Security audit

openclaw-skill-customs

Security checks across malware telemetry and agentic risk

Overview

This skill is a disclosed customs-document processor that sends user-selected trade documents to the DaoFei/Leap service; its main risks are sensitive document handling and optional task-management commands.

Install only if you are allowed to send the selected customs documents to the DaoFei/Leap platform. Configure LEAP_API_KEY through the platform environment settings, confirm the file list before upload, avoid list/cancel/retry except for your own tasks, approve any openpyxl installation deliberately, and delete local task folders when they are no longer needed.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • Trigger Abuse: Overly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • MCP Least Privilege: Underdeclared Capability, Wildcard Permission, Missing Permission Declaration
  • MCP Tool Poisoning: Hidden Instructions, Unicode Deception, Parameter Description Injection
Findings (11)

Lp3

Severity: Medium
Category: MCP Least Privilege
Confidence: 94%
Finding
The skill exercises sensitive capabilities including shell execution, filesystem read/write, environment access, and network communication to an external service, but does not declare permissions accordingly. This creates a transparency and governance gap: users or the hosting platform may not realize the skill can exfiltrate uploaded customs documents, access secrets such as API keys, or run arbitrary local commands.

Tp4

Severity: High
Category: MCP Tool Poisoning
Confidence: 89%
Finding
The description presents the skill as a document-processing assistant, but the implementation also performs external authentication checks, remote task management, payload construction, and remote file download while relying on a third-party platform for core processing. This mismatch can mislead users about where data is processed and what operations occur, which is especially sensitive for customs documents that may contain confidential trade and personal information.

Context-Inappropriate Capability

Severity: Medium
Confidence: 95%
Finding
The workflow explicitly instructs the agent to run `pip install openpyxl`, which expands the agent's capabilities by permitting package installation during task execution. Allowing runtime dependency installation increases supply-chain and environment-manipulation risk, especially in a document-processing skill that should not need to modify the host environment to complete a user request.

Context-Inappropriate Capability

Severity: Medium
Confidence: 84%
Finding
The script validates a LEAP_API_KEY by contacting platform.daofeiai.com, but the skill is described as a customs-document processing assistant and the relationship to this external service is not explained in the code. In a skill package, using environment credentials against an unrelated or insufficiently justified third-party service can cause credential disclosure to an unexpected backend and expands the trust boundary unnecessarily.

Description-Behavior Mismatch

Severity: Medium
Confidence: 95%
Finding
The script exposes extra task-management modes (poll, list-tasks, cancel, retry) that go beyond the manifest’s stated customs document classification/extraction purpose. In an agent context, this expands the skill’s authority surface and could let prompts or workflows invoke backend operations unrelated to the user’s intended document processing.

Context-Inappropriate Capability

Severity: Medium
Confidence: 98%
Finding
The list-tasks mode allows enumeration of backend tasks, which is not necessary for customs document processing. If the API key has broad scope, this may expose metadata about other users’ or other workflows’ jobs, enabling information disclosure and reconnaissance.

Context-Inappropriate Capability

Severity: Medium
Confidence: 97%
Finding
The cancel mode permits deletion/cancellation of arbitrary tasks by result_id without any visible linkage to the current workflow. In an agent setting, this can be abused to disrupt processing for other jobs if IDs are guessed, leaked, or enumerated.

Context-Inappropriate Capability

Severity: Medium
Confidence: 96%
Finding
The retry mode enables re-execution of tasks outside the declared purpose of the skill. This can trigger unintended backend processing, consume quota, or rerun jobs on data the current user should not control if task identifiers are exposed.

Vague Triggers

Severity: Medium
Confidence: 82%
Finding
The trigger conditions are broad and keyword-based, so ordinary mentions of customs, invoices, packing lists, bills of lading, or HS codes may invoke the skill even when the user did not intend to upload sensitive files or send data to an external service. In this context, over-triggering is more dangerous because the skill handles regulated trade documents and initiates networked processing workflows.

Missing User Warnings

Severity: Medium
Confidence: 88%
Finding
The workflow directs the agent to open and read raw uploaded files from the task directory to extract additional fields, but it does not require a clear user-facing consent step or warning that sensitive source documents will be re-accessed. In a customs-processing context, those files likely contain personal, financial, and trade data, so silent secondary access can exceed user expectations and increase privacy risk.

Missing User Warnings

Severity: Medium
Confidence: 92%
Finding
Cancellation and retry actions execute immediately from command-line arguments with no confirmation or warning. In agent-driven automation, a mistaken interpretation of user intent or prompt manipulation could cause destructive or costly actions without a safety checkpoint.

VirusTotal

66/66 vendors flagged this skill as clean.
Static analysis

No suspicious patterns detected.