ClawHub

QQ邮箱发票下载器

Security checks across malware telemetry and agentic risk

Overview

The skill matches an invoice-downloading purpose, but it includes hardcoded mailbox credentials and under-disclosed ways to send sensitive invoice data to outside services.

Review before installing. Do not run this as-is with real accounts until the publisher removes and rotates the embedded QQ and Telegram secrets, disables or gates SSL verification bypass, clearly documents MiniMax/Telegram data sharing, and requires user-supplied credentials through secure configuration only.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
  • Excessive AgencyUnrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • Trigger AbuseOverly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • MCP Tool PoisoningHidden Instructions, Unicode Deception, Parameter Description Injection
  • Prompt InjectionInstruction Override, Hidden Instructions, Exfiltration Commands
Findings (38)

Context-Inappropriate Capability

High
Confidence
99% confidence
Finding
The document exposes a real-looking QQ邮箱账号 and an authorization code directly in plaintext configuration examples. Even in documentation, embedded mailbox credentials can be reused by anyone with access to the file, enabling unauthorized email access, invoice retrieval, and further compromise of linked services or sensitive financial data.

Context-Inappropriate Capability

High
Confidence
99% confidence
Finding
The script contains hardcoded IMAP credentials and uses them to access a real mailbox, which is a direct secret exposure and unauthorized access risk if the code is shared, logged, or reused. In this skill context, mailbox access is especially sensitive because it enables reading potentially confidential invoices and downloading linked documents without interactive consent.

Intent-Code Divergence

Medium
Confidence
82% confidence
Finding
The module description says it processes pending invoices in a browser, but the code also logs into email, enumerates messages, extracts links, downloads files, and modifies an Excel report. This mismatch is dangerous because it hides the true operational scope from reviewers and users, reducing informed consent and increasing the chance that sensitive mailbox and filesystem actions occur unexpectedly.

Intent-Code Divergence

Medium
Confidence
84% confidence
Finding
The script description says it is a direct attachment-link downloader, but the implementation also logs into an email account, searches mailbox contents, downloads files, extracts archives, and edits an Excel report. This mismatch reduces transparency and can mislead reviewers or users about the actual data access and side effects, which is risky in an agent skill context.

Context-Inappropriate Capability

High
Confidence
99% confidence
Finding
The file contains hardcoded IMAP server details and live-looking email credentials that are unrelated to the actual invoice download flow shown in the function. Even though they are not used in this snippet, embedded credentials expose sensitive account access to anyone who can read the code and can enable mailbox compromise, data theft, or reuse against other systems if the password is shared.

Intent-Code Divergence

Medium
Confidence
98% confidence
Finding
The module references `requests.exceptions.*` in the class-level `EXCEPTION_MAPPINGS` dictionary, but `requests` is never imported. Because that dictionary is evaluated at import time, importing this file will raise `NameError` and break the entire error-handling module, creating a denial-of-service condition for any code that depends on it.

Context-Inappropriate Capability

Medium
Confidence
90% confidence
Finding
The tool transmits user-supplied HTML content and page descriptions to a third-party LLM service in order to generate selectors. That creates a real data exposure risk because HTML may contain sensitive business data, tokens, identifiers, or internal application structure that leaves the local environment without minimization or consent controls.

Context-Inappropriate Capability

High
Confidence
96% confidence
Finding
The script contains hardcoded email credentials and uses them to log into an IMAP mailbox, then scans up to 500 messages for invoice-related content and download links. This is a true security issue because it enables credentialed inbox access beyond simple browser automation, exposes secrets in source code, and creates a pathway for unauthorized email harvesting if the file is reused, leaked, or modified.

Intent-Code Divergence

Medium
Confidence
91% confidence
Finding
The module docstring describes the skill as browser automation for processing invoices, but the implementation also performs authenticated email access and inbox scanning. This mismatch is dangerous because hidden credential use and mailbox harvesting reduce transparency, making it easier for operators to run the tool without understanding the actual data access and privacy implications.

Context-Inappropriate Capability

High
Confidence
98% confidence
Finding
This code uploads a local report file from Z:\OpenClaw\InvoiceOC to Telegram via sendDocument, which is an external third-party service. In an unknown-purpose skill, automatic export of local business files is a clear data exfiltration capability and could leak sensitive invoice or financial information outside the trusted environment.

Context-Inappropriate Capability

Medium
Confidence
91% confidence
Finding
The script contacts the Telegram Bot API to enumerate recent updates and extract chat metadata, creating an outbound network dependency unrelated to local report generation. In this context, discovering a recipient automatically makes later exfiltration easier and expands exposure of operational metadata to an external platform.

Missing User Warnings

High
Confidence
97% confidence
Finding
The documentation presents sensitive configuration, including mailbox account details and an authorization code, without any warning, masking, or safe-handling guidance. This materially increases the chance that operators copy insecure patterns into production or that exposed secrets are treated as normal configuration, leading to credential leakage and unauthorized access.

