Back to skill

Security audit

1688运营数据日报

Security checks across malware telemetry and agentic risk

Overview

The skill is broadly purpose-aligned, but it handles sensitive seller analytics through overbroad extension access and recurring outbound reporting that should be reviewed carefully.

Install only if you are comfortable giving this skill access to authenticated 1688 seller analytics and Feishu delivery credentials. Before use, narrow extension host permissions to required 1688 domains, restrict externally_connectable IDs to trusted callers, disable or explicitly approve the cron job, keep Feishu secrets out of shared workspaces, and clear local extension/report data when no longer needed.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
  • Excessive AgencyUnrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • Trigger AbuseOverly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • Taint TrackingDirect Taint Flow, Variable-Mediated Taint Flow, Credential Exfiltration Chain
  • MCP Least PrivilegeUnderdeclared Capability, Wildcard Permission, Missing Permission Declaration
Findings (36)

Tainted flow: 'OUTPUT' from os.environ.get (line 31, credential/environment) → open (file write)

Medium
Category
Data Flow
Content
sys.exit(2)

        # 保存
        with open(OUTPUT, 'w', encoding='utf-8') as f:
            json.dump(all_data, f, ensure_ascii=False, indent=2)

        sycm_list = all_data.get('data', {}).get('sycm', [])
Confidence
90% confidence
Finding
with open(OUTPUT, 'w', encoding='utf-8') as f:

Lp3

Medium
Category
MCP Least Privilege
Confidence
88% confidence
Finding
The skill declares no permissions while its documented workflow clearly uses shell execution, file I/O, environment secrets, and outbound network access. This undermines review and consent boundaries, making it easier for a user or platform to invoke a far more privileged automation flow than the manifest suggests.

Tp4

High
Category
MCP Tool Poisoning
Confidence
93% confidence
Finding
The declared purpose is narrow data fetching, but the skill also performs browser automation, login QR handling, report generation, scheduled execution, and outbound Feishu delivery. This mismatch hides materially different behaviors, including credential use and data exfiltration paths, from anyone relying on the description to assess risk.

Description-Behavior Mismatch

Medium
Confidence
87% confidence
Finding
The documented workflow extends beyond data retrieval into credential-backed outbound messaging to Feishu. That creates an external transmission channel for collected business data, which is a materially different trust boundary than a local fetch-only skill.

Context-Inappropriate Capability

Medium
Confidence
86% confidence
Finding
The cron job enables autonomous daily collection, report generation, and Feishu delivery without an interactive approval step each run. In context, this increases the risk of silent recurring exfiltration of store analytics and continued use of stored credentials beyond the user's immediate intent.

Description-Behavior Mismatch

Medium
Confidence
97% confidence
Finding
The background script exposes a generic external messaging API that returns collected `sycm` and `work` data to external callers. If the extension is configured to allow external messaging, another extension or approved origin could retrieve sensitive business data in bulk, extending use beyond the stated seller-workbench capture purpose.

Context-Inappropriate Capability

High
Confidence
98% confidence
Finding
This file implements external extension/API access for stored seller and SYCM data without demonstrating any authorization checks on the caller beyond Chrome's external messaging mechanism. In a data-collection extension, exposing a reusable external API materially increases the attack surface and enables cross-extension data harvesting if trust boundaries are misconfigured.

Description-Behavior Mismatch

Medium
Confidence
95% confidence
Finding
The skill metadata describes seller workbench data fetching, but this content script also performs broad authenticated collection from sycm.1688.com, including company identity, rank trends, traffic, inquiry, transaction, and keyword analytics. This scope expansion is dangerous because users or reviewers may consent to one business function while the code silently harvests materially more sensitive business intelligence than advertised.

Description-Behavior Mismatch

Medium
Confidence
93% confidence
Finding
The header comment claims the script automatically extracts product data, but the implementation actually gathers seller account identifiers and commercial analytics. Misstating functionality is risky because it obscures the real sensitivity of the harvested data and can defeat meaningful review or informed consent.

Intent-Code Divergence

Medium
Confidence
90% confidence
Finding
The script's comments frame the behavior as product-data extraction, while the code collects store/account performance metrics and detailed analytics instead. This discrepancy is dangerous because it masks surveillance-like collection of business-sensitive data and makes the skill harder to assess accurately.

Description-Behavior Mismatch

High
Confidence
97% confidence
Finding
The manifest claims the extension is for collecting data from 1688 shop pages, but host_permissions include both all HTTPS sites and localhost. This creates a much broader trust and data-access boundary than the stated purpose, enabling the extension to read from or interact with unrelated websites and local services if its code uses those permissions.

Scope Creep

High
Confidence
96% confidence
Finding
The declared scope is 1688-specific, but the effective permission scope extends to arbitrary HTTPS origins and localhost. In an agent skill or browser-extension context, this mismatch increases the risk of over-collection, credential exposure, and unexpected interaction with sensitive local web services.

