Logistics Delay Detection & Reassurance SMS

Security checks across malware telemetry and agentic risk

Overview

The skill matches its logistics/SMS purpose, but it handles customer data and SMS credentials with too few safety guardrails.

Review before installing. Use dry-run first, confirm recipients and message content before using --send, preinstall/pin dependencies instead of allowing runtime pip installation, keep SMS/API keys in environment variables or a secret manager, and treat generated JSON/HTML reports as sensitive because they contain customer phone and order data.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • Trigger Abuse: Overly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • Behavioral AST: exec() Call, eval() Call, Dynamic Import
  • MCP Tool Poisoning: Hidden Instructions, Unicode Deception, Parameter Description Injection
Findings (8)

os.system() or os exec-family call

High
Category
Dangerous Code Execution
Content
try:
    import requests
except ImportError:
    print("[SETUP] 安装依赖: pip install requests")
    os.system(f"{sys.executable} -m pip install requests -i https://pypi.tuna.tsinghua.edu.cn/simple/ --trusted-host pypi.tuna.tsinghua.edu.cn")
    import requests

# ============ Configuration ============
Confidence
95% confidence
Finding
os.system(f"{sys.executable} -m pip install requests -i https://pypi.tuna.tsinghua.edu.cn/simple/ --trusted-host pypi.tuna.tsinghua.edu.cn")

Context-Inappropriate Capability

Medium
Confidence
92% confidence
Finding
The skill auto-installs Python packages at runtime via shell command, which is not necessary for core logistics checking logic and expands the attack surface. This can execute unreviewed third-party code during normal use and makes behavior environment-dependent and harder to audit.

Intent-Code Divergence

Medium
Confidence
84% confidence
Finding
The module claims to be a logistics delay detection engine, but it also performs package installation and shell execution. This capability mismatch is risky because users reviewing the description may not expect code execution beyond network queries and file processing.

Vague Triggers

Medium
Confidence
83% confidence
Finding
The trigger list contains broad phrases like '物流提醒', 'delivery notification', and '电商物流' that can match ordinary user requests and invoke a skill with network, file, shell, and outbound messaging capabilities. In this context, ambiguous activation is risky because the skill processes customer data and can progress toward sending SMS, increasing the chance of unintended data handling or message preparation.

Missing User Warnings

High
Confidence
95% confidence
Finding
The skill handles sensitive customer and order data, including names, phone numbers, tracking numbers, and order details, and sends them to external logistics and SMS providers without a clear privacy notice, consent model, retention policy, or minimization guidance. This creates significant privacy and compliance risk, especially because external transmission is central to the workflow and the data relates to identifiable customers.

Missing User Warnings

Medium
Confidence
93% confidence
Finding
The document explicitly shows a JSON configuration format containing cloud SMS credentials in plaintext (`access_key_id` and `access_key_secret`) without any warning that the file is sensitive, should be kept local only, or must never be committed to source control. In a real skill used by operators, examples like this commonly get copied into tracked config files, creating a practical secret-leak risk that can lead to abuse of the SMS account and related cloud resources.

Missing User Warnings

Medium
Confidence
94% confidence
Finding
The Tencent Cloud SMS section demonstrates storing `secret_id` and `secret_key` in plaintext JSON, again without a warning about credential sensitivity or secure storage. Because this skill is designed for production messaging workflows, exposed SMS credentials could be abused to send unauthorized messages, incur charges, or support broader account compromise depending on cloud permissions.

Missing User Warnings

Medium
Confidence
89% confidence
Finding
The script sends tracking numbers and the last four digits of customer phone numbers to an external API, which is a real privacy and data-handling concern. In the logistics context this data flow is functionally related, but the code does not present an explicit consent notice, vendor disclosure, or minimization guidance before transmitting customer data.

VirusTotal

64/64 vendors flagged this skill as clean.
