1688-shopkeeper

Security checks across malware telemetry and agentic risk

Overview

This commerce automation skill is mostly purpose-aligned, but it handles shop credentials and publishing authority in ways users should review before installing.

Install only if you are comfortable giving this skill access to a 1688 AK (Access Key) and the shop operations linked to it. Treat the AK like a password: do not paste it into chat, rotate it if it has been exposed, and inspect where OpenClaw stores it on disk. Before using publish, require an explicit final confirmation of the exact shop and products, even if the skill reports that the target is unique. Review or delete the local snapshot files if product research or shop data is sensitive.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Trigger Abuse: Overly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • Taint Tracking: Direct Taint Flow, Variable-Mediated Taint Flow, Credential Exfiltration Chain
  • MCP Tool Poisoning: Hidden Instructions, Unicode Deception, Parameter Description Injection
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
Findings (16)

Tainted flow: 'gateway_url' from os.environ.get (line 35, credential/environment) → requests.patch (network output)

Severity: Critical. Category: Data Flow. Confidence: 93%.

Content (excerpt of the scanned service as reported by the scanner; the enclosing try block and the definitions of gateway_url, token and payload lie outside the excerpt):

        headers = {}
        if token:
            headers["Authorization"] = f"Bearer {token}"
        resp = requests.patch(f"{gateway_url}/api/config",
                              headers=headers, json=payload, timeout=5)
        return resp.ok
    except Exception:

Finding: resp = requests.patch(f"{gateway_url}/api/config", headers=headers, json=payload, timeout=5)

Description-Behavior Mismatch

Severity: Medium. Confidence: 95%.

Finding: When the shop-daily API returns no data or a 500, the service silently falls back to reading local search snapshot files and bound-shop context, then generates a user-facing report from that unrelated data. This is a real data-boundary and scope violation: a capability advertised as pulling a shop daily report is instead repurposing previously collected local context, which can expose or infer user/shop information the user did not intend to use for this request.

Missing User Warnings

Severity: Medium. Confidence: 97%.

Finding: The README explicitly instructs users to paste their 1688 Access Key into AI chat without any warning that it is a sensitive credential. Sending credentials through natural-language conversation increases the risk of exposure through logs, transcripts, prompt leakage, downstream tool access, or unintended reuse by the agent, especially because this skill can perform account-affecting actions like shop publishing.

Vague Triggers

Severity: Medium. Confidence: 82%.

Finding: The trigger phrases are broad terms like '选品' (product selection), '上架' (listing/publishing), '趋势' (trends), and '经营分析' (business analysis), which can match ordinary shopping or business-analysis requests outside the user's intent to invoke this specific skill. Overbroad activation increases the chance the agent routes benign conversations into a tool that can access account-linked shops and perform commercial actions.

Missing User Warnings

Severity: Medium. Confidence: 95%.

Finding: The skill explicitly authorizes a write operation ('publish') to proceed after a dry-run without explicit user confirmation whenever the target is unique. In a commerce context, publishing to a downstream store is a state-changing action with business and compliance consequences, so skipping final consent creates risk of unintended listings, policy violations, or inventory/price mistakes.
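
A confirmation gate for the publish step, added here as an illustration and not the skill's own code. PublishPlan, the gate functions and the reply format 'confirm publish <count> to <shop id>' are assumptions. The point is that uniqueness of the target is not consent: the gate refuses unless the dry run succeeded and the user restates the exact product count and shop id, so a bare "yes" to a long plan cannot trigger a listing.

```python
import re
from dataclasses import dataclass

# Added example for this review, not the 1688-shopkeeper skill's own code.
# PublishPlan, the gate functions and the reply format are assumptions chosen
# to illustrate one rule: a unique target is not consent, so 'publish' must
# wait until the user restates exactly what will be published and where.


@dataclass(frozen=True)
class PublishPlan:
    shop_id: str
    product_ids: tuple
    dry_run_ok: bool = False   # set True only after a successful dry run


def describe_plan(plan: PublishPlan) -> str:
    """Human-readable summary the agent must show before asking for consent."""
    return (f"publish {len(plan.product_ids)} product(s) "
            f"[{', '.join(plan.product_ids)}] to shop {plan.shop_id}")


# The reply must restate the count and the shop id; 'yes' or 'ok' does not
# match, so a vague acknowledgement cannot be read as approval.
CONFIRM_RE = re.compile(r"^\s*confirm publish (\d+) to (\S+)\s*$", re.IGNORECASE)


def confirm_publish(plan: PublishPlan, user_reply: str) -> bool:
    """True only if the reply names this plan's exact product count and shop."""
    match = CONFIRM_RE.match(user_reply)
    if not match:
        return False
    count, shop_id = match.groups()
    return int(count) == len(plan.product_ids) and shop_id == plan.shop_id


def publish_if_confirmed(plan: PublishPlan, user_reply: str, publish_fn):
    """Call publish_fn(plan) only behind both gates; returns (published, reason)."""
    if not plan.dry_run_ok:
        return False, "dry run has not succeeded; refusing to publish"
    if not confirm_publish(plan, user_reply):
        return False, "reply did not restate the exact target: " + describe_plan(plan)
    publish_fn(plan)
    return True, "published " + describe_plan(plan)


if __name__ == "__main__":
    # Constructed sample: two products bound for one shop after a good dry run.
    plan = PublishPlan("shop-42", ("p-1001", "p-1002"), dry_run_ok=True)
    print(publish_if_confirmed(plan, "yes", print))
    print(publish_if_confirmed(plan, "confirm publish 2 to shop-42", print))
```

The shop id and count are compared exactly, so a reply that matches a different plan (wrong count, wrong shop) is rejected rather than treated as a near miss.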

Missing User Warnings

Severity: Medium. Confidence: 95%.

Finding: The skill explicitly instructs users to paste their AK secret into chat and then use it as a CLI argument. This exposes the credential to conversation history, agent logs, telemetry, shell history, and possibly process listings, creating unnecessary secret leakage risk. Because this skill manages marketplace/store operations, compromise of the AK could enable unauthorized access or actions on connected commerce accounts.

Missing User Warnings

Severity: Low. Confidence: 91%.

Finding: The document explicitly says product details are fetched and saved to a local snapshot file, but it does not warn about local persistence, retention, access controls, or cleanup. Even if the data is 'only' product content, persistent storage can expose scraped remote content, supplier information, pricing, and business research artifacts to other users or later processes on the host, which is a real confidentiality and compliance risk.

Missing User Warnings

Severity: Medium. Confidence: 96%.

Finding: The skill invokes a remote workflow using shop-related analysis inputs, but the document does not clearly disclose to users that their store analysis data may be transmitted to an external service. This creates a privacy and transparency risk, especially if business metrics, product mix, or channel performance data are sensitive commercial information.

Missing User Warnings

Severity: Medium. Confidence: 92%.

Finding: The command persists an access key via a gateway or file-based fallback but does not clearly warn the user that the credential will be stored beyond the current session. For a skill that manages marketplace publishing across multiple downstream stores, silently persisting API credentials increases the risk of unintended long-term exposure through local files, backups, shared environments, or later compromise of the host.

Missing User Warnings

Severity: Medium. Confidence: 88%.

Finding: The service transmits the API key to the gateway over a connection that defaults to HTTP and provides no visible enforcement of secure transport or explicit consent boundary in code. If the gateway is not strictly local or traffic is intercepted, the API key can be exposed in transit.

Missing User Warnings

Severity: Medium. Confidence: 85%.

Finding: The code persists the 1688 API key in a regular JSON configuration file, which may be readable by other local users, backup systems, or processes depending on filesystem permissions. Storing long-lived secrets in plaintext increases the blast radius of host compromise and accidental disclosure.
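
The gateway and file-persistence findings above (credential stored beyond the session, HTTP default with no transport check, key in a plaintext JSON file), together with the earlier "AK as CLI argument" finding, share one hardened shape. The following is an added example written for this review, not code from the 1688-shopkeeper skill or from OpenClaw. GATEWAY_URL, ALI1688_AK, the assumed loopback default http://127.0.0.1:8080 and every function name are assumptions. It refuses to send a bearer token over plain http to anything but a loopback host, persists the key only with explicit consent and only owner-readable, and reads the key from the environment or a prompt instead of argv.

```python
import json
import os
import stat
import tempfile
from urllib.parse import urlparse

# Added example for this review: a hardened version of the credential path
# the scanner flagged (gateway URL from the environment, bearer token over
# http, key persisted to a JSON file). GATEWAY_URL, ALI1688_AK, the assumed
# loopback default and every function name below are assumptions, not the
# 1688-shopkeeper skill's real interface.

LOOPBACK_HOSTS = {"127.0.0.1", "::1", "localhost"}
ASSUMED_GATEWAY_DEFAULT = "http://127.0.0.1:8080"   # assumption, not the real default


def validate_gateway_url(url: str) -> str:
    """Return url only if a bearer token may be sent to it.

    Rule: https to any host, or plain http only to a loopback host. Any
    other scheme/host combination raises instead of leaking the key.
    """
    parsed = urlparse(url)
    if parsed.scheme == "https":
        return url
    if parsed.scheme == "http" and parsed.hostname in LOOPBACK_HOSTS:
        return url
    raise ValueError(
        f"refusing to send a credential over {parsed.scheme or 'unknown'} "
        f"to {parsed.hostname!r}"
    )


def gateway_url_is_allowed(url: str) -> bool:
    """Boolean form of validate_gateway_url for callers that prefer no exception."""
    try:
        validate_gateway_url(url)
        return True
    except ValueError:
        return False


def gateway_url_from_env(env: dict) -> str:
    """Same shape as the flagged os.environ.get(...) read, but validated."""
    return validate_gateway_url(env.get("GATEWAY_URL", ASSUMED_GATEWAY_DEFAULT))


def save_key_to_file(path: str, api_key: str, user_consented: bool) -> bool:
    """Persist the key only with explicit consent, owner-readable only.

    Returns False without touching disk when the user has not confirmed
    that the credential may outlive the session.
    """
    if not user_consented:
        return False
    # Create with 0600 from the first instant so no window exists in which
    # another local user could read the file; chmod again in case it existed.
    fd = os.open(path, os.O_WRONLY | os.O_CREAT | os.O_TRUNC, 0o600)
    with os.fdopen(fd, "w") as fh:
        json.dump({"access_key": api_key}, fh)
    os.chmod(path, 0o600)
    return True


def file_mode(path: str) -> int:
    """Permission bits of path, e.g. 0o600."""
    return stat.S_IMODE(os.stat(path).st_mode)


def load_key_without_argv(env: dict, prompt=None) -> str:
    """Read the key from an env var or an interactive prompt, never argv.

    argv shows up in process listings and shell history, which is the
    'use it as a CLI argument' pattern the report flags.
    """
    key = env.get("ALI1688_AK")
    if key:
        return key
    if prompt is None:
        raise RuntimeError("ALI1688_AK is not set and no prompt is available")
    return prompt("1688 access key: ")


def demo_save_key(api_key: str = "example-not-a-real-key") -> dict:
    """Exercise the consent and permission checks in a throwaway directory."""
    path = os.path.join(tempfile.mkdtemp(), "config.json")
    refused = not save_key_to_file(path, api_key, user_consented=False)
    leaked = os.path.exists(path)            # must stay False: refusal wrote nothing
    written = save_key_to_file(path, api_key, user_consented=True)
    return {"refused": refused, "leaked": leaked, "written": written,
            "mode": file_mode(path)}


if __name__ == "__main__":
    print(gateway_url_from_env({}))                  # loopback http is allowed
    print(gateway_url_is_allowed("http://gateway.example.com"))  # remote http: False
    print(demo_save_key())                           # mode 0o600 (384)
```

Pass a real prompt such as getpass.getpass to load_key_without_argv in an interactive shell so the key is neither echoed nor written to history; on a POSIX host the 0o600 mode is what keeps the JSON fallback from being readable by other local users, which the flagged code does not enforce.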

Missing User Warnings

Severity: Medium. Confidence: 91%.

Finding: The code persists search queries and full product result snapshots to local disk, including the user's query, channel, timestamp, and product metadata, without any indication here of consent, retention control, or access restrictions. In an agent skill that handles commercial sourcing and shop operations, these records can expose business intent, supplier research, and potentially sensitive operational data if the host filesystem is shared, backed up, or later accessed by other components.

Missing User Warnings

Severity: Medium. Confidence: 96%.

Finding: The service scans a local directory for the latest 1688 search snapshot, parses it, and uses query, channel, category, prices, and top product titles to shape output without any visible disclosure in the primary flow. That is a privacy and contextual-integrity issue because historical user search data is reused across requests and can surface sensitive commercial intent or prior activity unexpectedly.

Missing User Warnings

Severity: Medium. Confidence: 93%.

Finding: The fallback path calls check_shop_status() and incorporates bound shop/account metadata into generated output and recommendations without an explicit user-facing notice in this service. In an e-commerce operations skill, bound-shop data is operationally sensitive, so using it outside the narrow daily-report retrieval flow increases the risk of unintended disclosure and cross-context data use.

Ssd 3

Severity: Medium. Confidence: 99%.

Finding: The line instructing users to say '我的AK是 xxx' ('my AK is xxx') encourages direct disclosure of a live access credential in conversational input. In this skill's context, that is particularly dangerous because the credential appears to authorize 1688 account operations and linked downstream shop actions, so compromise could enable unauthorized access, data exposure, or fraudulent publishing activity.

Ssd 3

Severity: Medium. Confidence: 97%.

Finding: The documented workflow collects a user secret directly in chat and operationalizes it for configuration, which is a classic insecure secret-handling pattern. In this context, the AK appears to grant access to 1688/shop management features such as search, store lookup, and product listing, so disclosure could let an attacker or over-privileged system act on behalf of the user or their downstream stores.

VirusTotal

65/65 vendors flagged this skill as clean.