Amazon Listing Factory

Security checks across malware telemetry and agentic risk

Overview

The skill can generate Amazon listing drafts, but it also has under-disclosed external image generation, Feishu routing, tmux session inspection, and local logging that users should review before installing.

Install only if you trust the publisher and want API-backed listing and image generation. Use dedicated low-privilege API keys, review COZE_API_URL and LISTING_BASE_URL before running, avoid sensitive product data unless third-party processing is acceptable, and consider disabling or auditing tmux recipient detection, Feishu sending, debug route output, and runtime.log retention.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Privilege Escalation: Excessive Permissions, Sudo/Root Execution, Credential Access
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • Behavioral AST: exec() Call, eval() Call, Dynamic Import
  • Taint Tracking: Direct Taint Flow, Variable-Mediated Taint Flow, Credential Exfiltration Chain
Findings (18)

subprocess module call

Medium
Category
Dangerous Code Execution
Content
def detect_runtime_receive_target_from_tmux():
    try:
        proc = subprocess.run(
            ["tmux", "capture-pane", "-pt", "openclaw", "-S", "-300"],
            capture_output=True,
            text=True,
Confidence
86% confidence
Finding
proc = subprocess.run( ["tmux", "capture-pane", "-pt", "openclaw", "-S", "-300"], capture_output=True, text=True, timeout=10, )

subprocess module call

Medium
Category
Dangerous Code Execution
Content
]

    try:
        proc = subprocess.run(cmd, capture_output=True, text=True, timeout=180)
    except Exception as e:
        return {"ok": False, "error": "调用飞书发送脚本异常", "details": str(e)}
Confidence
72% confidence
Finding
proc = subprocess.run(cmd, capture_output=True, text=True, timeout=180)

Tainted flow: 'req' from os.environ.get (line 370, credential/environment) → urllib.request.urlopen (network output)

Critical
Category
Data Flow
Content
}
    )

    with urllib.request.urlopen(req, timeout=120) as resp:
        return json.loads(resp.read().decode("utf-8"))
Confidence
92% confidence
Finding
with urllib.request.urlopen(req, timeout=120) as resp:

Description-Behavior Mismatch

High
Confidence
97% confidence
Finding
This module does more than generate listing assets: it automatically sends generated images to Feishu recipients, including auto-detected targets. That hidden messaging behavior is materially outside the stated skill purpose and can leak generated content, prompts, and workflow results to third parties without clear user intent.

Context-Inappropriate Capability

High
Confidence
98% confidence
Finding
The code harvests recipient identifiers from numerous environment variables and even parses tmux pane output to infer who should receive images. For a listing-draft skill, this hidden recipient discovery is unjustified and dangerous because it enables covert routing of outputs using ambient system and chat metadata.

Context-Inappropriate Capability

Medium
Confidence
90% confidence
Finding
The debug snapshot exposes messaging configuration and runtime routing context unrelated to the skill's declared purpose. Even though it avoids printing raw secrets, revealing whether sensitive integrations are configured and which recipient is active aids reconnaissance and can leak operational metadata.

Context-Inappropriate Capability

Low
Confidence
84% confidence
Finding
The script sources a local .env file directly into the shell, which does more than load key-value configuration: any shell syntax in that file will be executed. In the context of a content-generation skill, this creates an unnecessary code-execution and secret-loading surface if the .env file is modified by another local process, a malicious package, or a user following unsafe setup instructions.

Description-Behavior Mismatch

Medium
Confidence
89% confidence
Finding
The skill description frames the tool as a listing-draft generator, but the code also triggers automatic image generation through a separate subprocessed skill. This hidden capability changes the data-flow and trust boundary: user prompts, reference image URLs, and service credentials may be sent into another component without clear disclosure or consent.

Missing User Warnings

Medium
Confidence
95% confidence
Finding
The runtime log stores raw user input, prompts, labels, recipient identifiers, chat metadata, and generated image URLs in a local file without any evident retention controls or user disclosure. This creates a persistent sensitive-data trail that could later be accessed by other users, processes, or backups.

Missing User Warnings

Medium
Confidence
88% confidence
Finding
The skill sends prompts and reference image data to an external Coze API, but the code shows no user-facing notice or consent mechanism for this transfer. In a content-generation context, prompts and reference images may contain proprietary product information or personal data, so undisclosed transmission increases privacy and compliance risk.

Missing User Warnings

Medium
Confidence
96% confidence
Finding
The module silently auto-detects recipient identifiers from environment variables and tmux output, then uses them for message delivery. This is dangerous because users may believe they are only generating content locally while the skill derives and uses hidden routing data from the runtime environment.

Missing User Warnings

Medium
Confidence
76% confidence
Finding
The code silently creates a .env file in the skill directory with credential placeholders when one does not exist. Auto-creating secret-bearing configuration files without an up-front warning can mislead users about persistence and storage location of sensitive tokens, increasing the chance of accidental exposure or unsafe handling.

Missing User Warnings

Medium
Confidence
91% confidence
Finding
Raw user input and parsed product data are transmitted to an external LLM API, yet this file provides no explicit consent, privacy notice, or data-sharing disclosure before doing so. For a listing tool, prompts may contain unreleased product details, marketing plans, or internal image URLs, so undisclosed transmission increases confidentiality and compliance risk.

Missing User Warnings

Medium
Confidence
90% confidence
Finding
Reference image URLs, prompts, and a service key are forwarded to a subprocessed image skill without explicit user-facing disclosure in this file. This broadens data exposure to another component and possibly another external service, which is especially sensitive because image URLs may be private or pre-release assets.

Ssd 3

Medium
Confidence
91% confidence
Finding
Debug output includes operational details such as default receive IDs, receive ID types, and runtime target information in plain language. This can leak internal routing state and make social engineering or unauthorized message targeting easier for anyone who can invoke debug behavior.

Ssd 3

Medium
Confidence
93% confidence
Finding
Natural-language commands like route probing reveal the current receive_id, type, and chat metadata to the requester. That creates an information-disclosure primitive that can expose who the system is currently prepared to message and how, which is unnecessary for listing generation.

Credential Access

High
Category
Privilege Escalation
Content
SKILL_DIR="$(cd "$(dirname "$0")" && pwd)"
INPUT="${1:-}"

if [ -f "$SKILL_DIR/.env" ]; then
  set -a
  # shellcheck disable=SC1091
  source "$SKILL_DIR/.env"
Confidence
86% confidence
Finding
.env"

Credential Access

High
Category
Privilege Escalation
Content
if [ -f "$SKILL_DIR/.env" ]; then
  set -a
  # shellcheck disable=SC1091
  source "$SKILL_DIR/.env"
  set +a
fi
Confidence
86% confidence
Finding
.env"

VirusTotal

64/64 vendors flagged this skill as clean.
