Back to skill

Security audit

Sf Express

Security checks across malware telemetry and agentic risk

Overview

This SF Express helper is coherent and transparent about local history and optional tracking lookups, with privacy and dependency upkeep considerations.

Install only if you are comfortable with local storage of tracking history and subscriptions under ~/.openclaw/data/sf-express. Use a trusted HTTPS tracking endpoint, avoid entering sensitive shipment numbers on shared systems unless needed, and prefer an updated dependency set if available.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Supply ChainUnpinned Dependencies, External Script Fetching, Obfuscated Code
  • Rogue AgentSelf-Modification, Session Persistence
  • Trigger AbuseOverly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • MCP Least PrivilegeUnderdeclared Capability, Wildcard Permission, Missing Permission Declaration
  • Prompt InjectionInstruction Override, Hidden Instructions, Exfiltration Commands
Findings (6)

Lp3

Medium
Category
MCP Least Privilege
Confidence
90% confidence
Finding
The skill advertises runtime behaviors that use environment variables, local file read/write, network access, and shell execution, but it does not declare corresponding permissions. This creates a trust and review gap: users and the platform cannot accurately assess what the skill may access or persist, which can enable unexpected data handling or outbound requests.

Vague Triggers

Medium
Confidence
73% confidence
Finding
The trigger description includes broad, common phrases and many generic logistics intents, which can cause the skill to activate when the user did not specifically intend to use it. Unintended invocation matters more here because the skill may use local persistence and external endpoints, so accidental routing can expose shipment-related data to the wrong tool context.

Missing User Warnings

Medium
Confidence
76% confidence
Finding
When `SF_EXPRESS_TRACKING_ENDPOINT` is configured, the skill automatically sends the user's tracking number to a remote endpoint without any user-facing notice or consent at the query call site. Tracking numbers can reveal shipment activity and may be sensitive business or personal metadata, so silent network transmission to an arbitrary configured endpoint creates a privacy and data-governance risk.

Session Persistence

Medium
Category
Rogue Agent
Content
## Local Persistence

When the local CLI/runtime code is used, this skill may create and persist local data under:

- `~/.openclaw/data/sf-express/sfexpress.db`
  - stores query history
Confidence
88% confidence
Finding
create and persist local data under: - `~/.openclaw/data/sf-express/sfexpress.db` - stores query history - stores shipment-subscription records - may store saved address records if those comman

Known Vulnerable Dependency: cryptography==46.0.5 — 5 advisory(ies): GHSA-537c-gmf6-5ccf (Vulnerable OpenSSL included in cryptography wheels); CVE-2026-34073 (cryptography has incomplete DNS name constraint enforcement on peer names); CVE-2026-39892 (Cryptography vulnerable to buffer overflow if non-contiguous buffers were passed) +2 more

Critical
Category
Supply Chain
Confidence
95% confidence
Finding
cryptography==46.0.5

Known Vulnerable Dependency: pillow==12.1.0 — 7 advisory(ies): CVE-2026-42309 (Pillow has a heap buffer overflow with nested list coordinates); CVE-2026-25990 (Pillow affected by out-of-bounds write when loading PSD images); CVE-2026-42311 (Pillow has an OOB Write with Invalid PSD Tile Extents (Integer Overflow)) +4 more

High
Category
Supply Chain
Confidence
93% confidence
Finding
pillow==12.1.0

VirusTotal

62/62 vendors flagged this skill as clean.

View on VirusTotal

Static analysis

No suspicious patterns detected.