1688 Shop Operate

Security checks across malware telemetry and agentic risk

Overview

This appears to be a real 1688 shop diagnostics skill, but it needs Review because it handles account credentials in risky ways and sends automatic usage reports.

Install only if you are comfortable giving this skill a 1688 AK and letting it store that credential locally. Prefer the browser AK flow over pasting an AK into chat or a command line, avoid running `configure --status` where output may be logged, and clear the AK with `configure --clear` when finished. Treat the automatic usage reporting and local callback server as Review items, especially in shared or managed workspaces.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • MCP Least Privilege: Underdeclared Capability, Wildcard Permission, Missing Permission Declaration
  • MCP Tool Poisoning: Hidden Instructions, Unicode Deception, Parameter Description Injection
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
Findings (29)

Lp3

Medium
Category
MCP Least Privilege
Confidence
95% confidence
Finding
The skill declares no permissions, yet the documentation clearly indicates access to environment variables, local file read/write, shell execution, network communication, and browser-driven auth flows. This under-declaration prevents informed consent and review, especially because the skill handles AK credentials and performs outbound telemetry, creating a materially broader trust boundary than advertised.

Tp4

High
Category
MCP Tool Poisoning
Confidence
97% confidence
Finding
The skill is presented as a shop-diagnosis tool, but the documented behavior also includes credential acquisition, browser/OAuth authorization, token lifecycle management, local secret storage, and usage reporting. This mismatch is dangerous because users may invoke an analytics skill without realizing it will collect credentials and transmit metadata off-host, which defeats meaningful user consent and security review.

Description-Behavior Mismatch

Medium
Confidence
93% confidence
Finding
The documentation for a diagnostics skill also instructs users to obtain, configure, and locally store an AK, including browser-driven authorization and encrypted storage. Even if legitimate, bundling credential handling into a nominally analytic skill increases attack surface and can normalize sensitive secret entry in a context where users may not expect it.

Description-Behavior Mismatch

Medium
Confidence
98% confidence
Finding
Automatic telemetry on every CLI invocation introduces undisclosed network exfiltration of usage metadata from a skill whose primary purpose is diagnostics. Even if the payload is limited, silent transmission can leak operational patterns, tenant identifiers via skill names/channels, or sensitive business activity timing without explicit user approval.

Intent-Code Divergence

Medium
Confidence
90% confidence
Finding
The skill labels diagnostic commands as read-only, but elsewhere states that diagnosis results are automatically persisted for downstream reuse. This is a security-relevant contradiction because users and reviewers may assume no local writes occur, while the implementation may retain potentially sensitive shop analytics data beyond the immediate session.

Description-Behavior Mismatch

High
Confidence
95% confidence
Finding
The skill is presented as a 1688 shop health diagnosis tool, but this CLI is primarily an OAuth/token-management and AK-retrieval entrypoint. That mismatch is security-relevant because it expands the skill's privileges and user trust boundary far beyond the declared purpose, increasing the chance of unnecessary credential collection and misuse.

Context-Inappropriate Capability

High
Confidence
97% confidence
Finding
`get_ak` invokes browser-based AK retrieval, which is not justified by a shop-diagnosis use case and suggests direct credential or secret acquisition. In the context of an analysis skill, collecting AK materially increases risk because it can enable broader API access than users expect from a diagnostic tool.

Context-Inappropriate Capability

Medium
Confidence
90% confidence
Finding
The CLI dynamically discovers and executes arbitrary capability modules from the `capabilities` directory, allowing the effective behavior of the skill to expand beyond the declared diagnostic scope. This increases attack surface and makes review of the skill's true functionality harder, especially if additional modules are added later without equivalent scrutiny.

Intent-Code Divergence

Medium
Confidence
88% confidence
Finding
The module docstring identifies the code as a generic open-skill template CLI rather than a purpose-built shop diagnosis component. That discrepancy reinforces that this file may be repurposed infrastructure with broader capabilities than the skill metadata claims, which is risky in a credential-handling context.

Description-Behavior Mismatch

Medium
Confidence
95% confidence
Finding
This code performs outbound telemetry on every CLI invocation, which is behavior not described by the stated shop-diagnosis purpose. Hidden network reporting creates a trust and privacy risk because users may not expect the tool to contact a remote gateway merely to run a local diagnostic command.

Context-Inappropriate Capability

Medium
Confidence
88% confidence
Finding
The module reads the project .env and injects all key-value pairs into the process environment at import time, even though the stated purpose only needs a few metadata values. This broad environment loading expands access to secrets present in .env and increases the chance that unrelated credentials become available to other code paths or libraries in the same process.

Context-Inappropriate Capability

Medium
Confidence
92% confidence
Finding
The module derives an encryption key from machine identifiers and persists a fallback device ID, binding secrets to a host fingerprint unrelated to the stated shop-diagnosis purpose. This introduces unnecessary collection/use of stable device identifiers and creates opaque local secret-binding behavior that can hinder portability, surprise users, and increase privacy risk if reused elsewhere in the skill.

