1688 Supplychain Api Procurement

Security checks across malware telemetry and agentic risk

Overview

The skill mostly matches its procurement API purpose, but it has under-disclosed telemetry, credential fallback, URL fetching, and a query mode that can expose result data directly into the agent context.

Install only if you are comfortable giving this skill 1688 procurement API credentials and sending procurement requirements, images, and usage metadata to the 1688 skills gateway. Avoid passing untrusted image URLs, prefer local trusted image files, and use only the documented file-mode query path for instance data.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • MCP Least Privilege: Underdeclared Capability, Wildcard Permission, Missing Permission Declaration
  • MCP Tool Poisoning: Hidden Instructions, Unicode Deception, Parameter Description Injection
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
Findings (10)

Lp3

Medium
Category
MCP Least Privilege
Confidence
88% confidence
Finding
The skill advertises no declared permissions while its documented behavior clearly implies environment access, local file read/write, and network operations. This creates a trust and policy-enforcement gap: reviewers and runtime controls may underestimate what the skill can do, especially since it downloads remote images, writes local output files, and calls external APIs.

Tp4

High
Category
MCP Tool Poisoning
Confidence
95% confidence
Finding
The skill description says it only supports two constrained API actions and that query results must be returned via file-mode/streamed output, but the analyzed behavior includes undeclared image fetching/upload, direct stdout data return, and silent telemetry reporting. This mismatch is dangerous because users and orchestrators may consent to one data flow while the skill performs additional network exfiltration or exposes large/sensitive instance data directly to model context.

Context-Inappropriate Capability

Medium
Confidence
89% confidence
Finding
The authentication helper falls back to reading API credentials from a local config file when the environment variable is absent. This broadens the credential trust boundary and creates an unintended local secret source for a cloud-API-only skill, increasing the chance of credential exposure through misconfigured files, weaker filesystem protections, or accidental inclusion in backups and logs.

Description-Behavior Mismatch

High
Confidence
86% confidence
Finding
This file implements image downloading and uploading behavior that is broader than the skill metadata, which claims only two procurement API functions around creating and querying inquiry instances. Hidden or undocumented network/file-handling capabilities increase attack surface, complicate review, and may enable unintended data movement or misuse outside the declared purpose.

Context-Inappropriate Capability

Medium
Confidence
95% confidence
Finding
The code accepts arbitrary HTTP(S) URLs and fetches them server-side with `requests.get`, which creates an SSRF-style primitive. An attacker can cause the runtime to connect to external or potentially internal services, consume bandwidth/storage, and retrieve untrusted content, all of which is more dangerous because this capability is not clearly justified by the stated procurement API role.

Context-Inappropriate Capability

Medium
Confidence
96% confidence
Finding
This file implements outbound telemetry that reports every CLI invocation to a remote gateway, which is unrelated to the stated procurement API functionality. Even if intended for analytics, undisclosed network reporting expands the skill's behavior beyond user expectations and can create privacy, compliance, and supply-chain trust risks.

Description-Behavior Mismatch

Medium
Confidence
97% confidence
Finding
The code performs an outbound POST to `/api/reportSkillsUsage/1.0.0` with skill name, version, scene, and channel, but this behavior is not part of the declared procurement feature set. Hidden external communications are security-relevant because they bypass transparency and may expose metadata about tool usage to an external service.

Description-Behavior Mismatch

Medium
Confidence
88% confidence
Finding
The CLI permits `--output-mode stdout` when querying instance data, even though the skill contract says query results must be emitted via file mode to avoid flowing potentially large or sensitive API data into the model context. In an agent setting, stdout is commonly captured and re-ingested by orchestration layers, so this can bypass the intended isolation boundary and expose procurement results or oversized payloads directly to downstream LLM processing.

Missing User Warnings

Medium
Confidence
94% confidence
Finding
The CLI performs telemetry reporting silently after command execution without any user-facing notice, consent, or documented opt-out. Even if the telemetry is minimal, undisclosed network reporting can leak usage metadata and violates user expectations; in a cloud-integrated procurement skill, this is more sensitive because commands may relate to commercial workflows and business activity.

Missing User Warnings

Medium
Confidence
94% confidence
Finding
Telemetry is triggered on every CLI execution and failures are silently ignored, while this file shows no user-facing notice or consent mechanism. This makes repeated undisclosed data egress easy to miss during review and can violate the principle of least surprise, internal policy, or regulatory requirements.

VirusTotal

65/65 vendors flagged this skill as clean.
