confidence
Finding
The trigger phrases are broad and overlap with ordinary shopping conversation, increasing the chance the capability activates without clear user intent. Because this skill can fetch external product pages and transmit extracted image URLs to a backend search API, accidental triggering can lead to unintended network access and processing of user-supplied links or IDs.

Missing User Warnings

Medium
Confidence
91% confidence
Finding
The capability explicitly performs silent fetching of product pages, extracts image URLs, and submits them to a search API, but the documentation does not require notice or consent for that data flow. This is dangerous because users may not realize their provided links, derived product images, and related metadata are being transmitted to third-party or backend services, creating privacy and compliance risk.

Vague Triggers

Medium
Confidence
86% confidence
Finding
The trigger phrases are broad enough to match common conversational language such as '帮我找' (help me find) or '想要XX' (I want XX), which can cause the skill to activate unintentionally. That can route unrelated user requests into product-search behavior, leading to privacy leakage of user text to external APIs or unintended actions in an agent pipeline.

Missing User Warnings

Medium
Confidence
88% confidence
Finding
The document explicitly states that skill invocation metadata is reported to a remote gateway by default, but it reads as an implementation note rather than a user-facing privacy/security warning. This can lead operators or downstream integrators to unknowingly transmit metadata such as skill name, version, channel, and scene off-system, which is a real transparency and privacy issue even if the data is limited.

Missing User Warnings

Medium
Confidence
97% confidence
Finding
Telemetry is sent automatically for every CLI invocation with no visible warning, consent, or runtime disclosure, and failures are silently ignored. This design reduces transparency and can mask unexpected outbound communication, which is especially problematic in local CLI tooling that may run in sensitive environments.

VirusTotal

64/64 vendors flagged this skill as clean.
