惠省优惠助手

Security checks across malware telemetry and agentic risk

Overview

The skill performs the coupon task, but it also installs and runs under-disclosed authentication, device-fingerprinting, global HTTP-patching, scheduled automation, and self-updating background components.

Install only if you trust this publisher and are comfortable logging into Meituan through it. Before using it, review that it can store local tokens and device identifiers, run scheduled coupon claims, inspect diagnostic logs, patch outgoing HTTP requests for signing, and start a CLIGuard background updater. Prefer not installing until the publisher narrows or clearly documents the daemon, updater, fingerprinting, and token-handling behavior.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • Trigger Abuse: Overly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • Behavioral AST: exec() Call, eval() Call, Dynamic Import
  • MCP Least Privilege: Underdeclared Capability, Wildcard Permission, Missing Permission Declaration
  • MCP Tool Poisoning: Hidden Instructions, Unicode Deception, Parameter Description Injection
Findings (91)

subprocess module call

Medium
Category
Dangerous Code Execution
Content
# Clear the token cached locally by the pt-passport CLI
    cli_cleared = False
    try:
        result = subprocess.run(
            ["pt-passport", "logout", "--client_id", CLIENT_ID],
            capture_output=True, text=True, timeout=10
        )
Confidence
70% confidence
Finding
result = subprocess.run( ["pt-passport", "logout", "--client_id", CLIENT_ID], capture_output=True, text=True, timeout=10 )

subprocess module call

Medium
Category
Dangerous Code Execution
Content
# Also clear the pt-passport CLI cache
    try:
        subprocess.run(
            ["pt-passport", "logout", "--client_id", CLIENT_ID],
            capture_output=True, text=True, timeout=10
        )
Confidence
70% confidence
Finding
subprocess.run( ["pt-passport", "logout", "--client_id", CLIENT_ID], capture_output=True, text=True, timeout=10 )

subprocess module call

Medium
Category
Dangerous Code Execution
Content
if is_windows:
        DETACHED_PROCESS = 0x00000008
        CREATE_NEW_PROCESS_GROUP = 0x00000200
        subprocess.Popen(
            ['node', _CLIGUARD_WRAPPER_PATH, '--start'],
            stdout=subprocess.DEVNULL,
            stderr=subprocess.DEVNULL,
Confidence
70% confidence
Finding
subprocess.Popen( ['node', _CLIGUARD_WRAPPER_PATH, '--start'], stdout=subprocess.DEVNULL, stderr=subprocess.DEVNULL, stdin=subprocess.DEVNULL,

subprocess module call

Medium
Category
Dangerous Code Execution
Content
env=env,
        )
    else:
        subprocess.Popen(
            ['node', _CLIGUARD_WRAPPER_PATH, '--start'],
            stdout=subprocess.DEVNULL,
            stderr=subprocess.DEVNULL,
Confidence
70% confidence
Finding
subprocess.Popen( ['node', _CLIGUARD_WRAPPER_PATH, '--start'], stdout=subprocess.DEVNULL, stderr=subprocess.DEVNULL, stdin=subprocess.DEVNULL,

subprocess module call

Medium
Category
Dangerous Code Execution
Content
"const r=addCommonParams(" + json.dumps(url_str) + ");"
            "console.log(r.url)"
        )
        result = subprocess.check_output(['node', '-e', js_code], timeout=5, stderr=subprocess.PIPE)
        injected = result.decode('utf-8').strip()
        return injected if injected else url_str
    except Exception as e:
Confidence
70% confidence
Finding
result = subprocess.check_output(['node', '-e', js_code], timeout=5, stderr=subprocess.PIPE)

subprocess module call

Medium
Category
Dangerous Code Execution
Content
f"const {{signRequest}}=require({json.dumps(_CLIGUARD_PATH)});"
            f"console.log(JSON.stringify(signRequest({json.dumps(method.upper())},{json.dumps(url_str)},{json.dumps(body_hash)})))"
        )
        result = subprocess.check_output(
            ['node', '-e', js_code],
            timeout=5,
            stderr=subprocess.PIPE,
Confidence
70% confidence
Finding
result = subprocess.check_output( ['node', '-e', js_code], timeout=5, stderr=subprocess.PIPE, )

subprocess module call

Medium
Category
Dangerous Code Execution
Content
f"const {{signRequest}}=require({json.dumps(_CLIGUARD_PATH)});"
            f"console.log(JSON.stringify(signRequest({json.dumps(method.upper())},{json.dumps(url_str)},{json.dumps(body_hash)})))"
        )
        result = subprocess.check_output(
            ['node', '-e', js_code],
            timeout=5,
            stderr=subprocess.PIPE,
Confidence
70% confidence
Finding
result = subprocess.check_output( ['node', '-e', js_code], timeout=5, stderr=subprocess.PIPE, )

Lp3

Medium
Category
MCP Least Privilege
Confidence
70% confidence
Finding
Without declared permissions the skill's intent is opaque and cannot be validated.

Tp4

High
Category
MCP Tool Poisoning
Confidence
94% confidence
Finding
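This is a mismatch. The description only says "help users claim Meituan coupons and query the day's promotions", whereas the code, in addition to claiming coupons, also contains a complete authentication and authorization system, token/device identifier management, QR code generation, log encryption/decryption and diagnostics, environment initialization, and dependency installation; all of these are additional capabilities not reflected in the description. In particular, no standalone implementation of "query the day's promotions" is visible in the code; instead, activity_name/activity_link are attached to the coupon-claim API response, while one of its core explicit capabilities is account authorization and session management. Although some of these capabilities can serve as support for claiming coupons, by audit standards the code performs important capabilities not mentioned in the description, so it should be judged a mismatch.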

Description-Behavior Mismatch

Medium
Confidence
95% confidence
Finding
The manifest limits the skill to helping users claim coupons and query the day's promotions, triggered by explicit coupon/savings/promotions intent. Step 4 expands behavior into registering cron jobs, storing reminder state, automatically re-running the coupon flow on a schedule, and sending proactive reminder-style outputs, which is materially broader than one-shot coupon retrieval or promotion query.

Context-Inappropriate Capability

Low
Confidence
90% confidence
Finding
The manifest describes a consumer-facing Meituan coupon claiming and daily promotion lookup assistant. A separately triggerable diagnostic mode that reads and executes a doctor document is an operational support capability, not an obvious or declared part of that user-facing purpose.

Context-Inappropriate Capability

Medium
Confidence
93% confidence
Finding
The manifest describes a skill for helping users claim Meituan coupons and query promotions. In this diagnostic module, the agent is directed to extract `user_token` from `~/.xiaomei-workspace/auth_tokens.json` and pass it to `issue.py` for a real API call, which is a credential-inspection and live-operation capability not justified by the manifest's narrow coupon-assistance description.

Context-Inappropriate Capability

Medium
Confidence
89% confidence
Finding
The skill is described as helping users claim coupons and query promotions, but this document adds capabilities to inspect authentication logs and coupon issuance logs under `/tmp/huisheng`. Reviewing internal auth/issue logs is a debugging and operational-audit function rather than an obvious requirement of the declared end-user coupon service.

Context-Inappropriate Capability

Medium
Confidence
84% confidence
Finding
The manifest describes helping users claim Meituan coupons and check current discounts. In addition to that purpose, the code reads `XIAOMEI_AUTH_FILE` or `~/.xiaomei-workspace/auth_tokens.json` to obtain a `device_token`, which is then used to encrypt log entries; accessing unrelated local auth state is not an obvious requirement for issuing or querying coupons.

Description-Behavior Mismatch

Low
Confidence
78% confidence
Finding
The manifest presents the skill as a user-facing coupon claim and promotion query tool. The code also creates and appends encrypted execution records under the system temp directory, which is a separate persistence behavior not described in the manifest and not necessary to understand from the stated user intent.

Description-Behavior Mismatch

High
Confidence
92% confidence
Finding
The skill manifest describes helping users claim coupons and query promotions, which would reasonably involve Meituan API requests, but this vendored module also resolves code from a user home update directory, compares versions, and starts a persistent Node.js daemon. Those software-maintenance and background process behaviors are not implied by the stated end-user coupon/query function.

Context-Inappropriate Capability

High
Confidence
95% confidence
Finding
On import, the module patches requests, httpx, and urllib globally so that all outgoing HTTP calls in the host process can have URLs rewritten and headers injected. A coupon helper skill may need to sign its own Meituan requests, but globally intercepting unrelated traffic is a broader capability not justified by the manifest's limited user-facing purpose.

Context-Inappropriate Capability

High
Confidence
90% confidence
Finding
The resolver prefers JavaScript under ~/.cliguard/cliguard-updates when it appears newer, and later executes it via Node.js. Remote-update code loading is a powerful capability that exceeds what is needed to help users claim coupons or view promotions, especially since the manifest does not mention dynamic code updates.

Context-Inappropriate Capability

High
Confidence
91% confidence
Finding
This file does substantially more than support a user-facing coupon or promotion lookup flow: it creates lock/PID files, starts and stops a detached daemon, kills prior processes, and respawns itself in the background. A coupon-claiming skill would not ordinarily need autonomous background process lifecycle management, making this capability unjustified by the manifest's stated purpose.

Context-Inappropriate Capability

High
Confidence
95% confidence
Finding
The wrapper fetches version metadata from a remote URL, downloads files over HTTP(S), verifies signatures, writes them into an update directory, and switches execution to the updated package. Remote code update infrastructure is a platform-management capability, not an obvious requirement for helping users claim Meituan coupons or query daily promotions.

Description-Behavior Mismatch

Medium
Confidence
89% confidence
Finding
The manifest describes a consumer-facing Meituan coupon and promotion skill, but this file is dominated by obfuscated infrastructure code for module resolution, daemon control, version checks, remote update fetching, signature verification, and process restart. That behavior does not align with the claimed end-user business function in the manifest.

Context-Inappropriate Capability

High
Confidence
93% confidence
Finding
The file implements a fingerprinting system that gathers OS details, timezone, locale, host/user environment data, directory counts, boot/install times, and persistent identifiers via functions such as getFingerprint/getId/signRequest. For a skill whose stated purpose is helping users claim Meituan coupons and query promotions, this level of device profiling is not an obvious or justified capability.

Context-Inappropriate Capability

High
Confidence
91% confidence
Finding
The module imports child_process and uses execSync to run OS-specific commands for system inspection, including reading Linux release data and querying system timestamps and platform metadata. Spawning shell commands to interrogate the host goes beyond what is reasonably necessary for helping a user find or claim Meituan coupons.

Context-Inappropriate Capability

Medium
Confidence
88% confidence
Finding
The file constructs paths under the user's home directory, reads/writes JSON state, and uses a lockfile workflow to persist and reuse a local ID. Persistently tracking a local device identifier is not justified by a manifest focused on coupon retrieval and promotional queries.

Vague Triggers

Medium
Confidence
90% confidence
Finding
The manifest description says the skill triggers not only on explicit coupon-saving intent but also whenever the user is involved in Meituan-covered consumer decision-making. That scope is very broad and overlaps with ordinary discussion about eating out, travel, or entertainment, which could cause unintended invocation.

VirusTotal

65/65 vendors flagged this skill as clean.
