alphashop-sel-product-search

Security checks across malware telemetry and agentic risk

Overview

The skill appears to perform the advertised AlphaShop product search, but it needs review because it uses API keys and external requests while its metadata and bundled image-search documentation do not consistently match that scope.

Review before installing. Use this only if AlphaShop is an approved provider for your product searches, configure the API keys under the correct skill slug, avoid putting secrets in command lines or shared files, and do not send confidential market research terms unless external transmission to AlphaShop is acceptable. Treat the bundled image-search and plain-HTTP reference docs as out of scope or unsafe until the publisher clarifies them.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • MCP Least Privilege: Underdeclared Capability, Wildcard Permission, Missing Permission Declaration
  • MCP Tool Poisoning: Hidden Instructions, Unicode Deception, Parameter Description Injection
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
Findings (19)

Lp3

Severity: Medium
Category: MCP Least Privilege
Confidence: 91%
Finding: The manifest advertises no required permissions while the documented behavior clearly relies on environment secrets and external network access, and the analysis also detected file-write capability. This under-declaration weakens user trust boundaries because operators may approve the skill without realizing it can access credentials, send data off-box, or persist data locally.

Tp4

Severity: High
Category: MCP Tool Poisoning
Confidence: 89%
Finding: The skill description says it performs product search, but the observed behavior includes writing full API responses to disk, using JWT credentials, and interacting with a global1688-specific backend not clearly disclosed in the summary. Behavior-description mismatch is dangerous because users may expose sensitive query results or credentials to destinations and storage they did not knowingly approve.

Scope Creep

Severity: Medium
Confidence: 95%
Finding: The manifest says no environment variables are required, but the documentation instructs users to supply API access and secret keys. This inconsistency can cause insecure deployment patterns, failed runs, or ad hoc secret injection outside the normal secret-management path.

Intent-Code Divergence

Severity: Medium
Confidence: 94%
Finding: The FAQ instructs operators to whitelist unrelated methods ("keywordSearchApi" and "newProductReportExecuteApi") for a skill documented as only using "productSearchApi". This creates unnecessary privilege expansion: anyone following the docs may authorize extra callable methods, increasing attack surface and enabling unintended access if those methods are later exposed through the same environment.

Description-Behavior Mismatch

Severity: High
Confidence: 98%
Finding: The document describes an image-based recall capability while the skill metadata claims keyword-based product search with filtering. This kind of capability mismatch is security-relevant because consumers, reviewers, and policy gates may approve a skill for one data flow and execution model while it actually implements another, enabling undeclared processing of user-supplied image URLs and image-derived embeddings.

Description-Behavior Mismatch

Severity: High
Confidence: 99%
Finding: The endpoint and request schema explicitly accept imageUrl, cropRegion, and image-search parameters rather than the keyword query inputs promised by the manifest. In skill ecosystems, a mismatch between declared and actual interfaces can hide unexpected collection and transmission of user-controlled remote resources, increasing the risk of policy bypass, unsafe integrations, and accidental overexposure of user data.

Description-Behavior Mismatch

Severity: High
Confidence: 97%
Finding: The core logic performs image embedding generation and vector retrieval, which is materially different from keyword-based search. This changes the trust boundary and data handling model by sending user-provided image references to downstream services and processing image-derived features, making the undeclared behavior more dangerous in this skill context because users expect text search, not image analysis.

Intent-Code Divergence

Severity: Medium
Confidence: 90%
Finding: The plan to package this feature as a skill while describing a contradictory image-recall API indicates a deployment-ready mismatch, not just a draft inconsistency. If released, this can mislead operators and users about what data the skill accepts and where it is sent, increasing the chance of unauthorized capability expansion.

Description-Behavior Mismatch

Severity: High
Confidence: 95%
Finding: The referenced document describes an image-based product recall API, while the skill metadata says the skill is for keyword-based product search. This scope mismatch can cause the agent to collect and transmit different data than users or integrators expect, including image URLs and related identifiers, which is a significant integrity and privacy risk in a security-sensitive agent environment.

Intent-Code Divergence

Severity: Medium
Confidence: 90%
Finding: The example code and appendix reinforce use of an imageSearchApi and image-based request object, contradicting the declared keyword-search purpose of the skill. This increases the likelihood of accidental misuse, hidden capability expansion, or deployment of a skill that performs actions outside its approved scope.

Missing User Warnings

Severity: Medium
Confidence: 93%
Finding: The README instructs users to configure AlphaShop API credentials and use the skill against a remote AlphaShop REST API, but it does not clearly disclose that user search queries and authenticated requests will be sent to an external third-party service. This can lead to uninformed credential use and unintended transmission of potentially sensitive business research data, especially in enterprise environments where outbound data handling and third-party access require explicit notice.

Missing User Warnings

Severity: Medium
Confidence: 87%
Finding: The documentation tells users how to place API keys in environment variables or config files but gives no warning about keeping those secrets out of shared configs, repos, screenshots, or logs. In practice this increases the risk of credential leakage, especially because the examples are copy-paste friendly and aimed at operational setup.

Missing User Warnings

Severity: Medium
Confidence: 91%
Finding: The documentation provides copy-paste examples that send request data to an internal endpoint over plain HTTP without warning users about network visibility, interception risk, or handling of potentially sensitive search parameters and identifiers. Even in a pre-production/internal setting, normalizing insecure transport in examples can lead to credential leakage, request tampering, and unsafe reuse in other environments.

Missing User Warnings

Severity: Medium
Confidence: 95%
Finding: Logging full user-supplied image URLs can capture sensitive query strings, signed links, internal object paths, or personal data embedded in URLs, without any documented disclosure or minimization. In this image-search context, URLs are primary user input and may point to private resources, so retaining them verbatim in logs creates unnecessary exposure.

Missing User Warnings

Severity: Medium
Confidence: 88%
Finding: The document states that image URLs and user IDs are used for retrieval and access control, but it does not clearly disclose that these values will be transmitted to backend services and downstream dependencies such as embedding and search systems. In an agent setting, insufficient disclosure of external data flows can undermine consent, privacy review, and safe handling of user-provided content.

Missing User Warnings

Severity: Medium
Confidence: 88%
Finding: The script transmits user-supplied search terms and userId to a third-party endpoint without any explicit consent prompt, privacy notice, or minimization of identifying data. In an agent-skill context, users may assume local processing, so silent external transmission increases privacy and compliance risk if queries or identifiers are sensitive.

Missing User Warnings

Severity: Medium
Confidence: 84%
Finding: The script writes the full API response to an arbitrary user-specified file, which may persist potentially sensitive result data, request metadata, or business information on disk without warning. In shared or automated environments, this can lead to unintended disclosure through world-readable files, backups, or artifact collection.

Ssd 3

Severity: Medium
Confidence: 97%
Finding: Request logs include the raw imageUrl, which may expose sensitive user data to log stores, support personnel, or downstream observability systems. This is especially risky because image URLs are externally supplied and may include secrets or point to private content, so the skill context makes the issue more dangerous than ordinary request metadata logging.

External Transmission

Severity: Medium
Category: Data Exfiltration
Content (excerpt from the skill's script; the Chinese string prints "Authentication method: JWT Token"):

        print(f"认证方式: JWT Token")  # "Authentication method: JWT Token"

        # outbound request carrying the user-supplied query and JWT credentials
        response = requests.post(
            endpoint,
            json=request_data,
            headers=headers,

Confidence: 90%
Finding: requests.post( endpoint, json=

VirusTotal

66/66 vendors flagged this skill as clean.
