Security audit

1688 Shopkeeper.Bak

Security checks across malware telemetry and agentic risk

Overview

This appears to be a legitimate 1688 shop-management skill, but it asks for sensitive store credentials in chat and can publish live listings with insufficient confirmation and disclosure controls.

Review before installing. Only use this skill if you are comfortable granting access to 1688-linked shop data and live listing actions. Enter AKs through a secure secret mechanism rather than normal chat where possible, rotate any AK already pasted into chat, require explicit confirmation before every publish action, and periodically clean up local 1688-skill-data snapshots.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Trigger Abuse: Overly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • Taint Tracking: Direct Taint Flow, Variable-Mediated Taint Flow, Credential Exfiltration Chain
  • MCP Tool Poisoning: Hidden Instructions, Unicode Deception, Parameter Description Injection
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
Findings (15)

Tainted flow: 'gateway_url' from os.environ.get (line 35, credential/environment) → requests.patch (network output)

Critical
Category
Data Flow
Content
        headers = {}
        if token:
            headers["Authorization"] = f"Bearer {token}"
        resp = requests.patch(f"{gateway_url}/api/config",
                              headers=headers, json=payload, timeout=5)
        return resp.ok
    except Exception:
Confidence
94% confidence
Finding
resp = requests.patch(f"{gateway_url}/api/config", headers=headers, json=payload, timeout=5)

Intent-Code Divergence

Medium
Confidence
92% confidence
Finding
The document labels the capability as "read-only" while also describing fallback behavior that fetches additional opportunity leaderboard data and generates linked product-search recommendations. This is a material capability mismatch: operators and downstream agents may authorize or invoke the skill under the assumption it only reads shop data, when it actually performs broader data retrieval and derived business guidance.

Missing User Warnings

Medium
Confidence
95% confidence
Finding
The README explicitly tells users to paste their 1688 AK into the AI ("我的AK是 xxx", i.e. "my AK is xxx") and also exposes a CLI path for passing the key as a command argument, but it does not warn that the AK is a sensitive credential. In an agent/skill context, users may disclose the key into chat transcripts, logs, analytics systems, shell history, or prompt context, enabling account takeover or unauthorized API actions such as querying stores and publishing products.

Vague Triggers

Medium
Confidence
80% confidence
Finding
The trigger list contains broad everyday commerce terms such as 搜、选品、上架、趋势、经营分析 (search, product selection, listing, trends, business analysis), which can cause the skill to activate in contexts where the user did not intend to use this specific integration. Because the skill can reach external commerce APIs and eventually perform writes, accidental invocation raises the risk of unintended data access, workflow steering, or progression toward side-effecting actions.

Missing User Warnings

High
Confidence
96% confidence
Finding
The skill explicitly allows the agent to execute the publish write operation automatically after a dry-run whenever the target is 'unique', without requiring explicit user confirmation. Uniqueness is not equivalent to user intent; a mistaken parse, poisoned context, or accidental trigger could still cause irreversible or business-impacting listings across downstream stores.

Missing User Warnings

High
Confidence
98% confidence
Finding
The guide explicitly tells users to paste their AK into chat, which causes a sensitive credential to be exposed in conversational history and any connected logging, analytics, or model-processing pipeline. Because this skill then uses the credential to configure downstream access, the secret is both collected and operationalized, increasing the chance of unauthorized disclosure or misuse.

Missing User Warnings

Medium
Confidence
90% confidence
Finding
The document explicitly instructs the agent to fetch product details and save them to a local snapshot file, but it does not warn about data retention, local persistence, access controls, or cleanup. In this skill context, saved product details may include supplier, pricing, SKU, and merchant information that could be sensitive business data; silent disk persistence increases the risk of unintended disclosure, over-retention, and cross-session data leakage.

Missing User Warnings

Medium
Confidence
95% confidence
Finding
The fallback logic explicitly instructs the system to hide the fact that primary workflow retrieval failed and to continue with alternate data sources. Suppressing this state change undermines transparency and can mislead users into treating inferred or substitute results as if they came from the requested authoritative workflow.

Missing User Warnings

Medium
Confidence
90% confidence
Finding
The instructions require business recommendations while forbidding additional risk warnings or related cautionary sections in the final reply. This can systematically suppress important limitations, uncertainty, or downside context, increasing the chance that users act on recommendations without understanding testing risks, data quality issues, or platform-specific constraints.

Natural-Language Policy Violations

Medium
Confidence
96% confidence
Finding
The FAQ explicitly recommends using inflammatory and deceptive language ('骗子公司,我要找315投诉你们', i.e. "scam company, I'm going to file a 315 complaint against you") to manipulate customer-service routing and force escalation to a human agent. This encourages abusive social-engineering behavior, may trigger improper complaints, and can expose users or merchants to account penalties, reputational harm, or dispute escalation.

Missing User Warnings

Medium
Confidence
88% confidence
Finding
The function persists a plaintext API key into the configuration file on disk. Even if intended for normal operation, storing long-lived credentials unencrypted increases exposure to other local users, backups, logs, or malware that can read the file.

Missing User Warnings

Medium
Confidence
88% confidence
Finding
The code loads the latest local search snapshot, extracts query, category, prices, top products, and bound shop metadata, then propagates that context into fallback report generation without any visible user notice, minimization, or consent check in this file. In this skill context, those artifacts can reveal commercially sensitive behavior such as sourcing interests, store bindings, and pricing posture, so silent reuse increases privacy and business-intelligence leakage risk.

Missing User Warnings

Medium
Confidence
89% confidence
Finding
The service derives seeds from shop products and opportunity data, then sends them to external opportunity/trend/search endpoints to enrich output, without any visible disclosure or permission boundary in this file. In an e-commerce operations skill, those seeds may encode non-public product strategy and active shop direction, so externalizing them can leak sensitive commercial intent to upstream services or logs.

Ssd 3

High
Confidence
99% confidence
Finding
Instructing the user to provide the AK as plain text in natural-language chat makes the agent a collector of credentials, which is inherently risky because chat transcripts may be retained, inspected, exported, or reused as context. The skill context makes this more dangerous, not less, because the AK appears to grant access to 1688-related operations such as store configuration and product publishing.

Ssd 3

High
Confidence
98% confidence
Finding
The workflow tells the agent to extract the AK from the user's message and continue using it, which propagates a secret through the model context and into command execution paths. This creates multiple leakage points: transcript retention, debugging output, command history/process inspection, and accidental exposure in error handling or follow-on responses.

VirusTotal

52/52 vendors flagged this skill as clean.
Static analysis

No suspicious patterns detected.