xianyu-product-manager-skill

Security checks across malware telemetry and agentic risk

Overview

This skill is for managing Xianyu listings, but it includes paths that can publish marketplace products, including batches, without an enforced approval step in this artifact.

Install only if you intend to let an agent prepare and potentially publish Xianyu marketplace listings. Review the separate xianyu-api-client-skill before trusting the confirmation model, use dry_run first, avoid the _unsafe methods unless you have a separate approval process and low-permission credentials, supply user_name explicitly, and verify all listing claims before publishing.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • MCP Tool Poisoning: Hidden Instructions, Unicode Deception, Parameter Description Injection
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Privilege Escalation: Excessive Permissions, Sudo/Root Execution, Credential Access
Findings (4)

Tp4

High
Category
MCP Tool Poisoning
Confidence
93%
Finding
The skill markets itself around enforced confirmation and safe dry-run behavior, but the document explicitly exposes `_unsafe` methods that bypass confirmation and also describes batch creation and image-generation behavior beyond the headline safety claims. This mismatch can mislead operators, reviewers, or higher-level agents into granting trust they would not otherwise give, increasing the chance of unintended write actions on a marketplace account.

Description-Behavior Mismatch

High
Confidence
98%
Finding
The skill advertises enforced confirmation for product creation, but it exposes explicit unsafe paths that bypass confirmation entirely via create_product_unsafe() and create_batch_products_unsafe(). In an agent context, this is dangerous because any automation or prompt-induced call path can cause irreversible marketplace listings to be created without an interactive approval step, undermining the stated safety boundary.

Intent-Code Divergence

High
Confidence
99%
Finding
The documentation claims create_product() requires user confirmation by default, but the implementation immediately performs self.api_client.create_product(product_data) whenever dry_run is False, with no confirmation logic at all. This mismatch creates a false sense of safety and can lead operators or higher-level agents to perform real external side effects under the mistaken assumption that a confirmation barrier exists.

Autonomous Decision Making

Medium
Category
Excessive Agency
Content
### Unsafe Methods (Explicit Opt-In)

For controlled automation, separately named `_unsafe` methods are provided (`create_product_unsafe`, `create_batch_products_unsafe`). These skip confirmation and should only be used after dry-run review with dedicated low-permission credentials.

### Batch Size Limit (Code-Enforced)
Confidence
95%
Finding
skip confirmation

VirusTotal

65/65 vendors reported this skill as clean.
