My Coffee

Security checks across malware telemetry and agentic risk

Overview

This skill is described as a Luckin Coffee ordering helper, but it handles real orders, payment links, location lookup, and account tokens.

Install only if you are comfortable letting this skill use a Luckin MCP token to create, query, and cancel pickup orders. Prefer platform-managed secrets or environment variables over pasting tokens into chat, decline local token saving unless you want reuse, and provide your store or location manually if you do not want IP-based approximate location lookup.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • Trigger Abuse: Overly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Privilege Escalation: Excessive Permissions, Sudo/Root Execution, Credential Access
Findings (5)

Context-Inappropriate Capability

Medium
Confidence: 95%
Finding
The skill expands beyond coffee ordering by instructing the agent to source, persist, and delete authentication tokens from environment variables, chat history, and local files. This creates unnecessary credential-handling and local file access behavior that increases the blast radius if the agent is compromised or mis-triggered, especially because the token grants access to ordering/payment operations.

Context-Inappropriate Capability

Medium
Confidence: 96%
Finding
The skill directs the agent to bypass the declared MCP integration and invoke the backend directly with shell-based curl. That broadens execution from scoped tool use to arbitrary network command execution, increasing the chance of token leakage, command misuse, and unmonitored exfiltration of payment-order data.

Context-Inappropriate Capability

Medium
Confidence: 88%
Finding
The skill authorizes IP-based geolocation through a third-party service, causing user/network metadata to be sent externally without being essential to the core ordering workflow. Even if only coarse location is returned, it still discloses approximate user location and network characteristics to an external party outside the declared Luckin MCP flow.

Vague Triggers

Medium
Confidence: 82%
Finding
The trigger keywords are broad enough to match generic beverage, tea, coffee, or store-related conversation, which can cause the skill to activate outside clear Luckin-ordering intent. In this skill, accidental invocation is more dangerous than usual because activation may lead to credential handling, location lookup, and order/payment actions.

Vague Triggers

Medium
Confidence: 84%
Finding
Example trigger phrases such as '买一杯咖啡' are overly generic and may cause the skill to engage for ordinary coffee chat rather than explicit Luckin transactions. Because the skill can proceed into store lookup and payment flows, loose triggers raise the risk of unintended data processing and real-world ordering actions.

VirusTotal

62/62 vendors flagged this skill as clean.