美团红包助手

Security checks across malware telemetry and agentic risk

Overview

The coupon features fit the stated purpose, but the skill quietly persists reusable login tokens and includes broad shared-cache and recurring automation capabilities users should review first.

Install only if you trust the publisher and are comfortable with Meituan SMS login, reusable token storage, shared local cache use, and optional daily automatic coupon claiming. Prefer an isolated workspace, avoid enabling auto-claim unless you want ongoing account actions, and clear stored auth/device data when finished.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • Trigger Abuse: Overly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • MCP Tool Poisoning: Hidden Instructions, Unicode Deception, Parameter Description Injection
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
Findings (18)

Context-Inappropriate Capability
Severity: High
Confidence: 96%
Finding: The skill instructs the agent to persist a live Meituan user_token into cross-session agent memory or KV storage. That broadens credential exposure beyond the local skill boundary into generic agent persistence layers, where access controls, retention, auditability, and redaction may be weaker or shared across tools.

Intent-Code Divergence
Severity: Critical
Confidence: 99%
Finding: The document first forbids uploading sensitive values like user_token to third parties and says they may only be written locally, then later directs the agent to persist user_token in agent memory/KV. This contradiction can cause confidential bearer credentials to be copied into external persistence systems, creating a direct credential leakage and account-compromise risk.

Description-Behavior Mismatch
Severity: Medium
Confidence: 89%
Finding: The file expands the skill from on-demand coupon claiming into persistent scheduled automation that repeatedly acts on the user's account and sends notifications. That is a real scope expansion relative to the stated manifest behavior, and it increases security and consent risk because the agent is instructed to continue operating without fresh user confirmation after setup.

Context-Inappropriate Capability
Severity: Medium
Confidence: 84%
Finding: The instructions direct extraction and use of platform-specific user identifiers from context to create scheduled jobs, but the user-facing description does not clearly justify this data use or explain the privacy implications. This creates unnecessary identifier handling and cross-system linkage risk, especially if IDs are logged, reused, or exposed in commands and error messages.

Description-Behavior Mismatch
Severity: Medium
Confidence: 87%
Finding: The file is presented as an authentication helper, but it also persists scheduling preferences and configures automatic coupon-claim workflows. This expands the skill's operational scope beyond authentication into ongoing autonomous actions, increasing the chance of user surprise, misuse, or unauthorized persistence in an auth-sensitive component.

Context-Inappropriate Capability
Severity: Medium
Confidence: 91%
Finding: The code generates cross-platform scheduling and remote-trigger instructions, including commands that can message a user and create durable recurring jobs. In an authentication module, this is unnecessary privilege expansion and creates a pathway for unattended actions on external platforms if invoked by an agent without strong user confirmation.

Context-Inappropriate Capability
Severity: Medium
Confidence: 97%
Finding: The code allows both the Python interpreter path and the CLI script path to be overridden via environment variables, then executes them in a subprocess. In any environment where an attacker or untrusted wrapper can influence these variables, this becomes arbitrary code execution under the skill's privileges, which exceeds the stated coupon and history-query functionality.

Description-Behavior Mismatch
Severity: Medium
Confidence: 96%
Finding: This file implements a generic local cache and workspace management CLI with cross-skill shared storage and token handling, which is materially broader than the advertised coupon-claiming and history-query use case. In the context of a coupon assistant, this unnecessary capability expansion increases the attack surface and enables persistence and data access patterns unrelated to the skill's stated function.

Context-Inappropriate Capability
Severity: High
Confidence: 99%
Finding: The shared_read/shared_write/shared_delete functions allow arbitrary manipulation of files in a cross-skill shared namespace, with no authorization checks, allowlist, or purpose limitation. A coupon skill should not have broad access to shared files because this can be abused to read or tamper with data used by other skills, including configuration or sensitive shared state.

Context-Inappropriate Capability
Severity: High
Confidence: 99%
Finding: The auth_get/auth_set/auth_delete/auth_list logic manages authentication tokens for arbitrary skills in a single shared mt_auth_tokens.json store and exposes retrieval by skill name and key. Centralized token access without access control is dangerous because any code path with CLI access can enumerate, read, modify, or delete credentials for unrelated skills, enabling account compromise or lateral movement.

Context-Inappropriate Capability
Severity: Medium
Confidence: 95%
Finding: The CLI exposes generic file, JSON, line-editing, listing, and cleanup primitives for any provided skill namespace, far beyond coupon redemption workflows. Even if intended as an internal utility, these capabilities enable unauthorized mutation of other skills' cached data, configuration, and logs if invoked by an attacker or misused by the agent.

Missing User Warnings
Severity: Medium
Confidence: 89%
Finding: The flow explicitly states that agreement status is persisted locally in a token file, and the surrounding authentication flow handles phone numbers and user tokens, but it does not clearly warn the user about local storage, retention, or protection of that sensitive state. On a shared or poorly secured device, local persistence of consent state and authentication material can expose account access metadata or enable unauthorized reuse if the token file is accessed by another local user or process.

Missing User Warnings
Severity: Medium
Confidence: 91%
Finding: The skill instructs the system to automatically claim coupons at scheduled times and act on the user's authenticated account without repeated confirmation, yet the surrounding description does not prominently warn users about ongoing autonomous account actions. This is dangerous because repeated unattended actions can surprise users, create unwanted account activity, and normalize silent use of stored authentication state.

Missing User Warnings
Severity: Medium
Confidence: 87%
Finding: The instructions tell the agent to extract sender or chat identifiers from conversation context and insert them into scheduling commands without an explicit user-facing privacy warning. This is a real privacy and transparency issue because users are not clearly informed that conversational metadata will be repurposed to create external scheduled jobs tied to their identity.

Natural-Language Policy Violations
Severity: Medium
Confidence: 79%
Finding: Forcing all scheduled-task times to Asia/Shanghai regardless of caller locale can cause the automation to run at times the user did not intend. In a skill that performs autonomous account actions, timezone confusion materially increases the chance of surprise execution and undermines informed consent even if the direct security impact is limited.

Vague Triggers
Severity: Medium
Confidence: 89%
Finding: The trigger phrase "领券" is overly broad and can match ordinary conversation without clear Meituan-specific context, causing unintended invocation of this skill. In a coupon-claiming skill tied to an authenticated account, accidental triggers can lead to unwanted actions such as issuing coupons or exposing redemption history to the wrong conversational context.

Missing User Warnings
Severity: Medium
Confidence: 97%
Finding: The restore-from-memory command prints token material to stdout, including a partially revealed user token and the full device token. In agent platforms, stdout is often logged, surfaced to orchestrators, or retained in transcripts, so this can expose long-lived authentication secrets beyond their intended storage boundary.

Ssd 3
Severity: High
Confidence: 95%
Finding: Persisting and restoring tokens through natural-language memory files or generic KV stores creates durable retention and leakage paths outside the skill's local security model. Such stores are often readable by other agent features, logs, debugging tools, or future sessions, increasing the chance of credential exposure and unauthorized account use.

VirusTotal

64/64 vendors flagged this skill as clean.
