Skill flagged — suspicious patterns detected
ClawHub Security flagged this skill as suspicious. Review the scan results before using.
xc-xiaov
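v1.0.3 · Vipshop's dedicated AI shopping assistant "小v". When the user mentions shopping, outfit advice, fashion trends, or a search for a specific product, 小v dynamically invokes internal sub-skills to provide product recommendations, detail lookups, and promotions.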
MIT-0
License: MIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
OpenClaw
Suspicious
medium confidence
Purpose & Capability
The name/description (Vipshop shopping assistant) match the actions described (search, detail, promotions, login). Requiring a login state and using a CLI wrapper to call Vipshop APIs is coherent with the stated purpose. However, some required actions—global npm installs and explicit reading/returning of local files—are stronger than minimal needs for a pure query-only assistant and should be justified by the author.
Instruction Scope
SKILL.md repeatedly instructs the agent to auto-trigger login flows without further user confirmation, to poll login status (3s intervals up to 10 times), and to return both an online QR link and the generated local QR image file in the chat. The docs also require reading and using ~/.vipshop-user-login/tokens.json (cookies/token) for API calls. Those instructions extend beyond plain query behavior and require filesystem access and potentially sending local file contents into the conversation — a privacy risk.
Install Mechanism
There is no packaged install spec in the registry entry, but the instructions tell the agent/operator to run `npm install -g vipshop-cli@latest` if missing. Global npm installs pull code from the public registry and represent a supply-chain risk; the skill does not provide a pinned release URL, checksum, or signed distribution. This is an expected implementation choice for a CLI-based skill but is higher-risk than an instruction-only wrapper that uses a documented official API client.
Credentials
The skill declares no environment variables but explicitly requires reading a local token file (~/.vipshop-user-login/tokens.json) and using cookies (PASSPORT_ACCESS_TOKEN / mars_cid) for requests. Accessing these files is proportional to performing authenticated Vipshop actions, but it is sensitive: the agent is instructed to read and act on credentials and to embed local artifacts (QR image) into chat responses. The skill asks for no other unrelated credentials, so the scope of credential access is relevant to its purpose but sensitive.
Persistence & Privilege
The skill is not forced-always and does not request elevated platform privileges. However, its runtime rules mandate autonomous behavior (automatic login triggering, polling, and continuing tasks after login) that will make the agent act without an explicit follow-up consent step from the user. Autonomous invocation is the platform default, but combined with the other flagged behaviors this increases risk.
Scan Findings in Context
[no_code_files] expected: Regex-based scanner found no code because this is an instruction-only skill (documentation and SKILL.md files). The absence of code reduces some direct static-analysis signal but means the SKILL.md instructions are the primary surface to review.
What to consider before installing
This skill appears to implement a genuine Vipshop shopping assistant, but it asks the agent to perform several sensitive actions automatically. Before installing or enabling it, consider the following:
- Source verification: The skill's source/homepage is unknown. Confirm the publisher and the origin of the `vipshop-cli` NPM package it asks you to install. Prefer an official, version-pinned release or a vendor-signed artifact.
- NPM risk: The skill instructs a global `npm install -g vipshop-cli@latest`. Installing an unpinned global package can introduce supply-chain risk; only install if you trust the package and have reviewed its repository and maintainers.
- Local token access: The skill requires reading ~/.vipshop-user-login/tokens.json and using cookies (PASSPORT_ACCESS_TOKEN). That file contains session state/credentials. Be aware the skill's instructions encourage the agent to read and act on these credentials; only enable this if you accept the agent having programmatic access to that file.
- QR image handling: The docs require returning both an online QR link and the local QR image file to the chat. Returning local files or their paths can leak filesystem structure or sensitive local content. If you enable this skill, decide whether you accept the agent embedding local image data into conversations.
- Automatic behavior & consent: The skill mandates automatically initiating login, polling, and continuing tasks after login without an explicit additional user confirmation. If you prefer manual control, request the author add opt-in prompts (e.g., "Start login? [yes/no]") and avoid automatic global installs.
If any of these points is unacceptable, do not install or invoke the skill. If you still want it, ask the author to provide: a verifiable package source (URL + pinned version), an opt-in login flow (require explicit user consent before triggering login/polling), and an option to avoid returning local file contents in chat (instead show only a safe link).
Like a lobster shell, security has layers — review code before you run it.