Missing User Warnings

Medium
Confidence
93% confidence
Finding
The document describes a tool that automatically logs into QQ Mail, searches invoice emails, and downloads PDF attachments, but it provides no warning that the workflow involves access to privacy-sensitive email content and writing downloaded files to disk. In an agent skill context, omission of these warnings can mislead users or operators about the sensitivity of the permissions and data handling involved, increasing the risk of unauthorized access, overcollection, or unsafe deployment.

Missing User Warnings

Medium
Confidence
95% confidence
Finding
The README promotes automatic login to a personal QQ mailbox, searching invoice emails, downloading attachments, and browser automation across third-party billing sites, but it does not clearly warn users about the breadth of mailbox access, financial-document handling, or privacy consequences. In the context of an agent skill, this can lead users to grant sensitive email and invoice access without informed consent, increasing the risk of over-collection, credential misuse, and unintended exposure of personal or corporate financial data.

Missing User Warnings

Medium
Confidence
92% confidence
Finding
The skill description states that it will automatically log into QQ Mail, download invoice attachments, extract ZIP archives, and delete compressed files, but it does not present these as explicit user-facing risks or require informed consent. This is dangerous because users may expose mailbox contents, trigger destructive file operations, or process sensitive financial documents without understanding the privacy and data-loss implications.

Missing User Warnings

High
Confidence
97% confidence
Finding
The LLM fallback feature may send invoice-related content or metadata to the MiniMax service, but the skill documentation does not warn users that sensitive financial or personal information could leave the local environment. In the context of invoice emails, this creates a significant privacy and compliance risk because invoice contents can include names, addresses, tax identifiers, amounts, and other regulated business data.

Missing User Warnings

High
Confidence
99% confidence
Finding
Documenting automatic SSL verification downgrade without a strong warning normalizes insecure network behavior and implies the tool may retry connections with certificate validation disabled. If implemented, this exposes login sessions, mailbox contents, and downloaded invoices to man-in-the-middle interception or tampering, which is especially dangerous for email and financial document workflows.

Missing User Warnings

High
Confidence
99% confidence
Finding
Sensitive email credentials are embedded and used without any user-facing warning, which means the skill can silently authenticate to a mailbox and process potentially private business communications. In this context, the lack of disclosure makes the credential use more dangerous because the skill appears narrower than its actual access level.

Missing User Warnings

Medium
Confidence
90% confidence
Finding
The script downloads PDFs through browser automation and writes them to disk without an explicit prior warning or confirmation, which can unexpectedly modify the local filesystem. Because download links are sourced from email content, this also increases risk of saving untrusted or unwanted files if messages are spoofed or compromised.

Missing User Warnings

Medium
Confidence
92% confidence
Finding
The code opens and overwrites an existing Excel report without explicit warning, which can silently alter business records and make recovery difficult if the file is shared or authoritative. In an automation skill handling invoices, undocumented report mutation is materially risky because it affects downstream accounting or audit workflows.

Missing User Warnings

High
Confidence
99% confidence
Finding
The script contains hard-coded live email credentials and uses them to access an IMAP account. Embedding secrets in source code is dangerous because anyone who can read the file can reuse the credentials to access the mailbox, potentially exposing sensitive email content and enabling further account compromise.

Missing User Warnings

High
Confidence
94% confidence
Finding
The code fetches and scans mailbox contents to extract invoice links without clear disclosure or consent at runtime. In an agent/skill context, hidden reading of email content is privacy-sensitive and could expose unrelated messages, metadata, and embedded links if the script is reused or modified.

Missing User Warnings

High
Confidence
99% confidence
Finding
Hardcoded IMAP credentials expose a real mailbox username and password directly in source code, enabling unauthorized email access if the file is shared, logged, or committed to version control. In this skill, those credentials are immediately used to log into a live mail account and process potentially sensitive invoice emails, increasing confidentiality and account-compromise risk.

Missing User Warnings

Medium
Confidence
88% confidence
Finding
The script writes downloaded ZIP/PDF content to disk, extracts archives, and later modifies an Excel report without any confirmation, preview, or safety gate. In an agent setting, silent filesystem changes based on email-derived links can cause unintended data modification, storage of untrusted files, and operational surprises for the user.

Missing User Warnings

High
Confidence
99% confidence
Finding
Hardcoded email credentials are present in plain text with no warning, consent flow, or documentation, which makes unauthorized account access trivial for anyone with repository or file access. In this skill context, the credentials are especially suspicious because the observable behavior is browser-based invoice downloading, not mailbox access, so the secret appears unnecessary and increases the chance of covert misuse.

VirusTotal

47/47 vendors flagged this skill as clean.

View on VirusTotal