1688 Source Suppliers

Security checks across malware telemetry and agentic risk

Overview

This skill is mainly a 1688 supplier lookup tool, but its access-key setup stores credentials under a different skill name and discloses little about how secrets are stored and transmitted, so users should review it before installing.

Install only if you are comfortable giving this skill a 1688 access key. Prefer platform-managed secrets or an environment variable over pasting the AK into chat, verify that it does not overwrite a separate "1688-shopkeeper" configuration, and rotate the AK if it was entered through chat or command history.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • Trigger Abuse: Overly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • Taint Tracking: Direct Taint Flow, Variable-Mediated Taint Flow, Credential Exfiltration Chain
  • MCP Least Privilege: Underdeclared Capability, Wildcard Permission, Missing Permission Declaration
Findings (17)

Tainted flow: 'url' from os.environ.get (line 101, credential/environment) → requests.post (network output)

Critical
Category
Data Flow
Content
```python
        raise AuthError("AK 未配置")

    try:
        resp = requests.post(url, headers=headers, data=body_str, timeout=timeout, stream=True)
        resp.raise_for_status()
    except requests.exceptions.HTTPError as e:
        _handle_http_error(e)
```
Confidence
93% confidence
Finding
resp = requests.post(url, headers=headers, data=body_str, timeout=timeout, stream=True)

Tainted flow: 'gateway_url' from os.environ.get (line 35, credential/environment) → requests.patch (network output)

Critical
Category
Data Flow
Content
```python
        headers = {}
        if token:
            headers["Authorization"] = f"Bearer {token}"
        resp = requests.patch(f"{gateway_url}/api/config",
                              headers=headers, json=payload, timeout=5)
        return resp.ok
    except Exception:
```
Confidence
96% confidence
Finding
resp = requests.patch(f"{gateway_url}/api/config", headers=headers, json=payload, timeout=5)

Missing Permission Declaration (Lp3)

Medium
Category
MCP Least Privilege
Confidence
89% confidence
Finding
The skill invokes a local Python CLI, requires an environment secret (`ALI_1688_AK`), instructs reading capability docs from disk, and exposes a `configure` command that likely writes credentials or config state, yet it declares no explicit permissions. This mismatch can cause the agent platform to under-enforce access controls, letting a seemingly low-risk supplier lookup skill perform file, environment, and network operations without transparent review.

Context-Inappropriate Capability

Medium
Confidence
95% confidence
Finding
The fallback path reads API credentials from a global OpenClaw config file, which broadens the trust boundary and can cause this skill to use credentials not explicitly provisioned for it. In this skill’s context, that creates cross-skill credential confusion and unauthorized access risk if another skill’s key is reused or exposed through shared configuration.

Intent-Code Divergence

High
Confidence
99% confidence
Finding
The code claims to load this skill’s AK but actually fetches credentials from the "1688-shopkeeper" entry, which is a concrete cross-skill secret mix-up rather than a documentation-only issue. This can cause the supplier-query skill to authenticate as another skill, enabling unintended access and making incident attribution and permission boundaries unreliable.

Description-Behavior Mismatch

High
Confidence
95% confidence
Finding
This command adds credential-management behavior to a skill whose declared purpose is supplier/factory information lookup, creating a hidden expansion of privilege and data sensitivity. Even if intended for legitimate API access, embedding AK configuration in this skill can mislead users into supplying secrets to a capability they would not expect to handle credentials, increasing the risk of secret capture, misuse, or inappropriate persistence.

Context-Inappropriate Capability

High
Confidence
94% confidence
Finding
A supplier-query skill should not itself perform credential storage unless that capability is explicitly justified and documented. This mismatch between advertised functionality and actual behavior is dangerous because it normalizes secret entry in an unrelated workflow, making phishing-style credential collection or accidental oversharing more plausible in the agent context.

Description-Behavior Mismatch

High
Confidence
98% confidence
Finding
The manifest describes a supplier-search skill, but this file configures credentials for a different skill name, 1688-shopkeeper. That mismatch is a strong indicator of scope drift or hidden cross-skill behavior, which can cause this skill to alter another component's configuration and handle secrets unrelated to its declared purpose.

Context-Inappropriate Capability

Medium
Confidence
92% confidence
Finding
This file persists and retrieves API credentials from environment variables, disk, and a gateway despite the advertised functionality being supplier lookup. Managing persistent secrets outside the stated purpose expands the skill's authority and attack surface, making covert credential collection or unintended configuration tampering more plausible.

Missing User Warnings

Medium
Confidence
90% confidence
Finding
The README instructs users to enter an Access Key via the CLI but gives no warning about how the key is stored, whether it is persisted securely, or whether passing it as a command-line argument may expose it in shell history or process listings. In a skill that explicitly performs automatic AK management and authentication, this omission is security-relevant because it can lead users to disclose long-lived credentials unintentionally.

Missing User Warnings

Medium
Confidence
90% confidence
Finding
The skill documentation tells the agent to send supplier-name or keyword queries to an external 1688 API, but it does not clearly warn that user input will leave the system or that a configured AK credential is required. This can cause users or downstream operators to disclose sensitive business queries unintentionally and may lead to confusing credential prompts or unsafe credential-handling behavior.

Missing User Warnings

Medium
Confidence
93% confidence
Finding
The guide instructs the agent to solicit an Access Key from the user, extract it from chat content, and pass it directly on the command line. This exposes a sensitive credential to chat transcripts, agent logs, shell history, process listings, and other observability surfaces without any warning, masking, or safer secret-handling path. In this skill context, the risk is real because AK collection is a core workflow, so the unsafe handling pattern is likely to occur routinely rather than as an edge case.

Missing User Warnings

Medium
Confidence
90% confidence
Finding
The code validates and writes an AK, but does not present an explicit warning that the provided value is sensitive, where it will be stored, or what systems may later access it. That omission can cause users to disclose secrets without informed consent and can lead to insecure handling expectations, especially in an agent skill that does not obviously appear to be an authentication tool.

Missing User Warnings

Medium
Confidence
84% confidence
Finding
The code writes the API key into a persistent JSON configuration file without any indication in this file of user notice, consent, or storage protections. Persisting plaintext credentials on disk increases the chance of later disclosure through local compromise, backup leakage, or accidental file exposure.

Missing User Warnings

Medium
Confidence
93% confidence
Finding
The function transmits the API key to a gateway endpoint without any visible disclosure here, and the default endpoint uses HTTP rather than HTTPS. Sending secrets over an insecure or user-invisible channel can expose credentials to interception or unintended recipients, especially if the gateway URL is overridden.

Vague Triggers

Medium
Confidence
84% confidence
Finding
The trigger phrase in this positive test case is broad, everyday language that can easily appear in normal conversation, which increases the chance the skill is invoked outside its intended scope. In an agent-routing context, ambiguous triggers can cause incorrect tool activation, unintended data retrieval, and interference with safer or more appropriate skills.

Vague Triggers

Medium
Confidence
80% confidence
Finding
This test case also uses a broadly phrased natural-language input as a positive trigger, which can blur the boundary between supplier sourcing and nearby intents. If the router learns or validates against ambiguous examples, the skill may over-trigger on ordinary user requests and route them to supplier-query tooling unnecessarily.

VirusTotal

63/63 vendors flagged this skill as clean.