xc-xiaov

Security checks across malware telemetry and agentic risk

Overview

This Vipshop shopping assistant is not clearly malicious, but it asks agents to install a global CLI and start account login flows automatically with too little user control.

Review before installing. Use this only if you are comfortable with a globally installed `vipshop-cli`, Vipshop account login from the agent, saved session state, QR-code polling, and authenticated shopping API calls. Require explicit confirmation before any install, login, QR sharing, polling, token use, or logout action.
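The confirmation rule above can be enforced mechanically rather than left to the agent's judgement. The following is an added example (not code from the skill or from `vipshop-cli`) of a consent gate: unauthenticated search stays free, every account or host action consumes its own one-shot grant, the ambiguous follow-up phrases the scanners flag ('下一页', '上一页') are only honoured while an explicitly requested search is fresh, and the 3-second, 10-attempt login poll is consent-gated and hard-capped. The action names, risk tiers, window length and the `check_logged_in` callable are assumptions made for the example.

```python
# Added example (not code from the skill or vipshop-cli): a consent gate that
# keeps search low-risk while install, login, QR sharing, polling, token use
# and logout each need their own explicit confirmation. Action names, tiers
# and the follow-up window are assumptions for illustration.
from __future__ import annotations

import time
from dataclasses import dataclass, field
from enum import Enum


class Tier(Enum):
    INFO = "info"        # unauthenticated, read-only: product search, promotion lookup
    ACCOUNT = "account"  # touches account state: login, QR, polling, token use, logout
    HOST = "host"        # modifies the host: global package install


# Illustrative policy table (assumed, not defined by the skill).
POLICY = {
    "search": Tier.INFO,
    "promotion_lookup": Tier.INFO,
    "product_detail": Tier.INFO,
    "install_cli": Tier.HOST,
    "login": Tier.ACCOUNT,
    "share_qr": Tier.ACCOUNT,
    "poll_login": Tier.ACCOUNT,
    "use_token": Tier.ACCOUNT,
    "logout": Tier.ACCOUNT,
}

# Bare follow-up phrases the report flags as ambiguous ("next page", "previous
# page"); they only mean something while a requested search is still fresh.
FOLLOW_UP_PHRASES = {"下一页", "上一页"}


class ConsentRequired(Exception):
    """Raised when an ACCOUNT or HOST action has no matching unused grant."""


@dataclass
class Gate:
    consents: set = field(default_factory=set)  # one-shot grants, keyed by action
    last_search_at: float | None = None         # time of the last explicit search
    follow_up_window_s: float = 300.0           # how long "next page" stays valid

    def grant(self, action: str) -> None:
        """Record one explicit user confirmation for exactly one action."""
        if action not in POLICY:
            raise ValueError(f"unknown action {action!r}")
        self.consents.add(action)

    def blocked(self, action: str) -> bool:
        """Read-only check: would `action` be refused right now?"""
        tier = POLICY.get(action)
        return tier is None or (tier is not Tier.INFO and action not in self.consents)

    def authorize(self, action: str, now: float = 0.0) -> Tier:
        """Allow INFO actions freely; ACCOUNT/HOST actions consume a matching grant."""
        if self.blocked(action):
            raise ConsentRequired(f"{action!r} needs explicit user confirmation")
        tier = POLICY[action]
        if tier is Tier.INFO:
            if action == "search":
                self.last_search_at = now
        else:
            self.consents.discard(action)  # a grant covers one call, not a session
        return tier

    def accept_follow_up(self, phrase: str, now: float) -> bool:
        """Accept '下一页'/'上一页' only while an explicitly requested search is fresh."""
        if phrase not in FOLLOW_UP_PHRASES or self.last_search_at is None:
            return False
        return (now - self.last_search_at) <= self.follow_up_window_s


def poll_login(gate: Gate, check_logged_in, attempts: int = 10,
               interval_s: float = 3.0, sleep=None) -> tuple[bool, int]:
    """Bounded login polling (the report's 3 s x 10): consent first, hard cap after.

    `check_logged_in` is a caller-supplied callable (assumed interface) that
    returns True once the QR login has completed. `sleep` is injectable so the
    loop can be exercised without waiting. Returns (logged_in, attempts_used).
    """
    sleep = sleep or time.sleep
    gate.authorize("poll_login")  # raises ConsentRequired if the user never agreed
    for n in range(1, attempts + 1):
        if check_logged_in():
            return True, n
        if n < attempts:
            sleep(interval_s)
    return False, attempts  # give up; never loop forever or restart silently
```

The design point is that a grant is scoped to one action and one invocation: agreeing to log in does not imply agreeing to share the QR link, poll, or reuse the resulting token, and a second login later needs a second confirmation.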

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • Trigger Abuse: Overly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Privilege Escalation: Excessive Permissions, Sudo/Root Execution, Credential Access
Findings (20)

Context-Inappropriate Capability

Medium severity, 94% confidence
The skill is declared as a product-search capability, but it instructs the agent to initiate and manage account login automatically, including QR login and post-login continuation. That expands the trust boundary from low-risk search into authenticated account actions without a separate explicit user consent step, increasing the chance of unintended credentialed operations and cross-skill privilege escalation.

Context-Inappropriate Capability

Medium severity, 88% confidence
The README extends the search skill into invoking product-detail retrieval through another skill or command, which exceeds its declared purpose and creates hidden cross-skill behavior. This kind of scope expansion makes it easier for a loosely triggered skill to chain into additional actions the user did not explicitly request under a narrower permission model.

Context-Inappropriate Capability

Medium severity, 95% confidence
The skill instructs the agent to globally install and execute `vipshop-cli` on the host, which expands its behavior from a narrow promotion-query helper into host-level software modification and arbitrary CLI execution. This increases supply-chain and system-integrity risk because a shopping query should not require unattended global package installation.

Context-Inappropriate Capability

Medium severity, 97% confidence
The skill requires the agent to automatically initiate login, poll for authentication state, and continue using the authenticated session without an explicit user action at the time of login. That is an account-authentication capability beyond the stated purpose of promotion lookup and can lead to unauthorized account access flows, privacy exposure, and overbroad agent autonomy.

Vague Triggers

Medium severity, 86% confidence
The skill description says it should activate when users mention broad topics like shopping, styling advice, fashion trends, or product search. These triggers overlap heavily with ordinary conversation, increasing the chance the agent invokes commerce-related actions in contexts where the user did not explicitly intend to use this skill. In a skill that can initiate authentication and downstream actions, overly broad activation meaningfully raises the risk of unintended account-flow initiation.

Vague Triggers

Medium severity, 89% confidence
Example phrases such as '想买东西' ("I want to buy something"), '怎么穿搭' ("how should I dress") and '最近流行什么' ("what is trending lately") are vague, common expressions that can arise in normal conversation without any intent to use a shopping platform. Because the skill is designed to proactively call search and promotion interfaces from such phrases, it can convert casual dialogue into tool execution and lead users into login or commercial workflows unexpectedly.

Missing User Warnings

Medium severity, 93% confidence
The skill states that all subskills can automatically trigger the `vipshop login` flow and use a blocking wait until login completes, without requiring a fresh user request at that moment. Automatically initiating an authentication flow is dangerous because it can surprise users, create consent ambiguity, and push them into granting account access while they believe they are only asking for informational assistance. The context makes this more serious because the parent skill also has broad triggers, making accidental auth initiation more plausible.

Missing User Warnings

Medium severity, 91% confidence
The document instructs the assistant to proactively poll every 3 seconds up to 10 times during login, but does not describe a clear user-facing warning or consent step for this persistent background checking. Even though the polling window is bounded, hidden or unexpected repeated status checks during authentication can be invasive, confusing, and may normalize background monitoring without transparency.

Missing User Warnings

Medium severity, 88% confidence
The skill instructs the agent to automatically trigger login, read login state, and use access tokens/cookies, but it does not clearly warn users about the privacy and account-security implications of doing so. In an agent setting, silent or automatic account-authenticated actions can surprise users, expose session-linked data, and normalize handling of sensitive credentials without informed consent.

Missing User Warnings

High severity, 97% confidence
The skill directs the agent to expose login QR artifacts to the user without any warning, verification, or scope limitation. Login QR codes and related artifacts are authentication material; surfacing both the online link and local image path increases the chance of session hijacking, phishing-style relay, or disclosure of local filesystem information.

Vague Triggers

Medium severity, 91% confidence
Triggers like '下一页' ("next page"), '上一页' ("previous page"), bare price ranges, and '第X个' ("the Xth one") are highly ambiguous and occur in ordinary conversation unrelated to this skill. Such broad follow-up activation criteria can cause the agent to invoke the skill unexpectedly, potentially acting on stale authenticated context or prior search state without clear user intent.

Vague Triggers

Medium severity, 93% confidence
Allowing activation from arbitrary product keywords alone makes the skill overlap with normal conversation and creates a large accidental-trigger surface. In this skill's context, broad activation is more dangerous because the skill can subsequently drive authenticated flows and additional commands, not just return passive information.

Missing User Warnings

Medium severity, 96% confidence
The skill directs the agent to automatically start login and continue searching without obtaining explicit confirmation for an account-authenticated action. This is dangerous because it normalizes silent progression into a privileged session flow, where ambiguous user input could lead to account-linked operations the user did not knowingly approve.

Missing User Warnings

Medium severity, 94% confidence
The skill explicitly instructs the agent to initiate a login flow automatically whenever it detects the user is not authenticated, without first obtaining explicit consent. This can trigger unintended authentication actions, surprise the user, and cause the agent to expose login artifacts or interact with account state in ways the user did not clearly authorize.

Missing User Warnings

Medium severity, 96% confidence
The skill requires the agent to return both the QR login URL and the local filesystem path of the generated QR image to the user, with no privacy or safety guardrails. Exposing local paths leaks host environment details unnecessarily, and sharing authentication artifacts too broadly can increase the chance of credential interception, phishing-style misuse, or operational information disclosure.

Vague Triggers

Medium severity, 88% confidence
The detail-query triggers include very broad patterns such as '第X个' ("the Xth one") and '详情X' ("details of X"), which overlap with normal conversational references and can cause the skill to execute product-detail actions unexpectedly. In a shopping assistant context this is less severe than code execution, but it can still produce unintended account-linked queries, context confusion, and accidental disclosure of prior search-derived results.

Missing User Warnings

High severity, 96% confidence
The skill mandates automatic login and sharing QR login artifacts without clear privacy warnings, consent boundaries, or explanation of account impact. In context, this is dangerous because the skill is nominally for promotion lookup, yet it performs sensitive authentication actions and exposes authentication-related artifacts to the user workflow.

Missing User Warnings

Medium severity, 91% confidence
The skill explicitly instructs the agent to return both the QR link and the corresponding local image file path/file to the user. Exposing local filesystem artifacts can leak host environment details such as directory structure, usernames, temp locations, or other sensitive metadata, and sending a local file directly may unintentionally disclose more than the intended QR content. In this context, only the QR content needs to be shown to the user; revealing the local storage path is unnecessary and increases attack surface.

Ssd 3

High severity, 99% confidence
This is a real security issue: the skill explicitly instructs the agent to return both the QR-code login link and the path of the generated local image during automatic login. In a QR login flow, whoever scans the link completes the login for the session that requested it, so an exposed link allows unauthorized login completion and is the raw material for phishing-style relay; the local path leaks implementation details about the host environment. In a shopping assistant, where user accounts and purchase data are sensitive, that translates into account takeover, unauthorized login completion, and local path disclosure.

Ssd 3

Medium severity, 94% confidence
The skill explicitly instructs the agent to return both the QR login link and the local QR image path obtained from the CLI. Exposing authentication artifacts and local filesystem paths is unnecessary for a promotion-search capability and can leak sensitive operational details or facilitate misuse of the login flow.
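The repeated QR-artifact findings above (the link plus the local image path) share one fix: filter what the agent relays after `vipshop login`. The following is an added example (not code from the skill or from `vipshop-cli`) that passes through only a QR link whose host matches an expected allowlist, rejects links pointing elsewhere, and redacts absolute POSIX and Windows paths and `file://` URIs before anything is echoed to the user. The CLI output lines are constructed for the example (the real output format of `vipshop-cli` is not documented on this page), and the allowed host suffix `vip.com` is an assumption.

```python
# Added example (not code from the skill or vipshop-cli): sanitize `vipshop login`
# output so the user sees the QR link and nothing about the local filesystem.
# The sample output is constructed and the host allowlist is an assumption.
import re
from urllib.parse import urlparse

# Assumption for the example: the QR login page is served under this suffix.
ALLOWED_HOST_SUFFIXES = ("vip.com",)

URL_RE = re.compile(r"https?://[^\s'\"<>]+")
LOCAL_PATH_RE = re.compile(
    r"file://\S+"                              # file URIs
    r"|(?<![\w:/])/(?:[\w.\-]+/)*[\w.\-]+"      # POSIX absolute paths
    r"|[A-Za-z]:\\(?:[^\\\s]+\\)*[^\\\s]*"      # Windows drive paths
)

# Constructed stand-in for CLI output; not captured from vipshop-cli.
SAMPLE_LOGIN_OUTPUT = """Scan the QR code to log in
QR URL: https://h5.vip.com/login/qr?token=ABC123
QR image saved to /home/alice/.vipshop-cli/qr-20240101.png
"""


def host_allowed(url: str, suffixes=ALLOWED_HOST_SUFFIXES) -> bool:
    """Exact or subdomain match of the URL's host against the allowlist.

    Matching the parsed hostname (not a substring of the URL) is what stops
    https://vip.com.evil.example/... or https://evil.example/?u=vip.com.
    """
    host = (urlparse(url).hostname or "").lower()
    return any(host == s or host.endswith("." + s) for s in suffixes)


def sanitize_login_output(raw: str, suffixes=ALLOWED_HOST_SUFFIXES) -> dict:
    """Split CLI output into what may be shown and what must be withheld.

    Returns qr_url (first allowed link or None), rejected (links on other
    hosts), redacted (local paths found) and user_text (the only string that
    should reach the user).
    """
    urls = URL_RE.findall(raw)
    allowed = [u for u in urls if host_allowed(u, suffixes)]
    rejected = [u for u in urls if not host_allowed(u, suffixes)]
    # Remove every URL first so URL paths are never mistaken for local paths.
    without_urls = URL_RE.sub(" ", raw)
    redacted = LOCAL_PATH_RE.findall(without_urls)
    qr_url = allowed[0] if allowed else None
    if qr_url:
        user_text = "Scan this QR link in the Vipshop app: " + qr_url
    else:
        user_text = "The login link could not be verified and was not shown."
    return {
        "qr_url": qr_url,
        "rejected": rejected,
        "redacted": redacted,
        "user_text": user_text,
    }


if __name__ == "__main__":
    result = sanitize_login_output(SAMPLE_LOGIN_OUTPUT)
    print(result["user_text"])
    print("withheld local paths:", result["redacted"])
```

The user-facing string carries the link only; the local path and any rejected link stay in the structured result for the agent's own logging, never in the reply. If the QR must be shown as an image, render it from the link rather than sending the file the CLI wrote.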

VirusTotal

0 of 64 vendors flagged this skill; all 64 returned clean. Note that a clean antivirus result says nothing about the findings above: the risk here lies in the instructions the skill gives the agent (unattended install, automatic login, QR sharing, polling, token use), not in a malicious binary that signature scanning would catch.