xinyi-drink

Security checks across malware telemetry and agentic risk

Overview

This skill is a disclosed beverage-service integration that uses a phone number for rewards and order lookup, with privacy caveats users should understand.

Install only if you are comfortable sending your own 新一咖啡 bound phone number to the configured Xinyi backend for reward and order features. Avoid using someone else’s number, do not override XINYI_API_BASE_URL unless you trust the server, and clear the local cache on shared machines with the documented clear-mobile command.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Trigger Abuse: Overly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Privilege Escalation: Excessive Permissions, Sudo/Root Execution, Credential Access
  • Supply Chain: Unpinned Dependencies, External Script Fetching, Obfuscated Code
Findings (14)

Vague Triggers

Medium
Confidence: 84%
Finding
The trigger keywords include broad phrases like '下午茶', '困了', and '上班犯困', which are common conversational terms not uniquely tied to this brand or skill function. That can cause unintended invocation in unrelated chats, leading the skill to prompt for or reuse sensitive data such as a saved mobile number in contexts where the user did not actually intend to access this service.

Missing User Warnings

Medium
Confidence: 95%
Finding
The skill explicitly instructs the agent to collect, cache, and reuse users' phone numbers and activity status, but provides no user-facing notice, consent flow, retention limit, or privacy disclosure. Because phone numbers are personal data and are linked here to account/activity state, silent local caching increases privacy and misuse risk if the data is accessed, retained too long, or reused outside the user's expectation.

Missing User Warnings

Medium
Confidence: 93%
Finding
The workflow directs the agent to send the user's phone number to backend endpoints such as `/skill/xinyi/claim` without requiring a user-facing disclosure that personal data will be transmitted off-device/network for eligibility checking. Even if operationally necessary, undisclosed transmission of a phone number to backend services can violate user expectations and privacy requirements, especially when tied to registration and claim status.

Vague Triggers

Medium
Confidence: 92%
Finding
The routing table includes broad trigger phrases such as “参加活动”, which can plausibly appear in general conversation and may cause the xinyi-drink skill to activate when the user did not clearly intend to use this brand-specific skill. In this skill’s context, unintended invocation is more dangerous because the skill can request or reuse a phone number and trigger reward or order-query flows, increasing the chance of privacy-impacting actions under ambiguous intent.

Missing User Warnings

Medium
Confidence: 95%
Finding
The skill explicitly asks the user to send a phone number tied to a mini-program account, but the example provides no notice about why the number is needed, how it will be used, whether it will be stored, or how it will be protected. This creates a privacy and social-engineering risk because users are encouraged to disclose personal data in-chat without informed consent or minimization guidance.

Missing User Warnings

Medium
Confidence: 96%
Finding
This workflow normalizes sending a bound phone number to claim benefits, but omits any privacy warning, consent language, or explanation of handling practices. Because the requested number is linked to an account, misuse could expose account-related information or enable unauthorized lookups and phishing-style impersonation.

Missing User Warnings

Medium
Confidence: 95%
Finding
The example again prompts the user to provide a bound phone number without any warning about privacy, data use, or security. Repeating this pattern in user-visible guidance increases the likelihood that users will treat disclosure of personal identifiers as routine, making the skill more susceptible to privacy harm and abuse if the data is mishandled.

Missing User Warnings

Medium
Confidence: 94%
Finding
The code renders the user's phone number and its source directly into the generated context output, and other flows also prompt for and echo the number. Phone numbers are sensitive personal data; exposing them in responses or prompt context increases the risk of unnecessary disclosure, logging leakage, and downstream reuse beyond the minimum needed to fulfill the request.

Missing User Warnings

Medium
Confidence: 90%
Finding
The code persists a user's mobile number and activity participation state to a local JSON file, creating a privacy risk if the host is shared, backed up, or otherwise accessible to other local processes or users. Although the file is chmod'd to 0600, there is no encryption, no retention limit, and the path can be redirected via an environment variable, so sensitive personal data may be stored longer or in less protected locations than intended.

Vague Triggers

Medium
Confidence: 92%
Finding
The keyword list includes vague everyday phrases such as '困了', '下午茶', and '提神' that are not uniquely tied to this brand or skill action. In an agent ecosystem, these broad triggers can cause unintended invocation of a networked skill that may access local state or prompt for personal data, increasing the chance of privacy-invasive or confusing behavior without sufficiently specific user intent.

Missing User Warnings

Medium
Confidence: 95%
Finding
The top-level description presents the skill as a convenience feature but does not clearly warn users that it may transmit and locally store a phone number, order history, and activity status. Because the manifest elsewhere explicitly defines personal-data handling and local caching, this omission can mislead users into invoking the skill without informed consent, especially on shared machines.

Ssd 3

Medium
Confidence: 91%
Finding
The context rendering and surrounding logic combine phone number handling, activity status, and recommendation-related user context in one response-building path. This encourages broader use of personal data than is strictly necessary and can expose or normalize reuse of identifiers and behavioral data for marketing-style personalization without clear consent boundaries.

Ssd 3

Medium
Confidence: 95%
Finding
This logic instructs the assistant to summarize completed orders, purchased items, and visited stores from order history in conversational replies. Even if useful, this is personal behavioral data, and surfacing it conversationally can reveal sensitive habits or location-associated information to unintended viewers or logs, especially when not tightly scoped to the user's explicit request.

Ssd 3

Medium
Confidence: 93%
Finding
The activity flow repeatedly instructs the assistant to solicit the user's bound phone number as part of the conversation. Repeated collection prompts increase the chance of oversharing, capture in logs/transcripts, and use of a high-value identifier without clear disclosure, verification, or safer alternatives.

VirusTotal

64/64 vendors flagged this skill as clean.