1688 Shop Health Check

Security checks across malware telemetry and agentic risk

Overview

This skill is a disclosed 1688 shop analytics tool, but users should be careful with its API key storage, telemetry, and optional handoff to optimizer skills.

Install only if you are comfortable giving this skill a 1688 AccessKey for shop analytics. Use a least-privileged or dedicated key if possible, verify OPENCLAW_GATEWAY_URL points to your intended local gateway before running configure, and review/disable telemetry if your environment has strict privacy rules. Treat optimizer handoff cards as action requests and confirm the downstream optimizer skills separately before using them.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • Trigger Abuse: Overly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • Taint Tracking: Direct Taint Flow, Variable-Mediated Taint Flow, Credential Exfiltration Chain
  • MCP Tool Poisoning: Hidden Instructions, Unicode Deception, Parameter Description Injection
Findings (21)

Tainted flow: 'gateway_url' from os.environ.get (line 32, credential/environment) → requests.patch (network output)

Critical
Category
Data Flow
Content
        headers = {}
        if token:
            headers["Authorization"] = f"Bearer {token}"
        resp = requests.patch(f"{gateway_url}/api/config",
                              headers=headers, json=payload, timeout=5)
        return resp.ok
    except Exception:
Confidence
90% confidence
Finding
resp = requests.patch(f"{gateway_url}/api/config", headers=headers, json=payload, timeout=5)

Description-Behavior Mismatch

Medium
Confidence
93% confidence
Finding
The skill's workflow goes beyond diagnosis by instructing the agent to trigger downstream item-optimization skills on specific products. In context, this makes the skill more dangerous because a user asking for analysis may unintentionally cause operational changes or hand off sensitive product context to other installed skills.

Context-Inappropriate Capability

Medium
Confidence
96% confidence
Finding
Automatic usage reporting to an external gateway is not necessary for the stated purpose of store health analysis, and it creates unnecessary data exposure risk. In this context, the skill may process commercially sensitive shop metrics and operational metadata, so unsolicited external transmission increases privacy, compliance, and trust risks.

Description-Behavior Mismatch

Medium
Confidence
86% confidence
Finding
The documented `configure` command introduces local credential handling that is not reflected in the skill's stated health-analysis purpose, which expands the trust boundary and operational risk. Undocumented credential-management behavior can surprise users, encourage secret entry into an unreviewed local flow, and make accidental secret exposure or insecure storage more likely.

Description-Behavior Mismatch

Medium
Confidence
91% confidence
Finding
The skill is described as a shop health analysis tool, but this interaction spec expands its behavior into directly triggering downstream item optimization skills. That creates a scope/authority mismatch: users and reviewers may consent to diagnostic analysis while the skill is actually able to initiate operational actions on specific products. In agent systems, this kind of hidden capability expansion increases the risk of unauthorized cross-skill action chaining.

Description-Behavior Mismatch

Medium
Confidence
94% confidence
Finding
When no abnormal items are detected, the skill still collects an arbitrary `offerId` and dispatches optimization actions, which is not justified by the diagnostic result. This bypasses the stated guardrail of acting only on detected abnormalities and turns a health-check skill into a general-purpose launcher for editing adjacent item workflows. That broadens capability beyond user expectations and weakens contextual authorization.

Context-Inappropriate Capability

Medium
Confidence
93% confidence
Finding
The document gives this skill orchestration authority to invoke other optimization skills directly after a card selection. Cross-skill execution is sensitive because it can convert an informational assistant into an action-taking coordinator, potentially bypassing normal review, user intent verification, or least-privilege boundaries. In the context of a store health analyzer, that coupling is not strictly necessary and increases blast radius.

Context-Inappropriate Capability

Medium
Confidence
95% confidence
Finding
Allowing '输入其他' ("enter other") free text to be interpreted and used to decide which other skill to call leaves capability boundaries open-ended. This introduces an intent-routing surface where untrusted user input can steer the agent into tools or skills outside the narrowly declared purpose of shop health analysis. Compared with the fixed-option pathways, this is more dangerous because the reachable action space is not tightly enumerated.

Description-Behavior Mismatch

High
Confidence
97% confidence
Finding
The referenced file defines a generic report-to-visualization skill rather than behavior specific to the declared 1688 shop health analysis skill. This kind of skill/metadata mismatch can cause the wrong capability to trigger, route sensitive business data into an unintended transformation flow, and bypass user expectations or downstream guardrails.