Description-Behavior Mismatch

Medium
Confidence
80% confidence
Finding
The bridge exposes multiple collection modes beyond the stated seller-workbench purpose, including items, details, summary, sycm, and full/raw retrieval. In a browser-extension messaging bridge, this expands the accessible data surface and can enable over-collection or misuse of seller/account data if called by other scripts without strict scope enforcement.

Context-Inappropriate Capability

Medium
Confidence
88% confidence
Finding
The raw-data dump helper provides unfettered access to all stored data via extension messaging, which is especially risky if the extension stores sensitive account, business, or browsing-derived information. Exposing a bulk dump primitive makes accidental disclosure, unauthorized reuse, or exfiltration much easier than narrowly scoped queries.

Description-Behavior Mismatch

Medium
Confidence
89% confidence
Finding
The module's stated purpose is data fetching, but it also exposes powerful browser-control capabilities: arbitrary navigation, screenshot capture, cookie clearing, and tab creation. In an agent skill context, this materially increases the attack surface because other components can abuse the helper to drive authenticated sessions, exfiltrate visible data, or disrupt user state beyond the narrow data-collection use case.

Description-Behavior Mismatch

Low
Confidence
84% confidence
Finding
The script persists scraped seller/workbench data to local disk without that storage behavior being clearly disclosed by the skill description. This creates a privacy and data-governance issue because potentially sensitive business data is retained beyond the immediate session and may be accessible to other local users, processes, or later workflows.

Vague Triggers

Medium
Confidence
78% confidence
Finding
Using a broad trigger like “登录” can activate this high-privilege skill in unrelated conversations about login issues. Because the skill can launch browser automation and initiate QR-code login workflows, overbroad activation increases the chance of unintended execution.

Missing User Warnings

Medium
Confidence
84% confidence
Finding
The guide describes automatic collection of 1688 seller business data and exposure through an external API, but does not clearly warn users that potentially sensitive operational data may be transmitted to other agents or extensions. In this context, the data includes business metrics, traffic, transaction, and service-performance information that could be commercially sensitive if accessed without informed consent.

Missing User Warnings

High
Confidence
98% confidence
Finding
The documented `externally_connectable` configuration allows all Chrome extensions (`"ids": ["*"]`) to message this plugin, creating a broad trust boundary around a component that exposes sensitive seller data. In the skill context, this is especially dangerous because the extension is designed to collect authenticated business intelligence from logged-in 1688 sessions, so any malicious local extension could potentially query or abuse that data channel.

Missing User Warnings

Medium
Confidence
88% confidence
Finding
The guide notes dependence on login cookies such as `_m_h5_tk` for authenticated data collection, but does not emphasize that this involves sensitive session-linked access to protected account data. In a browser extension context, omission of this warning can lead users to underestimate the privacy and account-risk implications of enabling automated collection from authenticated pages.

Missing User Warnings

Medium
Confidence
89% confidence
Finding
The README explicitly states that page content is automatically collected and sent to a background script, but it does not clearly warn users about the privacy implications, retention, or scope of collected data. In a browser extension context, silent automatic collection increases the risk of users exposing marketplace activity and business information without informed consent.

Missing User Warnings

Medium
Confidence
95% confidence
Finding
The documented fields include sensitive business analytics and account-related data from 生意参谋 and workbench pages, such as company identity, transaction metrics, inquiry data, and operational performance indicators. Exposing that this data is collected and retrievable through extension APIs without strong warnings, access controls, or minimization guidance creates substantial risk of unauthorized harvesting or misuse of commercially sensitive information.

Missing User Warnings

Medium
Confidence
95% confidence
Finding
The external API returns locally collected datasets with no user-facing notice, consent flow, or disclosure in this file. Even if technically intended, silently making collected business data available to outside consumers creates a privacy and confidentiality risk, especially given the skill context of scraping seller workbench information.

Missing User Warnings

Medium
Confidence
94% confidence
Finding
The code reads stable account identifiers from cookies such as loginId, unb, memberId, and token-derived values to build a persistent accountId. Collecting identifiers from authenticated session context is sensitive because it enables tracking and attribution of harvested business data to a specific seller account, especially when later transmitted to other extension components.

Missing User Warnings

Medium
Confidence
96% confidence
Finding
The script makes authenticated requests with credentials included to internal 1688 APIs and computes signed requests using a page-exposed signing helper, allowing it to pull sensitive seller performance data not otherwise visible from simple page scraping. This is dangerous because it leverages the user's authenticated session to collect privileged business analytics at scale, increasing privacy and competitive-risk exposure if misused or exfiltrated.

VirusTotal

VirusTotal findings are pending for this skill version.

View on VirusTotal

Static analysis

Detected: suspicious.dynamic_code_execution

Dynamic code execution detected.

Critical
Code
suspicious.dynamic_code_execution
Location
scripts/cdp_client.py:272