1688 Supplychain Order Inquiry

Security checks across malware telemetry and agentic risk

Overview

The skill appears to perform order inquiries as described, but it needs review because it handles an account access key, can send merchant-facing inquiries, stores credentials in local config, and reports usage with limited user controls.

Install only if you trust this publisher with your 1688 account access key and are comfortable with the skill sending order IDs, questions, optional images, and usage metadata to 1688 gateway services. Prefer environment or platform secret injection over plaintext config storage, check OPENCLAW_GATEWAY_URL before running configure, and ask for explicit confirmation before sending inquiries, especially batch inquiries.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • Trigger Abuse: Overly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • Taint Tracking: Direct Taint Flow, Variable-Mediated Taint Flow, Credential Exfiltration Chain
  • MCP Least Privilege: Underdeclared Capability, Wildcard Permission, Missing Permission Declaration
Findings (14)

Tainted flow: 'gateway_url' from os.environ.get (line 35, credential/environment) → requests.patch (network output)

Critical
Category
Data Flow
Content
        headers = {}
        if token:
            headers["Authorization"] = "Bearer {}".format(token)
        resp = requests.patch("{}/api/config".format(gateway_url),
                              headers=headers, json=payload, timeout=5)
        return resp.ok
    except Exception:
Confidence
91% confidence
Finding
resp = requests.patch("{}/api/config".format(gateway_url), headers=headers, json=payload, timeout=5)

Lp3

Medium
Category
MCP Least Privilege
Confidence
93% confidence
Finding
The skill declares no permissions, yet the metadata and command-based design indicate it can invoke Python and likely perform environment access, file I/O, and network activity. This creates a capability-transparency gap: the host or reviewer cannot accurately assess what the skill may access, which increases the risk of overprivileged execution and unnoticed data exfiltration or state changes.

Context-Inappropriate Capability

High
Confidence
98% confidence
Finding
This file implements AK credential configuration logic, including reading, validating, and persisting access keys, which is unrelated to the declared order-inquiry functionality of the skill. In a mismatched skill context, secret-handling code is especially dangerous because it can be used to collect or alter credentials under the guise of an unrelated business workflow, expanding the skill's privilege and creating supply-chain style trust abuse.

Description-Behavior Mismatch

High
Confidence
97% confidence
Finding
The executable path of this command performs AK setup rather than order inquiry, so the implemented behavior does not match the published manifest. That mismatch is a security issue because users and reviewers may grant trust based on the stated purpose while the code modifies authentication configuration and writes sensitive credentials through gateway or file fallback paths.

Vague Triggers

Medium
Confidence
85% confidence
Finding
The trigger phrases include very common language such as asking about shipping time or asking a merchant a question, which can overlap with ordinary conversation. This can cause unintended activation and lead the agent to send inquiries or invoke tooling when the user did not clearly intend to run this skill.

Vague Triggers

Medium
Confidence
88% confidence
Finding
The intent-recognition rule says that order-related questions broadly enter the inquiry flow, which is too permissive for an action-taking skill. In this context, the skill can initiate outbound merchant inquiries, so misclassification may turn a general informational question into an external action without sufficiently explicit consent.

Missing User Warnings

Medium
Confidence
95% confidence
Finding
The CLI performs telemetry via `_tracker.report_skill_usage()` after command execution with no user-facing notice, consent, or opt-out. Even though failures are silenced and it does not affect execution flow, undisclosed usage reporting can leak operational metadata such as invocation timing, command usage, or environment context, which is a privacy and compliance risk.

Missing User Warnings

Medium
Confidence
89% confidence
Finding
The documentation describes batch inquiry behavior, including optional local image uploads and order-related questions, but does not clearly warn that the skill will contact external merchant systems and transmit order identifiers, inquiry text, and possibly image content. This can cause users or agents to disclose sensitive order or local-file data without explicit awareness or consent, which is more significant here because the capability is specifically designed for parallelized external communications.

Missing User Warnings

Medium
Confidence
90% confidence
Finding
The documentation instructs users to configure and persist an AccessKey and even shows masked display/output behavior, but it does not explicitly warn that the AK is a sensitive secret that must not be shared, logged, or stored insecurely. In a skill that interacts with account-bound order inquiry capabilities, mishandling this credential could allow unauthorized access through the gateway under the buyer identity automatically injected from the AK.

Missing User Warnings

Medium
Confidence
84% confidence
Finding
The document describes automatic telemetry being sent to a remote gateway after successful skill execution, including metadata such as skill name, version, scene, and channel, but it does not mention any explicit user notice, consent, or opt-out. Even if the payload is limited and authenticated, undisclosed outbound reporting can create privacy, transparency, and policy-compliance risks, especially in enterprise or regulated environments.

Missing User Warnings

Medium
Confidence
87% confidence
Finding
The skill silently sends usage telemetry on every CLI run without any disclosure or consent mechanism in this file. Even though the payload appears limited, undisclosed outbound network communication expands the trust boundary and can violate privacy expectations or organizational policy, especially in enterprise environments where unexpected egress is sensitive.

Missing User Warnings

Medium
Confidence
85% confidence
Finding
`configure_via_file` persists the API key in plaintext to `openclaw.json` without any visible file-permission hardening, encryption, or warning in this code path. On shared systems or if the config path is accessible to other processes/users, the credential can be recovered from disk and reused.

Missing User Warnings

Medium
Confidence
79% confidence
Finding
This function sends credential-bearing configuration (`apiKey`, and possibly an authorization token) over the network without any visible user confirmation or transport safeguards in the function itself. In this skill context, configuration code handling secrets is security-sensitive, so undisclosed transmission increases the chance of accidental exposure, especially when paired with a configurable endpoint.

Missing User Warnings

Medium
Confidence
88% confidence
Finding
This CLI directly triggers outbound order inquiries based on provided order IDs and question text without any confirmation, dry-run mode, or explicit warning that a customer/seller-facing action will occur. In an agent or automated workflow context, that increases the risk of unintended bulk messaging, spam-like behavior, or accidental actions caused by malformed inputs or mis-triggered commands.

VirusTotal

64/64 vendors flagged this skill as clean.