Back to skill

Security audit

1688运营数据日报

Security checks across malware telemetry and agentic risk

Overview

The skill has a coherent 1688 reporting purpose, but it gives broad browser-extension access to sensitive seller data without tight caller controls.

Install only if you trust the publisher with your 1688 seller analytics and Feishu app credentials. Before use, restrict the extension to 1688 domains, replace wildcard external extension access with an allowlist, clear stored data regularly, and avoid using the login/QR flow in shared chats unless every recipient is trusted.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
  • Excessive AgencyUnrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • Trigger AbuseOverly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • Taint TrackingDirect Taint Flow, Variable-Mediated Taint Flow, Credential Exfiltration Chain
  • MCP Least PrivilegeUnderdeclared Capability, Wildcard Permission, Missing Permission Declaration
Findings (34)

Tainted flow: 'OUTPUT' from os.environ.get (line 31, credential/environment) → open (file write)

Medium
Category
Data Flow
Content
sys.exit(2)

        # 保存
        with open(OUTPUT, 'w', encoding='utf-8') as f:
            json.dump(all_data, f, ensure_ascii=False, indent=2)

        sycm_list = all_data.get('data', {}).get('sycm', [])
Confidence
84% confidence
Finding
with open(OUTPUT, 'w', encoding='utf-8') as f:

Lp3

Medium
Category
MCP Least Privilege
Confidence
95% confidence
Finding
The skill declares no permissions while explicitly instructing use of shell commands, file reads/writes, environment-based secrets, browser/CDP control, and outbound network calls to Feishu. This weakens policy enforcement and user review because the real capability surface is much broader than the declared metadata suggests.

Tp4

High
Category
MCP Tool Poisoning
Confidence
97% confidence
Finding
The description frames the skill as a 1688 data fetcher, but the body also defines login orchestration, persistent browser profile handling, data storage/exposure via extension APIs, report generation, and external report delivery to Feishu. This materially understates the skill's authority and data flows, increasing the risk of users invoking credentialed scraping and exfiltration features they did not expect.

Description-Behavior Mismatch

Medium
Confidence
93% confidence
Finding
The background service exposes collected seller-workbench data through chrome.runtime.onMessageExternal, allowing external extensions/apps to request stored sycm/work data. There is no sender allowlist, origin verification, or per-request authorization in this file, so any permitted external caller could retrieve accumulated business data well beyond the stated in-session fetching purpose.

Context-Inappropriate Capability

Medium
Confidence
95% confidence
Finding
This code creates a cross-extension data access interface that returns locally stored scraped data to external requesters without validating who is asking. In the context of a data-fetching skill for 1688 seller data, this materially increases the attack surface by turning internal collected data into a reusable exfiltration API.

Description-Behavior Mismatch

High
Confidence
96% confidence
Finding
The skill metadata says it fetches 1688 seller workbench data, but this code also harvests extensive SYCM business-intelligence data such as ranking trends, traffic sources, keywords, inquiries, and trade metrics. This is a material scope expansion that enables collection of sensitive commercial analytics beyond the declared purpose, increasing the risk of unauthorized surveillance or misuse.

Description-Behavior Mismatch

Medium
Confidence
91% confidence
Finding
The code derives stable account identifiers from authenticated cookies such as loginId, unb, memberId, and token-derived values, even though the stated purpose only describes data fetching. Harvesting identifiers creates linkability across sessions and accounts, turning ordinary scraping into account-level tracking.

Context-Inappropriate Capability

Medium
Confidence
88% confidence
Finding
The content script forwards harvested data through runtime messaging and also stores it on window.__CLAW_1688_DATA__. This broadens internal exposure of sensitive business data to other extension components and potentially to page-context access paths, which is not necessary for a narrowly scoped fetcher.

Context-Inappropriate Capability

Medium
Confidence
95% confidence
Finding
The manifest grants host access to all HTTPS sites via "https://*/*" even though the extension’s stated purpose is limited to collecting data from 1688. In a browser extension, broad host permissions significantly expand the blast radius: any compromise, misuse, or future code path could read from or interact with unrelated sites, including authenticated pages, making over-privilege a real security issue.

Description-Behavior Mismatch

Medium
Confidence
88% confidence
Finding
The bridge exposes multiple collection modes beyond the stated workbench-focused purpose, including items, details, summary, sycm, full, and raw data access. This creates a capability-expansion issue: any script able to call this bridge can request broader 1688 data than users would reasonably expect from the skill description, increasing the risk of over-collection and unauthorized secondary use of extension-held data.

Context-Inappropriate Capability

Medium
Confidence
94% confidence
Finding
The getRawData/clawRaw path provides an unrestricted dump of all extension data via GET_ALL_DATA, which is especially risky because it bypasses any narrower business-purpose boundaries implied by the skill metadata. If invoked by an external script or untrusted page context with access to this bridge, it could expose sensitive seller, account, or operational data in bulk.

