京东自营9.9包邮

Security checks across malware telemetry and agentic risk

Overview

The skill is a product-query helper, but its bundled backend code and product claims are broader than the user-facing description.

Install only if you are comfortable with the skill sending queries to the publisher’s cloud proxy and with recommendations that may include flagship-store items despite self-operated-only wording. The publisher should narrow the backend API, remove or rotate the embedded token, and align the product claims with the actual filters.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • MCP Tool Poisoning: Hidden Instructions, Unicode Deception, Parameter Description Injection
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Privilege Escalation: Excessive Permissions, Sudo/Root Execution, Credential Access
Findings (10)

Description-Behavior Mismatch

Medium (95% confidence)
The skill metadata describes a narrowly scoped 9.9包邮 self-operated product query tool, but the code exposes additional generic affiliate proxy endpoints such as goods_query, material, category, activity, and promote. This expands the reachable functionality beyond the declared scope, which can mislead integrators and enable unintended data access or affiliate operations.

Description-Behavior Mismatch

Medium (97% confidence)
The implementation permits callers to query arbitrary eliteId channels and generic goods search results, including non-self-operated items, despite the skill description claiming only curated 京东自营 9.9包邮 goods. In a skill context, this mismatch is security-relevant because downstream agents or users may trust declared constraints that are not actually enforced.

Description-Behavior Mismatch

Medium (83% confidence)
The formatter derives `is_self` from `isJd == 1` or whether the shop name contains the string `自营`, but it does not enforce or verify that every returned item is truly JD self-operated. Because the tool’s summary text repeatedly tells users results are `京东自营商品`, any upstream proxy mistake, spoofed `shopName`, or policy drift could cause mislabeled third-party items to be presented as trusted self-operated goods.

Intent-Code Divergence

Medium (79% confidence)
The module comments say the SCF hard-filters `自营/旗舰店`, while user-facing copy later claims items are `京东自营商品`. This mismatch can mislead users into trusting the provenance and fulfillment model of recommended products, which matters in an e-commerce context where self-operated versus marketplace items have different trust, return, and service expectations.

Description-Behavior Mismatch

High (96% confidence)
The skill advertises itself as a narrow 9.9包邮商品查询工具, but the implementation exposes multiple broader JD affiliate proxy operations including goods search, material, activity, category, and promotion link conversion. This expands the tool's authority beyond user expectations and can be abused to access affiliate functionality not implied by the manifest.

Description-Behavior Mismatch

Medium (94% confidence)
The code permits non-9.9 queries by accepting arbitrary request types and by allowing jingfen requests with eliteId values other than the dedicated 9.9 channel. This undermines the declared scope and lets callers use the service as a general JD affiliate proxy rather than a constrained recommendation tool.

Description-Behavior Mismatch

High (97% confidence)
The manifest claims only 京东自营商品 are returned, but the hard filter explicitly also keeps 旗舰店 items. This is a scope-integrity problem: downstream agents or users may rely on stricter provenance guarantees than the code actually enforces, leading to deceptive or policy-violating recommendations.

Description-Behavior Mismatch

Medium (92% confidence)
The manifest says the skill is curated to 98%+ positive ratings, but the cache-layer hard filter only enforces 97%, with 98% applied later as a dynamic filter. This mismatch weakens the claimed quality guarantee and can allow lower-rated items into cached data or alternate paths, reducing trust in the tool's stated selection criteria.

Context-Inappropriate Capability

Medium (87% confidence)
Promotion link conversion enables generation of affiliate tracking links, which is materially broader than a read-only low-price product query tool. In a skill presented as a recommendation/search utility, this hidden capability increases abuse potential for unsolicited affiliate redirection or monetization workflows.

Missing User Warnings

Medium (95% confidence)
A hardcoded proxy token is embedded directly in source and sent on every outbound request. Anyone with code access can extract and reuse the credential to call the backend service, potentially leading to unauthorized use, abuse of the proxy, quota exhaustion, or access to cached data and service behavior not intended for the public.

VirusTotal

VirusTotal findings are pending for this skill version.
