virtual-item-constructor

Security checks across malware telemetry and agentic risk

Overview

This skill is mostly transparent about building test products, but it exposes broad internal tools that can change marketplace item state and send user/system context to Alibaba services without strong scoping or confirmation.

Install only if you trust the publisher and intend to let this skill call internal Alibaba services to find, clone, reprice, tag/untag, and potentially change listing status for product records. Before use, confirm that backend authorization limits mutations to test items/accounts, require explicit confirmation for every clone/price/tag/status change, and consider removing the category/SPU helper if only virtual test-item construction is needed.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • Trigger Abuse: Overly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • MCP Least Privilege: Underdeclared Capability, Wildcard Permission, Missing Permission Declaration
  • MCP Tool Poisoning: Hidden Instructions, Unicode Deception, Parameter Description Injection
Findings (11)

Lp3

Severity: Medium
Category: MCP Least Privilege
Confidence: 82%
Finding: The skill invokes external tools and a knowledge-base search utility, which implies networked and data-access capabilities, yet no explicit permission model or scope constraints are declared in the skill document. This is dangerous because reviewers and orchestrators cannot easily verify what data sources may be accessed or what boundaries apply, increasing the risk of unintended data exposure or overbroad tool use.

Tp4

Severity: High
Category: MCP Tool Poisoning
Confidence: 91%
Finding: The declared purpose says the skill is for compliant test-item construction, but the documented behavior includes broader operational abilities such as item inspection, SKU retrieval, test-item verification, listing status changes, knowledge-base access, and use of an auxiliary assistant. This mismatch is dangerous because it obscures the real attack surface and can lead users or policy engines to authorize a skill that can perform more actions than its description suggests.

Context-Inappropriate Capability

Severity: Medium
Confidence: 88%
Finding: The skill exposes a category/SPU data construction assistant that is outside the stated virtual test-item construction workflow. Unrelated embedded functionality increases the attack surface and creates a path for unintended data access or action routing through tooling that operators may not expect to be available in this skill.

Description-Behavior Mismatch

Severity: Medium
Confidence: 86%
Finding: The skill claims to focus on test-item construction, but it also documents item listing/unlisting operations, which are separate state-changing marketplace actions. This is dangerous because status changes can affect item visibility and business operations, and users may invoke the skill without realizing it has publication-control capabilities.

Description-Behavior Mismatch

Severity: Medium
Confidence: 91%
Finding: The wrapper is wired to invoke a remote tool named "IC-商品打标&去标" (item tagging/untagging), which does not match the skill's declared purpose of virtual item construction/search/clone/price adjustment. This capability mismatch is security-relevant because users and downstream policy may authorize the skill based on the manifest description, while the actual code can perform different inventory-label operations on remote systems, creating a confused-deputy/overprivileged action risk.

Description-Behavior Mismatch

Severity: High
Confidence: 98%
Finding: The implementation performs a POST to a knowledge-search endpoint instead of carrying out the manifest-declared operations for constructing or modifying virtual test items. This capability mismatch is dangerous because users and orchestrators may grant the skill permissions or trust appropriate for item-management workflows while the code actually exfiltrates user input to an unrelated backend, creating deceptive behavior and possible data leakage.

Intent-Code Divergence

Severity: High
Confidence: 96%
Finding: The file header and function documentation explicitly describe a knowledge-base search tool, directly contradicting the advertised virtual-item constructor behavior. Such mislabeling increases the risk of deceptive deployment, misuse by downstream agents, and unsafe routing of sensitive business queries to the wrong service, especially in an environment where skills are selected based on manifest intent.

Vague Triggers

Severity: Medium
Confidence: 84%
Finding: The trigger description includes broad natural-language examples like helping find or construct a test item, which may overlap with ordinary conversation and cause accidental invocation. In a skill that can clone items, modify prices, and remove tags, mis-triggering is risky because it can lead to unintended state-changing operations from ambiguous user phrasing.

Missing User Warnings

Severity: Medium
Confidence: 93%
Finding: The skill automates cloning, price changes, and tag removal, all of which modify item data, but the documentation does not prominently warn users about these risks or require confirmation. This is dangerous because users may unintentionally authorize destructive or compliance-impacting changes, especially where cloned items or removed tags affect downstream testing or marketplace controls.

Vague Triggers

Severity: Medium
Confidence: 93%
Finding: The description includes broad natural-language triggers such as "帮我找一个测试商品" (help me find a test item) and "构造一个XX类目的商品" (construct an item in category XX), plus multiple operational capabilities in one sentence. This can cause the skill to activate for ordinary user requests and perform sensitive item lookup, cloning, repricing, or label cleanup without sufficiently narrow scoping.

Missing User Warnings

Severity: Medium
Confidence: 90%
Finding: The script sends caller-controlled params and systemParams to a remote Alibaba TBMCP endpoint, but provides no explicit notice, consent step, allowlist, or minimization of what leaves the local environment. In an agent-skill context, this can expose sensitive user, account, or internal workflow data to an external service unexpectedly, especially because systemParams may contain hidden contextual metadata.

VirusTotal

67/67 vendors flagged this skill as clean.
