Back to skill

Security audit

1688 Distribution Knowledge Newton

Security checks across malware telemetry and agentic risk

Overview

The skill appears intended to query a 1688 knowledge base, but its setup flow asks users to paste a sensitive AK credential into chat and persists/transmits it with limited safety disclosure.

Install only if you are comfortable giving this skill access to your 1688 AK. Prefer a platform-managed secret entry method instead of pasting the AK into chat, verify OPENCLAW_GATEWAY_URL is trusted before configuration, and rotate the AK if it was exposed in a conversation or stored somewhere you do not control.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
  • Excessive AgencyUnrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • Taint TrackingDirect Taint Flow, Variable-Mediated Taint Flow, Credential Exfiltration Chain
  • MCP Tool PoisoningHidden Instructions, Unicode Deception, Parameter Description Injection
  • Prompt InjectionInstruction Override, Hidden Instructions, Exfiltration Commands
Findings (10)

Tainted flow: 'gateway_url' from os.environ.get (line 33, credential/environment) → requests.patch (network output)

Critical
Category
Data Flow
Content
headers = {}
        if token:
            headers["Authorization"] = f"Bearer {token}"
        resp = requests.patch(f"{gateway_url}/api/config",
                              headers=headers, json=payload, timeout=5)
        return resp.ok
    except Exception:
Confidence
94% confidence
Finding
resp = requests.patch(f"{gateway_url}/api/config", headers=headers, json=payload, timeout=5)

Description-Behavior Mismatch

High
Confidence
97% confidence
Finding
This file implements a credential-configuration CLI for an AK secret, which is materially outside the declared purpose of a knowledge-base query skill. Scope mismatch is dangerous because it enables secret handling and persistence in a package that users and reviewers would reasonably expect to be read-only/document-query oriented, increasing the chance of hidden credential collection or misuse.

Context-Inappropriate Capability

High
Confidence
98% confidence
Finding
The code checks for existing AKs, validates user-supplied AKs, and writes them via a gateway or file fallback, giving the skill credential-management capabilities unrelated to querying 1688 distribution documents. In the context of a knowledge skill, this is especially risky because it expands the attack surface to secret discovery and persistence, and could be abused to capture, overwrite, or redirect credentials without a clear business need.

Context-Inappropriate Capability

High
Confidence
97% confidence
Finding
The skill is described as a knowledge-base query tool, but this file implements API-key validation, persistence, and gateway configuration logic. That is a clear scope mismatch: a content-query skill should not silently manage secrets and mutate system configuration, because it increases the attack surface and enables behavior users would not reasonably expect from the manifest.

Description-Behavior Mismatch

High
Confidence
97% confidence
Finding
This file writes to the OpenClaw gateway and local config files even though the skill metadata says it only queries 1688 distribution documentation. Hidden write capabilities are dangerous because they allow persistence and environmental modification outside the expected function of the skill, making unauthorized secret storage or future misuse more likely.

Missing User Warnings

Medium
Confidence
93% confidence
Finding
The skill instructs the agent to collect and configure an Access Key but provides no warning that the AK is a sensitive credential or guidance on secure handling. This increases the likelihood that users disclose secrets casually and that the credential is processed or stored in ways they do not understand.

Missing User Warnings

High
Confidence
98% confidence
Finding
The user is told to send their AK directly in chat text ('我的AK是 xxxxxx'), which exposes a live credential through conversational channels that may be logged, retained, inspected, or replayed. Because the AK is bound to user identity, compromise could enable unauthorized access to the user's 1688-related resources or actions.

Missing User Warnings

Medium
Confidence
85% confidence
Finding
The code persists the API key directly into the OpenClaw config file without any visible warning, confirmation, or indication of storage protections in this file. Storing secrets on disk can expose them to other local users, backups, logs, or later compromise if file permissions are weak or the config path is broadly accessible.

Missing User Warnings

Medium
Confidence
90% confidence
Finding
The function sends the API key to a gateway endpoint with no visible user-facing disclosure in this file, and the default URL uses plain HTTP to localhost. Secret transmission without explicit notice is risky on its own, and using unauthenticated plaintext transport creates additional opportunities for interception or redirection if the environment or local network path is compromised.

Ssd 3

High
Confidence
99% confidence
Finding
The skill explicitly directs the agent to solicit the user's AK, extract it from the chat message, and immediately use it to configure the environment. This is dangerous because it operationalizes secret harvesting from unstructured conversation and turns the chat channel into a credential collection path, increasing the chance of leakage, misuse, and persistent compromise.

VirusTotal

VirusTotal findings are pending for this skill version.

View on VirusTotal

Static analysis

No suspicious patterns detected.