Xyfcli Order Guide

Security checks across malware telemetry and agentic risk

Overview

This looks like a real fertilizer ordering helper, but it needs Review because it can use a stored order-system token to view customer data and change order/address records, with weak secret handling.

Install only if you trust the publisher and the target order system. Use a limited, revocable token; avoid commands that print config in JSON; keep transcripts private; verify customer, address, product, quantity, logistics, and receiver fields before confirming; do not reuse another customer's address unless your organization explicitly permits it.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Trigger Abuse: Overly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • MCP Tool Poisoning: Hidden Instructions, Unicode Deception, Parameter Description Injection
  • Privilege Escalation: Excessive Permissions, Sudo/Root Execution, Credential Access
Findings (17)

Description-Behavior Mismatch

Medium
Confidence: 87%
Finding
The manifest description omits that the skill can add and edit customer shipping addresses, which are sensitive account changes rather than simple lookups. Undisclosed mutation capabilities increase the risk of unauthorized business-data modification and make operator approval less informed.

Description-Behavior Mismatch

Low
Confidence: 87%
Finding
The manifest description omits that the skill can add and edit customer shipping addresses, which are sensitive account changes rather than simple lookups. Undisclosed mutation capabilities increase the risk of unauthorized business-data modification and make operator approval less informed.

Intent-Code Divergence

Medium
Confidence: 80%
Finding
The workflow contradicts itself by first allowing multiple transport and pickup options, then later stating those fields are fixed to single values during order generation. In transactional systems, such inconsistencies can cause the agent to submit orders with unintended shipping terms, creating integrity and business-process risk.

Intent-Code Divergence

Medium
Confidence: 80%
Finding
The evaluation checklist again conflicts with the order-generation notes, reinforcing ambiguity over whether transport/pickup are selectable or fixed. This increases the chance of unsafe automation behavior, where the agent may override user intent or place orders under incorrect logistics settings.

Intent-Code Divergence

Medium
Confidence: 96%
Finding
The command help/docstring says it will generate an order preview page and allow later modification, but the implementation directly calls the saveOrderDrafts backend endpoint and writes a draft into the system. This mismatch is security-relevant because operators or upstream agents may invoke the command under the false assumption that it is non-mutating, causing unauthorized or unintended business state changes.

Missing User Warnings

Medium
Confidence: 92%
Finding
The skill is designed to retrieve and display customer names, phone numbers, addresses, balances, and related business information, but it provides no privacy notice, purpose limitation, or guidance on minimizing disclosure. In a sales/order context this is particularly dangerous because the data is operationally sensitive and could be exposed to the wrong requester through normal-looking queries.

Missing User Warnings

Medium
Confidence: 91%
Finding
The file documents `XYFCLI_SESSION` as an authentication cookie but provides no handling guidance, which can encourage users or downstream agents to expose the token in shell history, logs, screenshots, or debug output. In a skill that performs authenticated customer, supplier, and ordering operations, theft of this session could enable unauthorized data access or order actions.

Missing User Warnings

Medium
Confidence: 88%
Finding
The guide says uploaded images are automatically parsed and used in the order workflow, but it does not tell users what image contents may be collected, retained, or used to drive subsequent actions. In this business context, product photos, labels, barcodes, and screenshots can contain sensitive commercial, customer, or supplier data, so silent processing increases privacy and unintended-disclosure risk.

Missing User Warnings

Medium
Confidence: 91%
Finding
The documented flow turns OCR/barcode output from user-supplied images directly into xyfcli search parameters, which means untrusted image content influences downstream system behavior. Even if the immediate action is 'search', this can trigger unintended lookups, expose internal catalog or partner data, and normalize unsafe automation that may later be extended to ordering actions without sufficient validation.

Missing User Warnings

Medium
Confidence: 93%
Finding
The workflow instructs the system to extract and present customer names, addresses, and phone numbers from order artifacts without any privacy notice, minimization guidance, or confirmation boundary. This exposes personal data during parsing and display, increasing the risk of unnecessary disclosure to users, logs, or downstream systems.

Missing User Warnings

Medium
Confidence: 94%
Finding
The order-creation flow transmits customer identity, address, and phone data and then generates a follow-up page URL, but provides no warning about storage, sharing, retention, or who can access that page. In a transactional environment handling real customer orders, this raises meaningful privacy and confidentiality risk, especially if URLs are shareable or persisted.

Missing User Warnings

Medium
Confidence: 86%
Finding
The module persists configuration directly to a predictable file under the user's home directory, and that configuration schema includes an authorization token. While this code does not itself exfiltrate credentials, storing bearer tokens in plaintext local files increases exposure to other local users, malware, backups, or accidental disclosure, especially because there is no permission hardening or user warning about sensitive credential storage.

Missing User Warnings

Medium
Confidence: 98%
Finding
The init command prints the authorization token back to the terminal, and for tokens of length 20 or less it prints the full secret. Even when truncated for longer tokens, exposing any credential material in console output increases the risk of shoulder surfing, terminal scrollback leakage, shell logging, CI log exposure, or capture by calling agents that collect stdout.

Missing User Warnings

Medium
Confidence: 86%
Finding
The add-address command collects and immediately transmits personal/contact data such as name, phone number, and detailed address to a remote API without any explicit confirmation, consent notice, or safety interlock. In an agent setting, this can cause unintended disclosure or modification of sensitive customer PII if the model infers parameters incorrectly or is prompt-injected into performing the action.

Missing User Warnings

Medium
Confidence: 88%
Finding
The edit-address command performs a remote update of existing customer address records using sensitive personal data, again with no confirmation or human-in-the-loop safeguard. Because this is a state-changing operation affecting customer records, accidental invocation, parameter confusion, or adversarial prompting could overwrite valid addresses or expose PII to external services.

Ssd 3

High
Confidence: 98%
Finding
The workflow explicitly offers using another customer's saved address to place an order, which can expose one customer's address data to another transaction context and enables misdelivery, privacy violations, and account misuse. In an order-management skill handling real customer records, cross-account address reuse is especially dangerous because it normalizes unauthorized data sharing and business-action tampering.

Ssd 3

Medium
Confidence: 90%
Finding
The instruction to 'record interactions for troubleshooting' is broad and, in this workflow, would likely capture product orders, customer names, addresses, phone numbers, and image-derived data. Without explicit redaction and retention controls, this creates unnecessary accumulation of sensitive business and personal data.

VirusTotal

61/61 vendors flagged this skill as clean.