inquiry-1688

Security checks across malware telemetry and agentic risk

Overview

This skill performs the advertised 1688 inquiry workflow, but it sends procurement details to a fixed DingTalk recipient and runs delayed background follow-up without clear per-user control.

Install only if DingTalk target 238382 is definitely the intended recipient for all users of this skill. Treat inquiry text, product links, quantities, addresses, supplier replies, and AlphaShop credentials as business-sensitive. Prefer a version that requires confirmation before each inquiry, lets the user configure or disable DingTalk delivery, pins dependencies, and defines retention/cleanup for pending inquiry files.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Supply Chain: Unpinned Dependencies, External Script Fetching, Obfuscated Code
  • Trigger Abuse: Overly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • MCP Least Privilege: Underdeclared Capability, Wildcard Permission, Missing Permission Declaration
  • MCP Tool Poisoning: Hidden Instructions, Unicode Deception, Parameter Description Injection
Findings (15)

Lp3

Medium
Category: MCP Least Privilege
Confidence: 94%
Finding:
The skill clearly requires access to environment secrets, local file read/write, and outbound network access, yet it declares no permissions. That mismatch prevents informed review and weakens containment, making it easier for the skill to access sensitive resources without explicit operator approval. In this skill, the undeclared capabilities matter because it handles API credentials, stores inquiry data locally, and sends results externally.

Tp4

High
Category: MCP Tool Poisoning
Confidence: 91%
Finding:
The documented behavior does not fully match the stated purpose: it introduces local task tracking, reliance on a third-party AlphaShop API, and a delivery mechanism that is inconsistent or not actually implemented as described. Such mismatch is dangerous because users may consent to 'contacting a supplier' without realizing their data is stored locally, sent to another service, or routed differently than advertised. In a procurement workflow, that can expose business-sensitive questions, quantities, addresses, and supplier interactions.

Description-Behavior Mismatch

Medium
Confidence: 84%
Finding:
The skill contains conflicting instructions about result delivery: one part says results are written to files and returned on the next user message, while another says they are proactively pushed via DingTalk. These contradictions increase the chance of operator misunderstanding, incorrect deployment, and unintended disclosure through the wrong channel. Because inquiry content may include sensitive commercial details, ambiguity about where results go is a real security issue.

Description-Behavior Mismatch

High
Confidence: 99%
Finding:
The skill claims it will push results to 'the user' but actually hardcodes all output to DingTalk target 238382. This creates a direct confidentiality risk: any user's inquiry contents and supplier replies may be sent to a fixed recipient unrelated to that user. The context makes this more dangerous because procurement messages often contain pricing, MOQ, addresses, customization requests, and sourcing strategy.

Missing User Warnings

Medium
Confidence: 91%
Finding:
The README advertises automatic DingTalk push notifications for supplier replies but does not clearly disclose that inquiry content and supplier responses may be forwarded to a third-party messaging platform. This can expose potentially sensitive business information such as pricing, MOQ, customization needs, logistics details, and supplier communications to broader recipients or external systems without informed user consent.

Missing User Warnings

Medium
Confidence: 94%
Finding:
The README instructs users to place access keys and secret keys into configuration without any guidance on secure storage, least privilege, rotation, or avoiding source-control exposure. Mishandling these credentials could allow unauthorized use of the AlphaShop account, abuse of paid APIs, access to inquiry operations, or compromise of connected business workflows.

Vague Triggers

High
Confidence: 88%
Finding:
The trigger list includes overly broad everyday phrases such as asking a seller or asking about a product, which can activate the skill in contexts unrelated to 1688 procurement. Over-triggering is dangerous here because activation can lead to collecting product links, inquiry content, addresses, and eventually sending data to external services or a fixed DingTalk recipient. The broad triggers therefore amplify the impact of the skill's other data-handling issues.

Missing User Warnings

High
Confidence: 97%
Finding:
The skill says it will proactively push results via DingTalk but does not clearly inform the user that the destination is a fixed hardcoded target rather than their own verified account. This undermines meaningful consent and creates a strong risk of silent exfiltration of business communications to an unintended recipient. In this context, the data may include commercially sensitive sourcing details, making the disclosure particularly harmful.

Missing User Warnings

Medium
Confidence: 81%
Finding:
The skill requires access keys and secret keys but does not provide strong safety guidance about their sensitivity, acceptable storage, or the need to avoid exposing them in conversation, logs, or generated files. That omission can lead operators or users to mishandle credentials, especially in an agent environment that may echo configuration examples or errors. While not an exploit by itself, it materially increases secret exposure risk.

Ssd 3

Medium
Confidence: 98%
Finding:
The skill instructs retention of user inquiry content and supplier responses, then directs plain-language transmission of that data to a fixed DingTalk recipient. This is a concrete data leakage path, not merely a documentation issue, because it operationalizes storage plus proactive external disclosure. Given the procurement context, leaked content may reveal pricing negotiations, supplier identities, addresses, product requirements, and sourcing strategy.

Ssd 3

Medium
Confidence: 95%
Finding:
The fallback heartbeat mechanism creates a persistent leak path by reprocessing stored pending inquiries and pushing overdue results via DingTalk. Because it operates on retained records, it can disclose sensitive content even after the original interaction context is gone, increasing blast radius and duration of exposure. This is especially risky when the push target is fixed rather than user-bound.

Unpinned Dependencies

Low
Category: Supply Chain
Content:
requests>=2.20.0
PyJWT>=2.0.0
Confidence: 92%
Finding:
requests>=2.20.0

Unpinned Dependencies

Low
Category: Supply Chain
Content:
requests>=2.20.0
PyJWT>=2.0.0
Confidence: 91%
Finding:
PyJWT>=2.0.0

Known Vulnerable Dependency: requests — 10 advisory(ies): CVE-2014-1830 (Exposure of Sensitive Information to an Unauthorized Actor in Requests); CVE-2024-47081 (Requests vulnerable to .netrc credentials leak via malicious URLs); CVE-2024-35195 (Requests `Session` object does not verify requests after making first request wi) +7 more

High
Category: Supply Chain
Confidence: 96%
Finding:
requests

Known Vulnerable Dependency: PyJWT — 8 advisory(ies): CVE-2026-32597 (PyJWT accepts unknown `crit` header extensions); CVE-2024-53861 (PyJWT Issuer field partial matches allowed); CVE-2022-29217 (Key confusion through non-blocklisted public key formats) +5 more

High
Category: Supply Chain
Confidence: 95%
Finding:
PyJWT

VirusTotal

61/61 vendors flagged this skill as clean.