Context-Inappropriate Capability

Medium
Confidence
90% confidence
Finding
The instructions require use of a separate read_file capability on another reference file even though this skill is presented as a 1688 shop health analysis skill. Cross-skill or auxiliary tool requirements can expand the trust boundary, create hidden dependencies, and enable prompt-instruction chaining from unrelated files that may alter behavior in ways the user did not request.

Description-Behavior Mismatch

Medium
Confidence
94% confidence
Finding
This code performs telemetry reporting on every CLI invocation, which is outside the core stated purpose of shop-health analysis and is implemented silently. Even though the payload shown is limited to skill name, version, scene, and channel, undisclosed outbound tracking creates privacy, trust, and governance risk and can become a data exfiltration path if the HTTP helper behavior changes.

Context-Inappropriate Capability

Medium
Confidence
85% confidence
Finding
The module reads the project .env at import time and injects its contents into os.environ, expanding the process environment beyond what this file actually needs. In a skill whose purpose is shop analytics, broadly loading local configuration creates unnecessary access to potentially sensitive values and increases the blast radius if other code later transmits environment-derived data.

Description-Behavior Mismatch

Medium
Confidence
80% confidence
Finding
The skill is described as shop-health analytics, but this file performs persistent credential setup and configuration mutation both locally and through a gateway API. That mismatch increases risk because users may grant trust expecting analysis behavior while the skill also changes host configuration and stores secrets, broadening the attack surface beyond its declared purpose.

Missing User Warnings

Medium
Confidence
98% confidence
Finding
The skill documents automatic external usage reporting without any user-facing warning or consent flow. Silent outbound transmission is dangerous because users may expose operational metadata or potentially sensitive usage context to a remote service without informed approval, especially in a business analytics setting.

Missing User Warnings

Medium
Confidence
92% confidence
Finding
The CLI unconditionally attempts to report skill usage after every command execution, and there is no visible consent, disclosure, opt-out, or data-minimization control in this file. Even if telemetry failures are ignored, silent post-execution reporting can leak user behavior, command usage patterns, and potentially contextual metadata in ways users do not expect, which is a privacy and compliance risk.

Missing User Warnings

Medium
Confidence
93% confidence
Finding
The documentation instructs users to configure an AccessKey locally but provides no warning that the value is sensitive, no guidance on secure handling, and no indication of storage protections. In an agent skill context, this can lead operators to paste production credentials into insecure environments, commit them to disk, or expose them through logs and shell history.

Vague Triggers

Medium
Confidence
86% confidence
Finding
The trigger description uses broad phrases such as requests for visualization or chart-based presentation, which can overlap with ordinary user requests outside the intended 1688 analysis workflow. Over-broad activation increases the chance this skill is invoked unexpectedly, causing instruction hijacking, wrong-task execution, or disclosure of transformed data under the wrong policy context.

Missing User Warnings

Medium
Confidence
92% confidence
Finding
The code sends telemetry on each CLI execution and suppresses all errors, which makes the behavior easy for users to miss and difficult to audit. Silent outbound network activity without clear notice is a supply-chain and privacy concern, especially in local CLI tooling where users may not expect external reporting.

Missing User Warnings

Medium
Confidence
81% confidence
Finding
The command accepts a sensitive AK and persists it via gateway or file without any explicit notice about where the secret will be stored, persistence scope, or operational consequences. That increases the risk of users unintentionally writing credentials to less secure storage or shared environments, which can lead to credential exposure and unauthorized API access.

Missing User Warnings

Medium
Confidence
86% confidence
Finding
The function persists the API key in a configuration file without any visible notice, consent flow, or protections such as encryption, permission hardening, or secret-store usage. Storing plaintext credentials on disk can expose them to other local users, backup systems, logs, or later compromise of the host.

Missing User Warnings

Medium
Confidence
84% confidence
Finding
The code transmits the API key to a gateway service without any visible user-facing disclosure or explicit confirmation, and the default endpoint uses HTTP rather than HTTPS. Even if the target is intended to be local, silent transmission of secrets increases risk from misconfiguration, interception, or redirection.

VirusTotal

65/65 vendors flagged this skill as clean.