Description-Behavior Mismatch

Medium
Confidence
82% confidence
Finding
The popup exposes a concrete `chrome.runtime.sendMessage` example using a fixed extension ID and an `OPEN_CLAW_API` action with broad modes such as `full`, `sycm`, `work`, and `summary`, which suggests a generic cross-context data access surface rather than a narrowly scoped current-page capture UI. In a data-harvesting extension for seller-console and analytics data, this increases the chance that other extension components or external callers with access to the runtime messaging interface can retrieve accumulated sensitive business data beyond the user's immediate action.

Description-Behavior Mismatch

Medium
Confidence
95% confidence
Finding
The module's behavior materially exceeds its stated purpose of data fetching by adding browser control capabilities such as tab creation, navigation, screenshot capture, and cookie clearing. In a skill context, that expanded authority increases the chance of unauthorized browsing actions, collection of unintended sensitive page content, and destructive session changes.

Context-Inappropriate Capability

Medium
Confidence
94% confidence
Finding
The screenshot function can capture arbitrary page contents and persist them to local storage, which may include account data, messages, tokens visible in the UI, or other sensitive business information. That capability is not clearly justified by a seller-workbench data-fetching skill and broadens the data exposure surface significantly.

Vague Triggers

Medium
Confidence
89% confidence
Finding
Using the generic trigger keyword “登录” makes accidental invocation likely during ordinary conversation, especially because this skill can start browser automation and a persistent login polling workflow. In context, unintended activation is more dangerous because the skill also handles QR-code login and can message images or push outputs to Feishu.

Missing User Warnings

Medium
Confidence
94% confidence
Finding
The guide explicitly documents `externally_connectable` with `"ids": ["*"]`, meaning any Chrome extension can message this plugin, yet it does not warn users that collected business/shop data may be accessible to other installed extensions or agent tooling. In this context, the plugin harvests potentially sensitive seller analytics, so lack of disclosure materially increases privacy and data-exposure risk.

Missing User Warnings

Medium
Confidence
91% confidence
Finding
The guide states that the plugin relies on page cookies and specific auth cookies to access logged-in seller data, but does not warn users about the resulting privacy and account-scope implications. Even if the extension does not directly exfiltrate cookies, it leverages authenticated browser state to retrieve sensitive operational data, which can surprise users and broaden the blast radius of misuse.

Missing User Warnings

Medium
Confidence
89% confidence
Finding
The README explicitly states that page data is automatically collected, persisted, and synchronized, but it does not clearly warn users that this may capture business, shop, analytics, and potentially sensitive operational data from 1688 pages without explicit per-page consent. In a browser extension context, silent automatic collection increases privacy and compliance risk because users may not understand what is being stored or exposed through the extension's interfaces.

Missing User Warnings

Medium
Confidence
94% confidence
Finding
The README documents an external messaging API that allows other extensions or page scripts to request collected data, including detailed product, shop, sycm, and workbench information, but it does not clearly warn users about the trust boundary this creates. If external messaging is enabled without strict origin/extension allowlisting and user awareness, stored data could be exfiltrated by unauthorized or overly broad callers.

Missing User Warnings

Medium
Confidence
89% confidence
Finding
The external API returns collected stored data but this code shows no user-facing disclosure, consent flow, or warning that data may be shared outside the extension boundary. That lack of transparency increases the risk of silent data exposure, especially because the stored data appears to include business/account information gathered from 1688 pages.

Missing User Warnings

Medium
Confidence
84% confidence
Finding
The script collects account identifiers and sensitive business analytics context without any visible notice, prompt, or in-file indication of user awareness. In this skill context, silent collection of seller identifiers and analytics is risky because the data is commercially sensitive and tied to authenticated sessions.

Missing User Warnings

Medium
Confidence
82% confidence
Finding
The code makes authenticated requests with credentials included to backend APIs and transmits account-context data without visible disclosure to the user. Even if requests stay within 1688/SYCM domains, silent authenticated harvesting from a logged-in session can expose sensitive operational data without informed consent.

Missing User Warnings

Medium
Confidence
86% confidence
Finding
Collected page and account data is sent to the background script without any visible disclosure or confirmation. This creates an additional trust boundary crossing where sensitive seller analytics may be aggregated, persisted, or relayed elsewhere outside the immediate page context.

Missing User Warnings

Medium
Confidence
90% confidence
Finding
Bulk retrieval of raw extension data is exposed with no user-facing warning, consent flow, or indication that sensitive stored data may be returned. In the context of a data-fetching skill for seller workbench information, this makes silent mass access more dangerous because operators may assume limited scraping behavior rather than full internal data export.

Missing User Warnings

Medium
Confidence
92% confidence
Finding
Saving screenshots without any user-facing disclosure or confirmation is risky because users may not realize the skill can copy and persist visual data from authenticated browser sessions. In this context, lack of transparency makes otherwise powerful capture behavior more dangerous and easier to misuse.

VirusTotal

VirusTotal findings are pending for this skill version.

View on VirusTotal

Static analysis

Detected: suspicious.dynamic_code_execution

Dynamic code execution detected.

Critical
Code
suspicious.dynamic_code_execution
Location
scripts/cdp_client.py:272