Roty Tiffin Skill

Security checks across malware telemetry and agentic risk

Overview

This ordering skill has a legitimate purpose, but it needs review because it can create live orders by default and includes under-disclosed browser automation with exposed credentials.

Review before installing. Use only after removing or isolating the Playwright automation scripts, rotating the exposed account password, making dry-run versus live behavior consistent, adding explicit confirmation before live orders, enforcing authorization on OpenClaw/product/allowlist paths, and redacting personal data from logs.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • Trigger Abuse: Overly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • Behavioral AST: exec() Call, eval() Call, Dynamic Import
  • MCP Tool Poisoning: Hidden Instructions, Unicode Deception, Parameter Description Injection
Findings (15)

Intent-Code Divergence

Medium
Confidence: 93%
Finding
The file claims the skill defaults to dry-run mode, but immediately provides ready-to-use live POST examples and an explicit trigger phrase to send data to a production endpoint. This mismatch can cause operators or downstream agents to transmit real customer order data under a false assumption of safety, especially because the examples include personally identifiable information and a live URL.

Intent-Code Divergence

Medium
Confidence: 99%
Finding
The function explicitly allows `openclaw_context=True` to bypass the normal `is_admin(sender_id)` authorization check before modifying the product database. If an untrusted caller can influence that flag or reach this code path through the runtime, they can create or overwrite product records without admin approval, which is a direct authorization bypass on a persistent data store.

Intent-Code Divergence

High
Confidence: 94%
Finding
The docstring materially understates what the script does: it does not merely prepare an order and stop early, it automates checkout steps, fills identity/contact fields, and uses embedded credentials. That mismatch can mislead reviewers or operators into executing a more sensitive workflow than expected, increasing the chance of unintended account use or order submission.

Context-Inappropriate Capability

High
Confidence: 98%
Finding
The script detects a live login form and submits hardcoded credentials to a production food-ordering site. Even if described as a dry-run, this is real account access automation against a third-party service with no clear authorization boundary or user consent, creating risk of unauthorized account use and downstream transaction abuse.

Context-Inappropriate Capability

High
Confidence: 99%
Finding
The code drives a real browser through a full production ordering workflow: product selection, address entry, date selection, cart, checkout, personal details, and payment method selection. Stopping just before final confirmation does not eliminate risk, because it still performs unauthorized actions on a live service and could be trivially modified or accidentally advanced to place orders.

Intent-Code Divergence

Medium
Confidence: 81%
Finding
The docstring frames the script as a safe simulation that only logs clicks and stops before confirmation, but the implemented flow also logs actions to enter login credentials and customer PII during checkout. In an agent-skill context, this mismatch can mislead reviewers or operators into granting broader trust than warranted, increasing the chance that sensitive data is handled unexpectedly or that the script is adapted into a real automation path without adequate controls.

Vague Triggers

Medium
Confidence: 88%
Finding
The fallback instruction allows execution via "the LLM or any existing hook" without defining a narrow, authenticated trigger or explicit approval boundary. In an agent environment, vague activation paths can cause unintended invocation of the handler, expanding the attack surface and enabling message processing outside the intended registration flow.

Missing User Warnings

Medium
Confidence: 82%
Finding
The README instructs operators to run docker exec and restart commands that modify container state and service availability, but it does not warn about operational impact, required privileges, rollback steps, or validation safeguards. This increases the risk of accidental disruption, unsafe installation, or execution of unreviewed changes in a production-like environment.

Missing User Warnings

Medium
Confidence: 95%
Finding
The rules allow transmission of customer-identifying order data such as names, addresses, and phone numbers to a live external endpoint without any privacy notice, consent check, or data-minimization guard. In a skill that automates order creation, this materially increases the risk of unauthorized disclosure or mishandling of personal data.

Vague Triggers

Medium
Confidence: 94%
Finding
The alias "nv" is only two characters long and can match a wide range of unrelated user inputs, making it an overly broad trigger. In an agent or skill-routing context, short aliases increase the chance of accidental invocation, incorrect product selection, or prompt/intent confusion, especially when users use abbreviations casually.

Missing User Warnings

Medium
Confidence: 90%
Finding
The code submits an order to an external system immediately after parsing a message, with no explicit confirmation step shown to the user before transmitting address, delivery dates, and product details. In a chat-driven workflow, parser mistakes, spoofed inputs, or accidental trigger phrases can cause unintended real-world orders and disclosure of personal/order data to the downstream service.

Missing User Warnings

High
Confidence: 99%
Finding
The script contains hardcoded login credentials and automatically submits them to a live website without any runtime warning or consent check. Embedded credentials are a serious secret-management flaw: anyone with code access can recover and reuse them, and automated login broadens the risk of unauthorized account access and downstream purchases or data exposure.

Missing User Warnings

Medium
Confidence: 95%
Finding
The script autofills personal contact information, including phone number and address, during checkout without prior disclosure or confirmation. In this skill context, that is more dangerous because it interacts with a real ordering flow, so silent use of personal data can cause privacy violations, mistaken orders, or leakage of real-world identity information to third parties.

Missing User Warnings

High
Confidence: 99%
Finding
Embedding plaintext credentials directly in source code is a serious secret-management failure, and this script uses them to log into a live service. Anyone with code access can reuse the credentials, and logs or repository history may preserve them indefinitely, enabling account compromise and fraudulent activity.

Missing User Warnings

Medium
Confidence: 90%
Finding
The script autofills personal information such as address and later name and phone into a live checkout flow on a third-party site. In the absence of documented consent, purpose limitation, or a test environment, this creates privacy and data-handling risk and can leak or misuse personal data through automation.

VirusTotal

64/64 vendors flagged this skill as clean.