1688上货助手

Security checks across malware telemetry and agentic risk

Overview

The skill matches its product-upload purpose, but it stores an account token and includes an overbroad MCP client that can call arbitrary tools or send the token to an overridden server.

Install only if you are comfortable storing your 商机助理 sToken in the skill's config file and letting the bundled Python script contact the configured MCP service. Avoid using --server-url with any untrusted host, review product-upload confirmations carefully, and rotate the token if you think the config or command history may have been exposed.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • Trigger Abuse: Overly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • MCP Least Privilege: Underdeclared Capability, Wildcard Permission, Missing Permission Declaration
  • MCP Tool Poisoning: Hidden Instructions, Unicode Deception, Parameter Description Injection
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
Findings (6)

Lp3

Severity: Medium
Category: MCP Least Privilege
Confidence: 96%
Finding
The skill requires reading `skill-config.json`, writing authorization tokens back to disk, and making outbound MCP/network calls, yet it declares no permissions. This creates a hidden-capability problem: a caller or reviewer cannot accurately assess what data the skill can access or modify, which increases the risk of token misuse, unintended file changes, and remote invocation without informed consent.

Tp4

Severity: High
Category: MCP Tool Poisoning
Confidence: 98%
Finding
The documented purpose is a narrow one-click product upload flow, but the referenced behavior indicates the underlying tooling can enumerate available MCP tools, invoke arbitrary tool names, persist session IDs locally, and override the server address. That effectively turns the skill into a generic remote MCP client, which greatly expands attack surface and could enable unauthorized tool execution, data access, or exfiltration beyond the stated business workflow.

Description-Behavior Mismatch

Severity: Medium
Confidence: 88%
Finding
The script implements a general-purpose MCP client with arbitrary tool listing and tool invocation, which is broader than the skill's declared purpose of business-upload/account/authorization workflows. In a skill ecosystem, this capability expansion increases the chance of unauthorized actions against whatever tools the remote MCP server exposes, especially if orchestration logic assumes the skill is narrowly scoped.

Context-Inappropriate Capability

Severity: Medium
Confidence: 92%
Finding
The --server-url override allows redirecting authenticated MCP traffic to any endpoint, even outside the configured service. Because the client also sends the sToken header and request payloads to that endpoint, an attacker who can influence invocation parameters could exfiltrate credentials or induce the skill to interact with a malicious server.
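The two findings above (the generic tool-invocation surface and the unchecked --server-url override) share one fix: the client should only attach the sToken header after checking both the destination and the tool name against what the skill declares. The Python below is an added example, not the skill's bundled script; it assumes the configured service URL is read from skill-config.json, that the token is sent as an "sToken" header, and that the allowed tool names are the illustrative ones in ALLOWED_TOOLS. The weak resolver is included only to show the pattern the finding describes.

```python
"""Request gate for an MCP client that carries an account token.

Added example (not the skill's own code). Assumes the configured service URL
comes from skill-config.json, the token travels in an "sToken" header, and the
skill declares the tool names it needs up front; all names here are illustrative.
"""
from urllib.parse import urlparse

# The narrow set of tools the product-upload workflow actually needs (illustrative).
ALLOWED_TOOLS = frozenset({"upload_product", "query_account", "save_authorization"})


class MCPPolicyError(Exception):
    """Raised when a request would leave the declared scope."""


def weak_resolve_server_url(configured_url: str, override_url=None) -> str:
    """The pattern the finding describes: whatever --server-url says wins."""
    return override_url or configured_url


def resolve_server_url(configured_url: str, override_url=None) -> str:
    """Accept --server-url only for the configured host, over HTTPS, with no userinfo."""
    base = urlparse(configured_url)
    if base.scheme != "https" or not base.hostname:
        raise MCPPolicyError("configured server_url must be an absolute https URL")
    if override_url is None:
        return configured_url
    ov = urlparse(override_url)
    if ov.scheme != "https":
        raise MCPPolicyError("refusing --server-url: sToken would be sent in clear")
    if "@" in ov.netloc or "\\" in override_url:
        # user@host and backslash forms make URL parsers disagree about the real host.
        raise MCPPolicyError("refusing --server-url containing userinfo or backslashes")
    if ov.hostname != base.hostname or (ov.port or 443) != (base.port or 443):
        raise MCPPolicyError(f"refusing --server-url to foreign host {ov.hostname!r}")
    return override_url


def build_tool_call(server_url: str, tool: str, arguments: dict, stoken: str) -> dict:
    """Compose the outgoing call; the token is attached only after both checks pass."""
    if tool not in ALLOWED_TOOLS:
        raise MCPPolicyError(f"tool {tool!r} is not declared by this skill")
    if urlparse(server_url).scheme != "https":
        raise MCPPolicyError("sToken must not be sent over plaintext")
    return {
        "url": server_url.rstrip("/") + "/mcp",
        "headers": {"sToken": stoken, "Content-Type": "application/json"},
        "body": {"method": "tools/call", "params": {"name": tool, "arguments": arguments}},
    }
```

Host comparison is done on the parsed hostname and port rather than on a string prefix, so `https://mcp.example.com.evil.example/` and `https://mcp.example.com@evil.example/` are both rejected; a `tools/list` result is deliberately never used to widen ALLOWED_TOOLS at runtime.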

Vague Triggers

Severity: Medium
Confidence: 90%
Finding
The trigger conditions are broad and keyword-based, including mandatory invocation when certain terms appear, which can cause the skill to activate unexpectedly. In a skill that reads tokens, writes configuration, and performs remote actions, accidental activation can lead to unintended account queries, authorization handling, or upload operations on behalf of the user.

Vague Triggers

Severity: Medium
Confidence: 92%
Finding
The authorization-save flow is triggered by inconsistent and weakly scoped keywords such as `保存授权` (save authorization), `修改授权` (modify authorization), and later `修改账号` (modify account), which increases the chance of misinterpreting ordinary conversation as a request to overwrite stored credentials. Because this flow writes `sToken` into persistent config, a false trigger can corrupt credentials or allow social-engineering-style token replacement.
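The practitioner's counter to the two trigger findings above is to make the save flow match only an explicit command that carries the new token, and to write the token to disk safely when it does. The Python below is an added example, not the skill's bundled script. It assumes skill-config.json is a JSON object with an `sToken` key, that a real token is at least 20 non-space characters (an illustrative threshold), and it deliberately leaves `修改账号` out of the trigger pattern so that account-related chatter cannot overwrite credentials.

```python
"""Guarded authorization-save for a skill that persists sToken to skill-config.json.

Added example, not the skill's code. Assumptions: the config is a JSON object
with an "sToken" key, a save request must carry the new token inline, and the
accepted command phrases are the two authorization keywords plus an English form.
"""
import json
import os
import re
import tempfile
from pathlib import Path
from typing import Optional

# Whole-message match: the command must open the message and end with the token.
# A passing mention of 保存授权 inside a sentence, or a bare 修改账号, does not match.
SAVE_CMD = re.compile(
    r"^\s*(保存授权|修改授权|save authorization)\s*[:：]\s*(\S{20,})\s*$", re.IGNORECASE
)


def parse_save_request(message: str) -> Optional[str]:
    """Return the new token only when the message is an explicit save command."""
    m = SAVE_CMD.match(message)
    return m.group(2) if m else None


def save_token(config_path, token: str) -> bool:
    """Write sToken with 0600 permissions via atomic replace; True if an old token was replaced."""
    config_path = Path(config_path)
    cfg = json.loads(config_path.read_text(encoding="utf-8")) if config_path.exists() else {}
    replaced = bool(cfg.get("sToken")) and cfg.get("sToken") != token
    cfg["sToken"] = token
    # Temp file in the same directory so os.replace is atomic on the same filesystem.
    fd, tmp = tempfile.mkstemp(dir=config_path.parent, prefix=".skill-config.")
    try:
        with os.fdopen(fd, "w", encoding="utf-8") as fh:
            json.dump(cfg, fh, ensure_ascii=False)
        os.chmod(tmp, 0o600)  # mkstemp already creates 0600; stated explicitly
        os.replace(tmp, config_path)
    finally:
        if os.path.exists(tmp):  # only true if we failed before the rename
            os.unlink(tmp)
    return replaced


def handle_message(message: str, config_path) -> str:
    """Route one user message: ordinary conversation never touches the token."""
    token = parse_save_request(message)
    if token is None:
        return "no-op"
    return "replaced" if save_token(config_path, token) else "saved"
```

The return value of `handle_message` is what the confirmation shown to the user should be built from, so a token replacement is always surfaced rather than silently applied.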

VirusTotal

65/65 vendors flagged this skill as clean.

View on VirusTotal