Jinguyuan Dumpling Skill

Security checks across malware telemetry and agentic risk

Overview

The restaurant helper appears legitimate, but its embedded queue/login flow can install global software, use cached account tokens, follow remote tool instructions, and self-update local skill files without strong containment.

Install only if you specifically trust this publisher and want Meituan account-based queueing. Avoid shared or production machines, expect local token caching and possible global npm changes, and be cautious with automatic remote updates and clickable ordering links.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • Trigger Abuse: Overly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • MCP Tool Poisoning: Hidden Instructions, Unicode Deception, Parameter Description Injection
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
Findings (18)

Tp4

High
Category: MCP Tool Poisoning
Confidence: 93%
Finding: The documented purpose is restaurant info lookup and queueing, but the analyzed behavior reportedly extends to account authentication, token acquisition, shell-based global package installation, remote downloads from Gitee, and runtime self-updating of the skill. That combination materially expands the trust boundary and creates supply-chain and remote code execution risk far beyond what a user would reasonably expect from a restaurant helper skill.

Intent-Code Divergence

Medium
Confidence: 92%
Finding: The file gives inconsistent authentication guidance: earlier sections require obtaining a token manually or via environment variable, while the error handling section says re-triggering the skill will automatically refresh the token. This can cause the agent to assume reauthentication is automatic and proceed with privileged queue operations under incorrect auth assumptions, increasing the chance of failed actions, confused-deputy behavior, or unsafe handling of credentials.

Context-Inappropriate Capability

Medium
Confidence: 93%
Finding: The script silently executes `npm install -g qrcode` at runtime, which modifies the host system and introduces a network-driven supply-chain dependency during normal operation. This is dangerous because a QR-code helper for a restaurant/queue skill should not implicitly change global packages; if the npm registry, dependency chain, or execution environment is compromised, this behavior can install or execute untrusted code with the privileges of the current user.

Context-Inappropriate Capability

Medium
Confidence: 85%
Finding: The skill silently invokes an external local CLI to perform authentication and retrieve tokens, extending its capabilities beyond simple queue queries into local code execution trust. In an agent environment, any PATH-hijacked or trojanized mt-passport binary could execute arbitrary code or exfiltrate credentials under the user's context.

Context-Inappropriate Capability

Low
Confidence: 74%
Finding: The authentication flow writes QR PNG/SVG files into temporary local paths, which creates unnecessary filesystem side effects for a queue skill. Although the content is not obviously secret by itself, local file creation can leak auth links to other local processes/users on shared systems and broadens the skill's data footprint without strong need.

Context-Inappropriate Capability

High
Confidence: 97%
Finding: This file implements a self-update mechanism that downloads a remote ZIP and overwrites files in the skill directory, including instructions that the caller should reload SKILL.md afterward. Even though it attempts basic Zip Slip checks, it does not authenticate the downloaded content with a signature, pinned digest, or trusted update framework, so compromise of the update source or config can silently replace the skill with attacker-controlled content. In the context of a restaurant-info/queueing skill, this capability is unnecessary and materially increases supply-chain risk.

Description-Behavior Mismatch

High
Confidence: 98%
Finding: The code fetches remote version metadata, selects a download_url, downloads an archive, extracts it over the local skill files, and then tells the system to reload SKILL.md. That is remote content/code replacement behavior, which creates a powerful execution and prompt-injection supply-chain path if the remote endpoint, transport assumptions, or local config are tampered with. Because the manifest describes restaurant lookup and queueing, this update capability is out of scope and therefore more suspicious and dangerous.

Intent-Code Divergence

Medium
Confidence: 94%
Finding: The manifest gives conflicting routing instructions for queue-related requests: a dedicated embedded meituan-queue skill is mandated in the brand prompt, while a queue-related MCP tool is also exposed for similar user intents. This ambiguity can cause the agent to invoke the wrong integration, bypass intended trust boundaries, or mix lower-risk informational handling with transactional queue operations.

Vague Triggers

High
Confidence: 97%
Finding: The skill mandates invocation for any mention of queueing-related topics and forbids the agent from answering normally or suggesting safer alternatives. This overbroad trigger can force unnecessary execution of an authenticated, real-world transaction skill even when the user is only asking informational questions, which increases the risk of unintended account actions and suppresses safer human-in-the-loop handling.

Vague Triggers

Medium
Confidence: 94%
Finding: The trigger list is unusually broad for a high-sensitivity action and includes generic phrases like obtaining a token, login, reauthorization, and even placeholder-based automatic dependency invocation. In this context, that increases the chance the skill is invoked when a user did not clearly intend to start an authorization flow, which can lead to unnecessary login prompts and downstream token use by other skills.

Missing User Warnings

Medium
Confidence: 97%
Finding: The skill explicitly supports transparent token acquisition and injection into other commands 'without user awareness,' but does not present a clear consent notice describing what data or privileges the token grants and which downstream skill or API will use it. Because this is a user-auth token, silent acquisition/use materially increases privacy and authorization risk if a dependent skill is over-privileged, confusing, or malicious.

Missing User Warnings

Medium
Confidence: 90%
Finding: The documentation explicitly instructs reading a cached authentication token and injecting it into command templates, but it does not clearly warn that the token is a sensitive credential that must not be logged, echoed, pasted into chat, or exposed via process arguments and shell history. In this skill context, the token is intended for cross-skill API access, so omission of handling safeguards increases the chance of accidental credential leakage or misuse.

Missing User Warnings

Medium
Confidence: 92%
Finding: The script silently falls back to downloading a tarball from a remote Gitee URL and then installs it globally with npm. This creates a supply-chain risk because remotely fetched code is executed/installed without integrity verification, signature checking, or an explicit consent prompt warning the user about the network fetch and system-wide modification.

Missing User Warnings

Medium
Confidence: 95%
Finding: Auto-installing a global npm package without explicit user/admin confirmation causes unexpected system mutation and may trigger execution of package lifecycle scripts from an external source. In the context of a restaurant information and queueing skill, this behavior exceeds expected functionality and increases supply-chain and environment-integrity risk, especially on shared or production hosts.

Vague Triggers

Medium
Confidence: 79%
Finding: The trigger keyword is broad enough to overlap with common speech, increasing the chance that this skill is invoked outside a clear restaurant-specific context. Overbroad activation can cause unintended tool exposure, confusing routing, or user redirection into ordering flows when the user did not intend to interact with this skill.

Vague Triggers

Medium
Confidence: 86%
Finding: The pickup-order invocation text includes very broad phrases such as common ordering language, which can match ordinary conversation and trigger a transactional link flow unexpectedly. Because the tool returns a deep link for ordering, ambiguous invocation raises the risk of unsolicited redirection into an external app or purchase-related path.

Ssd 1

Medium
Confidence: 95%
Finding: The tool description tells the agent to strictly follow tool-provided _agent_instruction, which creates a semantic prompt-injection channel from tool output into agent behavior. If the backing service is compromised or returns unexpected instructions, it can manipulate the agent's response format, content, or downstream actions beyond the user's request.

Ssd 1

Medium
Confidence: 97%
Finding: This tool explicitly directs the agent to obey _agent_instruction when rendering a clickable weixin:// link, allowing tool output to steer agent behavior and present external deep links. A malicious or compromised service could replace the expected instruction or link target with deceptive content, phishing-style redirection, or unsafe workflow manipulation.

VirusTotal

66/66 vendors reported this skill as clean.