1688 Shop Jushuitan Erp

Security checks across malware telemetry and agentic risk

Overview

This ERP skill is mostly coherent, but it stores sensitive business API credentials and includes a broad raw API call path without strong scoping or per-use confirmation.

Install only if you are comfortable storing Jushuitan ERP credentials locally in plaintext and allowing the agent to use them for API calls. Before use, confirm which profile is active, which API path/data domain will be queried, and avoid granting API permissions beyond the specific read-only data needed for your workflow.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • Trigger Abuse: Overly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Privilege Escalation: Excessive Permissions, Sudo/Root Execution, Credential Access
Findings (7)

Context-Inappropriate Capability (Medium, 91% confidence)

The script includes a public IP discovery command that is unrelated to core ERP data connection and analysis. Even though it only queries a benign external service, it expands the skill’s network-recon capability and can reveal host/network metadata without clear need, which is risky in an agent skill handling business credentials.

Vague Triggers (Medium, 82% confidence)

The skill includes broad natural-language trigger examples such as colloquial requests to save credentials or connect ERP access, which can increase the chance of accidental invocation during normal conversation. In this skill, accidental triggering is more concerning because it handles sensitive ERP credentials and consent/state files, so a false activation could prompt collection or storage of secrets the user did not intend to persist.

Natural-Language Policy Violations (Medium, 74% confidence)

The skill mandates a fixed Chinese consent text and interaction flow without offering a language choice or confirming the user's preferred language. This can undermine informed consent if the user is not fully comfortable reading Chinese, especially because the skill governs access to shop, product, and inventory data and writes consent records locally.

Vague Triggers (Medium, 84% confidence)

The default prompt broadly instructs the model to connect the user's ERP account and analyze operations without constraining scope, requiring consent, or limiting which data/actions may be accessed. In a skill that handles sensitive business systems and locally stored credentials, this can encourage overbroad invocation and unintended access to merchant data or operational functions.

Missing User Warnings (Low, 89% confidence)

The skill instructs the agent to retrieve the host's current public IP via a script or external service without explicit user consent or a privacy notice. A public IP is environment metadata that can disclose network location or infrastructure details, so automatically fetching and revealing it can leak sensitive operational information beyond the user's original request.

Missing User Warnings (Medium, 94% confidence)

The `save-profile` flow stores sensitive API credentials locally and silently overwrites an existing profile of the same name without warning or confirmation. This can cause accidental credential loss or persistence of secrets on disk in a location the user may not expect, increasing the chance of misuse or exposure.

Missing User Warnings (Medium, 93% confidence)

The `callApi` function automatically sends the stored `access_token` and `app_key`, plus a signature derived from the secret, to a remote endpoint without any runtime disclosure or confirmation. In a credential-management skill, implicit transmission of stored secrets is sensitive because users may trigger calls without understanding which credentials are being used or where data is being sent.

VirusTotal

64/64 vendors flagged this skill as clean.