Description-Behavior Mismatch

High
Confidence
98% confidence
Finding
The file implements a local OAuth callback server, token exchange, AK handling, and shutdown/control endpoints, which materially exceeds the declared scope of a shop diagnostics skill. In a skill presented as analytical/read-only, hidden credential capture and authorization plumbing increases the chance of deceptive privilege collection and unexpected access to user accounts.

Description-Behavior Mismatch

High
Confidence
97% confidence
Finding
The code persists access tokens, refresh tokens, and related metadata locally, despite the skill being described as a health-diagnosis/analysis tool. Storing reusable credentials expands the blast radius from a transient auth flow to durable account access if the local store is exposed or misused.

Context-Inappropriate Capability

Medium
Confidence
94% confidence
Finding
The skill includes functionality to validate and save an AK secret, which is unrelated to the stated diagnostic purpose and introduces credential-management behavior. Accepting and storing API keys inside a local callback service can enable unauthorized account/API access if abused or if storage protections are weak.

Intent-Code Divergence

Medium
Confidence
99% confidence
Finding
The module name and docstring imply an encrypted token store, but the implementation writes tokens and metadata as plaintext JSON. This can mislead developers and users into assuming stronger protection than actually exists, increasing the risk of credential exposure through local file access, backups, logs, or forensic collection.

Intent-Code Divergence

Medium
Confidence
89% confidence
Finding
The module comment claims only `OAUTH_1688_`-prefixed token variables are updated, but `write_env` accepts arbitrary keys and will merge them into the .env file. This contract mismatch can let callers overwrite unrelated configuration or secrets under the false assumption that writes are scope-limited.

Context-Inappropriate Capability

Medium
Confidence
87% confidence
Finding
This module fetches and caches the full list of available permission scopes from a server, which is unrelated to the declared purpose of store health diagnosis and analytics. Even without directly granting permissions, scope enumeration expands knowledge of privileged platform capabilities and can support later over-privileged consent requests, capability probing, or internal API reconnaissance.

Description-Behavior Mismatch

High
Confidence
97% confidence
Finding
This page implements an OAuth callback and token-exchange flow, including automatic submission of an authorization code to a local service, which is unrelated to the declared purpose of shop health diagnosis. That mismatch is dangerous because it can be used to obtain or broker account access under the guise of a benign analytics skill, and the hidden local exchange behavior reduces user visibility into what credentials are being handled.

Context-Inappropriate Capability

Medium
Confidence
95% confidence
Finding
The page can trigger local control actions against a localhost service, including exchanging a code and calling `/api/shutdown`, even though the skill claims to only perform diagnostic analysis. A skill with unjustified ability to drive a local authorization server expands its reach from passive analysis into local process orchestration, creating opportunity for credential interception, service abuse, or premature shutdown of a local agent component.

Missing User Warnings

Medium
Confidence
96% confidence
Finding
Telemetry is described internally, but there is no prominent user-facing warning that invoking the skill causes automatic outbound reporting. Lack of transparent notice undermines consent and can lead to silent metadata disclosure in environments where business usage patterns are sensitive.

Missing User Warnings

Medium
Confidence
94% confidence
Finding
The skill explicitly instructs the agent to solicit the user's Access Key and pass it as a command-line argument to `cli.py configure <AK>`. Secrets on command lines are commonly exposed through shell history, process listings, logs, telemetry, and debugging output, and the instructions provide no warning, masking, or safer secret-handling path. In this context, the skill genuinely needs an API credential to operate, which makes the behavior understandable, but the chosen handling method is still unsafe.

Missing User Warnings

Medium
Confidence
84% confidence
Finding
The document describes automatic reporting of skill usage to a remote gateway, but the behavior is framed as internal telemetry without a prominent user-facing disclosure or consent model. In an agent skill context, undisclosed network reporting can undermine user expectations, create privacy/compliance issues, and conceal external data flows that reviewers may not anticipate. The risk is higher because this skill's stated purpose is shop diagnostics, while the file describes unrelated usage reporting to an external endpoint.

Missing User Warnings

Medium
Confidence
97% confidence
Finding
Network telemetry is sent silently on every CLI execution, and failures are deliberately suppressed, making the behavior difficult for users to notice. In a skill focused on shop health diagnosis, undisclosed call-home behavior is more suspicious because it is unrelated to core analytic functionality and may violate user expectations or policy.

Missing User Warnings

Medium
Confidence
86% confidence
Finding
The code persists the AK to local disk in `AK_STORE_FILE` without any visible permission hardening, access control, or user-facing notice in this component. Even though the value is encrypted before storage, local secret persistence increases exposure if the encryption key/material is accessible on the same host or if file permissions allow other local users or processes to read the file.

VirusTotal

66/66 vendors flagged this skill as clean.