Taobao Operations

Security checks across malware telemetry and agentic risk

Overview

This Taobao operations skill is mostly a local report generator today, but it is documented and configured for customer auto-replies and automatic after-sales handling despite strong read-only and manual-approval claims.

Treat this as review-worthy before connecting a real Taobao account. It is likely acceptable only as a local mock/report generator, but do not provide write-capable credentials or enable live customer replies, refunds, or after-sales automation until the publisher removes the read-only contradiction, enforces explicit approvals, documents API scopes, and adds clear start/stop and audit controls.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Supply Chain: Unpinned Dependencies, External Script Fetching, Obfuscated Code
  • MCP Tool Poisoning: Hidden Instructions, Unicode Deception, Parameter Description Injection
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Privilege Escalation: Excessive Permissions, Sudo/Root Execution, Credential Access
Findings (15)

Tp4

High
Category
MCP Tool Poisoning
Confidence
93% confidence
Finding
The skill repeatedly claims to be read-only and to require human confirmation, yet its documented commands include `cs-auto-reply --启动` (start the customer-service auto-reply) and `after-sales --订单 ID 12345 --自动处理` (automatically process the after-sales case for order ID 12345), which imply autonomous interaction with customers and automatic post-sale actions. In an e-commerce operations context, this mismatch is dangerous because operators may trust the safety claims and enable automation that sends unauthorized messages, mishandles refunds/after-sales, or violates platform rules and customer-consent expectations.

Description-Behavior Mismatch

Medium
Confidence
89% confidence
Finding
The README makes a strong safety claim that the skill is 'read-only' and does not automatically modify information, yet it also documents an 'inventory-sync' operation and writable report generation. This mismatch can mislead users or reviewers into granting the skill more trust or permissions than warranted, increasing the risk of unintended state changes or unsafe execution.

Intent-Code Divergence

Medium
Confidence
91% confidence
Finding
The stated guarantee '不自动修改任何信息' ("does not automatically modify any information") directly conflicts with advertising '库存同步' ("inventory sync"), which commonly implies pushing inventory changes to another system. Contradictory safety guarantees are dangerous because operators may rely on the safer statement and invoke the skill in environments where write or sync actions should be prohibited.

Description-Behavior Mismatch

High
Confidence
96% confidence
Finding
The skill metadata promises 'read-only', 'non-modifying', and 'manual confirmation', but the configuration explicitly enables automatic customer-service behavior and defines categories for automatic after-sales handling. That mismatch is security-relevant because downstream systems or reviewers may grant the skill broader trust than warranted, leading to unauthorized transactional actions such as refunds or customer communications without the expected human checkpoint.

Intent-Code Divergence

Medium
Confidence
90% confidence
Finding
The file mixes statements about mandatory manual handling with separate configuration that allows automatic handling of selected after-sales cases, creating ambiguous operational boundaries. In a customer-service and compliance skill, such ambiguity can cause unsafe automation, policy violations, or mistaken refunds because operators may believe humans are always in the loop when some flows are actually automated.

Intent-Code Divergence

High
Confidence
88% confidence
Finding
The CLI exposes `cs-auto-reply` and `after-sales --auto` modes even though the surrounding documentation claims the tool only generates suggestions and does not automatically act. In an agent environment, this mismatch can cause operators or orchestrators to invoke autonomous business actions under false assumptions, weakening human-approval controls around customer communication and refunds.

Description-Behavior Mismatch

High
Confidence
91% confidence
Finding
The code includes entry points for automatic customer-service replies and automatic after-sales handling despite the skill metadata stating that such actions require human confirmation. Even though the current implementation is mostly stubbed output, exposing autonomous workflows in a supposedly human-in-the-loop skill creates a dangerous trust gap and could lead to unintended customer-facing or financial actions if later wired to real APIs.

Description-Behavior Mismatch

Medium
Confidence
93% confidence
Finding
The document makes a strong safety claim that the skill is read-only and does not automatically modify anything, yet elsewhere states that three classes of after-sales cases are handled automatically. That contradiction can mislead operators and reviewers about the actual authority and behavior of the skill, increasing the risk of unintended business actions or over-trusting automation.

Intent-Code Divergence

Medium
Confidence
95% confidence
Finding
The stated safety guarantees are internally inconsistent: the file promises 'read-only' and 'no automatic modification' while also describing automatic after-sales processing for some cases. In a commerce/customer-service context, this mismatch is dangerous because users may grant trust or deploy the skill under false assumptions, leading to unauthorized order, refund, or support actions.

Natural-Language Policy Violations

Medium
Confidence
89% confidence
Finding
The claim of being "100% compliant" with "zero violation risk" is an unjustified absolute assurance, and the surrounding security language should increase suspicion rather than reduce it. Such guarantees can cause users to lower scrutiny and approve risky automation in a regulated marketplace setting, amplifying harm from any undocumented behavior or policy drift.

Unpinned Dependencies

Low
Category
Supply Chain
Content
# Version: 1.0.0

# HTTP requests
requests>=2.31.0

# Data processing
pandas>=2.0.0
Confidence
93% confidence
Finding
requests>=2.31.0

Unpinned Dependencies

Low
Category
Supply Chain
Content
requests>=2.31.0

# Data processing
pandas>=2.0.0
openpyxl>=3.1.0

# Environment variable loading
Confidence
90% confidence
Finding
pandas>=2.0.0

Unpinned Dependencies

Low
Category
Supply Chain
Content
# Data processing
pandas>=2.0.0
openpyxl>=3.1.0

# Environment variable loading
python-dotenv>=1.0.0
Confidence
91% confidence
Finding
openpyxl>=3.1.0

Unpinned Dependencies

Low
Category
Supply Chain
Content
openpyxl>=3.1.0

# Environment variable loading
python-dotenv>=1.0.0

# Logging
colorlog>=6.7.0
Confidence
88% confidence
Finding
python-dotenv>=1.0.0

Unpinned Dependencies

Low
Category
Supply Chain
Content
python-dotenv>=1.0.0

# Logging
colorlog>=6.7.0
Confidence
87% confidence
Finding
colorlog>=6.7.0

VirusTotal

66/66 vendors flagged this skill as clean.