Sushiro Skill

Security checks across malware telemetry and agentic risk

Overview

This skill appears to be a Sushiro queue helper, but it includes a shared bearer token and a generic raw API passthrough that could be used beyond normal queue lookup.

Install only after reviewing the token and raw API behavior. A safer version should remove the shared bearer token, rotate the exposed credential, delete or strictly allowlist the raw command, and narrow auto-invocation so network calls happen only for explicit Sushiro queue lookup requests.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • Trigger Abuse: Overly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • MCP Tool Poisoning: Hidden Instructions, Unicode Deception, Parameter Description Injection
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
Findings (7)

Context-Inappropriate Capability

Severity: Medium
Confidence: 95%
Finding:
The documentation embeds and operationalizes a shared Bearer token for direct backend access, effectively disclosing a reusable credential to anyone who can read the skill. Even if the intended use is only public queue lookup, publishing a credential and required anti-bot headers lowers the barrier for unauthorized automated access, scraping, and abuse against the upstream service.

Description-Behavior Mismatch

Severity: Medium
Confidence: 92%
Finding:
The `raw` subcommand exposes an unrestricted pass-through to the upstream mini-program backend while automatically attaching the embedded bearer token. That expands the skill from a narrowly scoped queue-status helper into a generic authenticated API client, enabling backend exploration and access to undocumented endpoints beyond the declared functionality.

Context-Inappropriate Capability

Severity: Medium
Confidence: 95%
Finding:
`cmd_raw` accepts arbitrary API paths and forwards them directly to `_get`, which includes the bearer token and other expected headers. This creates an unjustified backend exploration primitive that can be abused to enumerate or query unintended authenticated endpoints using the skill's built-in credentials.

Vague Triggers

Severity: Medium
Confidence: 88%
Finding:
The README explicitly states the skill will auto-call when users ask broad terms like '寿司郎/排队/等位' (Sushiro / queuing / waiting for a table), which are common conversational phrases and can overlap with ordinary discussion rather than clear tool-use intent. This increases the chance of unintended invocation and outbound requests to the vendor backend, creating privacy and safety issues if user text is sent or interpreted as parameters without sufficiently narrow activation criteria.

Missing User Warnings

Severity: Medium
Confidence: 93%
Finding:
The documented `sushiro raw <path>` capability allows arbitrary requests under `/wechat/api/2.0/<path>`, which expands the skill from a bounded queue-checking tool into a generic API caller. Without strong warnings, allowlisting, or validation, this can enable unexpected outbound access to undocumented endpoints, misuse of the embedded shared bearer token, and exfiltration or abuse beyond the stated skill purpose.

Missing User Warnings

Severity: High
Confidence: 98%
Finding:
The reference not only reveals a shared credential but gives precise instructions for how to use it successfully, including mandatory Referer and TLS/client-behavior notes. That turns the document into a practical abuse guide for accessing the mini-program backend outside its intended client, which can enable credential reuse, mass scraping, and policy circumvention.

Missing User Warnings

Severity: Medium
Confidence: 88%
Finding:
The script ships with a hardcoded default bearer token and silently sends it on every request, with no clear user disclosure that the skill is using shared credentials to access the backend. Embedded shared tokens are sensitive: users may unknowingly rely on unauthorized access, and the token can be extracted, reused, revoked, or abused outside the intended client.

VirusTotal

65/65 vendors flagged this skill as clean.
