Skill flagged — suspicious patterns detected

ClawHub Security flagged this skill as suspicious. Review the scan results before using.

Jinguyuan Dumpling Skill

v0.3.3

Information lookup and online queue ticketing for the Jinguyuan Dumpling Restaurant (金谷园饺子馆). Query restaurant information, delivery, packaged raw dumplings, Wi-Fi and latest news; an embedded Meituan queue Skill supports taking a queue number online, checking progress and cancelling the queue.

License: MIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan

VirusTotal: Suspicious
OpenClaw: Suspicious (medium confidence)
Purpose & Capability
Name/description (restaurant info + online queue) align with the included code (MCP calls for info + embedded Meituan queue scripts). However the skill embeds an auto‑updating Meituan queue component and an OAuth helper that write/read local token files and install a CLI — capabilities beyond simple read-only info lookup and not declared in the manifest.
Instruction Scope
Runtime instructions require calling an embedded meituan-queue script and a version_checker before each invocation; those scripts perform network requests, may download and extract archives into the skill directory, and perform OAuth flows. The SKILL.md also instructs LLM-driven placeholder replacement of tokens into shell commands (sensitive). The docs reference reading/writing ~/.xiaomei-workspace/mt_passport_auth.json and using MT_QUEUE_TOKEN environment variable — none of these filesystem/env interactions are declared in skill.json.
Install Mechanism
No formal install spec, but the included version_checker.py downloads a zip from a remote CDN (version_config.json → s3plus-shon.meituan.net) and extracts it into the skill directory at runtime. This is effectively remote code fetch+extract executed by the agent and is a high-risk pattern (arbitrary remote code can be written into the skill directory).
Credentials
skill.json declares no required env vars, yet instructions rely on/mention multiple env vars and files (MT_QUEUE_TOKEN, MT_PASSPORT_CLIENT_ID, MT_PASSPORT_ENV, MT_PASSPORT_AUTH_FILE, etc.) and a cached token file in the user's home. That mismatch (undeclared but required/used secrets and filesystem paths) is disproportionate and surprising.
Persistence & Privilege
always:false (good). But the skill's behavior includes persistent artifacts: writing token cache to ~/.xiaomei-workspace and updating files in the skill directory via version_checker. Those are persistent privileges the skill exercises at runtime and should be treated carefully (not expressed as 'always' but still persistent on disk).
What to consider before installing
- The skill does what it claims (restaurant info + Meituan queue), but its embedded Meituan component will: (a) run an OAuth/install flow that can install/use an mt-passport CLI and store tokens at ~/.xiaomei-workspace/mt_passport_auth.json, and (b) perform an automatic version check that can download and extract a zip from a remote CDN into the skill directory. Both behaviors give the skill the ability to write persistent files and to pull new code from the network at runtime.
- Risks: remote code updates (the version checker will fetch and extract archives), token handling/exposure (the LLM is instructed to inline tokens into shell commands), and undeclared env/files (the manifest doesn't list the env vars/files the scripts actually use). These increase the chance of accidental credential exposure or execution of unexpected code.
- Recommendations:
  1. If you want to use it, run it in an isolated/sandboxed environment (not a production machine) so updates and scripts cannot affect sensitive data.
  2. Require explicit user confirmation before allowing the skill to perform the version update or install CLIs; prefer to run the scripts with visibility rather than letting them auto-update on each invocation.
  3. Inspect and vet the remote CDN URLs in version_config.json and the downloaded package contents before trusting automatic updates; consider locking the skill to a vetted local copy and disabling the updater.
  4. Be cautious about providing tokens or letting the agent perform OAuth on your behalf; if possible, supply a short-lived token and verify where it will be stored and used.
  5. If you cannot review the code and CDN content, decline installation or mark the skill as agent-invocable only with human approval (no autonomous runs).
Summary: coherent purpose but contains runtime behaviors (automatic remote updates, token storage and inline token injection into shell commands) that are high risk if used without review — treat as suspicious and take the precautions above before installing.


latest: vk9781091mnn6n3cc24kr0fjcms84j7ce
