1688-product-search

Security checks across malware telemetry and agentic risk

Overview

The skill mostly matches its 1688 product-search purpose, but needs review because it stores reusable account tokens in a shared local file and can fetch/upload user-supplied images without strong guardrails.

Install only if you are comfortable giving this skill 1688 API credentials and sending selected product images or image URLs to 1688. Avoid private screenshots, sensitive documents, internal URLs, localhost/cloud-metadata URLs, or other non-public resources for image search. Protect or periodically clear the shared .1688_token_cache.json file, because it may contain reusable account tokens.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • MCP Tool Poisoning: Hidden Instructions, Unicode Deception, Parameter Description Injection
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Privilege Escalation: Excessive Permissions, Sudo/Root Execution, Credential Access
Findings (13)

Intent-Code Divergence
Severity: Low. Confidence: 77%.
Finding: The documentation says each skill has independent authentication while also stating that all 1688 skills share one global token cache file. That contradiction can mislead users about isolation boundaries and may cause one skill to read or overwrite tokens created by another, increasing the chance of cross-skill credential exposure or unintended token reuse.

Intent-Code Divergence
Severity: Medium. Confidence: 71%.
Finding: Conflicting statements about token lifetime can lead operators to retain access tokens longer than intended, skip refresh handling, or store them insecurely under a false assumption of permanence. Because this skill uses shared token caching and credentialed network access, misunderstandings about credential validity materially affect security posture.

Description-Behavior Mismatch
Severity: Medium. Confidence: 91%.
Finding: The file implements an image upload capability to a remote 1688 API, which materially exceeds the skill's stated read/search-oriented scope. Scope expansion is security-relevant because it introduces data exfiltration and state-changing behavior that users and reviewers may not expect, especially when the manifest describes search/product retrieval rather than uploading user-provided content.

Context-Inappropriate Capability
Severity: Medium. Confidence: 96%.
Finding: The handler can fetch arbitrary user-supplied URLs with requests.get, creating an SSRF-style outbound fetch capability beyond the stated 1688 API integration. In an agent or server environment, this can be abused to probe internal services, access cloud metadata endpoints, or retrieve restricted network resources and then process them as images.

Description-Behavior Mismatch
Severity: Medium. Confidence: 84%.
Finding: The script exposes a standalone upload-image command that lets callers upload arbitrary local files to the remote 1688 image-upload API, which is broader than the advertised search-oriented scope. In an agent setting, this expands the skill's data egress capability and could be abused to transmit local image files or sensitive visual data off-host under the guise of a search feature.

Description-Behavior Mismatch
Severity: Medium. Confidence: 91%.
Finding: The function downloads arbitrary user-supplied URLs, not just official 1688 endpoints, which introduces a server-side request forgery style capability and broadens network access beyond the stated use of official APIs. In an agent/runtime environment, this can be used to probe internal services, access metadata endpoints, or retrieve data from unexpected locations if network egress is available.

Context-Inappropriate Capability
Severity: Medium. Confidence: 92%.
Finding: The image_search_by_url flow combines arbitrary external URL retrieval with subsequent upload of the fetched content to a third-party API. This creates both an SSRF-like network primitive and a data-transfer path to an external service, making the skill materially more dangerous than a normal product-search integration.

Missing User Warnings
Severity: Medium. Confidence: 85%.
Finding: The documentation includes an image upload interface that sends base64-encoded image data to an external 1688 service, but it does not warn users that local image contents will be transmitted off-system. In an agent skill context, this can lead to inadvertent exfiltration of sensitive screenshots, documents, or personal images if users or upstream agents assume uploads are purely local processing.

Missing User Warnings
Severity: Medium. Confidence: 91%.
Finding: The module persists both access_token and refresh_token to a globally shared cache file under the user's home directory, which increases the chance that other skills, processes, or users on the same system can read long-lived credentials. The skill context makes this more dangerous because the description explicitly says the token cache is globally shared across 1688 skills, expanding the trust boundary and blast radius of a compromise.

Missing User Warnings
Severity: Medium. Confidence: 95%.
Finding: This code writes both `access_token` and `refresh_token` to a globally shared cache file under the user's home directory, explicitly for all 1688 skills to share. If another local skill, process, or user on the same system can read that file, they can reuse or refresh credentials and act as the authenticated account, making this a real credential exposure risk.

Missing User Warnings
Severity: Medium. Confidence: 87%.
Finding: The code base64-encodes local image content and sends it to an external API with no visible disclosure, confirmation, or consent control in this component. That creates a real privacy and data-handling risk because user-provided images may contain sensitive content or metadata, and the skill context does not make outbound image transmission obvious from a search-focused description.

Missing User Warnings
Severity: Medium. Confidence: 84%.
Finding: The function reads an arbitrary local file path, base64-encodes the file contents, and uploads them to a remote 1688 API. In an agent-skill context, this creates a real exfiltration risk if an upstream prompt, tool chain, or untrusted caller can cause the skill to upload sensitive local files instead of intended images, especially because the code has no path restriction, file-type validation, or explicit consent gate.

Missing User Warnings
Severity: Medium. Confidence: 88%.
Finding: This flow silently downloads user-referenced image content and uploads it to the 1688 service without any disclosure or confirmation. That creates a privacy and consent risk because users may not realize their supplied URL content is being copied, processed, and transmitted to a third party.

VirusTotal

VirusTotal findings are pending for this skill version.