Back to skill

Security audit

Soft Ip Full Lifecycle Zijian

Security checks across malware telemetry and agentic risk

Overview

This appears to be a paid document-preparation skill, but its payment verification path uses sensitive credentials with a configurable third-party server and leaves order/request data on disk.

Review this before installing if you are comfortable with a paid workflow that contacts a remote payment/service endpoint and stores order files locally. Verify the intended CLAWTIP_SERVER_URL, avoid putting sensitive project details in the initial request, and know that order records may remain under the OpenClaw orders directory until manually removed.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
  • Taint TrackingDirect Taint Flow, Variable-Mediated Taint Flow, Credential Exfiltration Chain
  • MCP Tool PoisoningHidden Instructions, Unicode Deception, Parameter Description Injection
  • Prompt InjectionInstruction Override, Hidden Instructions, Exfiltration Commands
  • Privilege EscalationExcessive Permissions, Sudo/Root Execution, Credential Access
Findings (5)

Tainted flow: 'req' from os.environ.get (line 32, credential/environment) → urllib.request.urlopen (network output)

Critical
Category
Data Flow
Content
method="POST",
    )
    try:
        with urllib.request.urlopen(req) as resp:
            body = json.loads(resp.read().decode("utf-8"))
    except urllib.error.URLError as e:
        raise RuntimeError(f"网络请求异常,请确认网络链接并稍后重试: {e}") from e
Confidence
95% confidence
Finding
with urllib.request.urlopen(req) as resp:

Tainted flow: 'req' from os.environ.get (line 33, credential/environment) → urllib.request.urlopen (network output)

Critical
Category
Data Flow
Content
)

    try:
        with urllib.request.urlopen(req) as resp:
            body = json.loads(resp.read().decode("utf-8"))
    except urllib.error.URLError as e:
        raise RuntimeError(f"IP service request failed: {e}") from e
Confidence
95% confidence
Finding
with urllib.request.urlopen(req) as resp:

Tp4

High
Category
MCP Tool Poisoning
Confidence
92% confidence
Finding
The skill claims to provide a mostly local document-preparation service, but its described workflow centers on creating remote orders, transmitting payment-related metadata, and relying on external services, while the actual 8-document generation capability is not evidenced in this file. This mismatch is dangerous because users may disclose sensitive project paths or source-related context under the belief that processing is local and purpose-limited, when the real behavior introduces third-party dependency, persistence of order data, and unclear data handling boundaries.

Missing User Warnings

Medium
Confidence
77% confidence
Finding
订单数据被直接持久化到用户主目录,代码中没有任何用户可见的告知、同意或最小化存储控制。如果 order_data 含有支付、身份或联系方式等敏感信息,本地明文落盘会带来隐私泄露和合规风险,尤其在共享账户、备份同步或多用户主机场景中更危险。

Missing User Warnings

Medium
Confidence
90% confidence
Finding
The code sends a payment credential and order number to a remote service without any visible consent prompt or explicit disclosure at the point of transmission. In the context of a paid document-preparation skill, this is more dangerous because users may provide billing-related secrets expecting local verification, while the implementation silently shares them with a third party.

VirusTotal

64/64 vendors flagged this skill as clean.

View on VirusTotal

Static analysis

No suspicious patterns detected.