ClawHub

美团外卖

Security checks across malware telemetry and agentic risk

Overview

This coupon skill appears to do what it claims, but it stores and exposes reusable Meituan account tokens in ways users should review carefully before installing.

Install only if you trust this publisher with a persistent Meituan login session. Be aware that login tokens may be shared with another Meituan auth skill and printed in agent command output; use the provided environment variables to isolate token/history files, and run clear-device-token or delete the local files when you no longer want the session retained.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
  • Excessive AgencyUnrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • Trigger AbuseOverly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • MCP Tool PoisoningHidden Instructions, Unicode Deception, Parameter Description Injection
  • Prompt InjectionInstruction Override, Hidden Instructions, Exfiltration Commands
Findings (4)

Description-Behavior Mismatch

Medium
Confidence
95% confidence
Finding
The code intentionally uses a shared AUTH_KEY so tokens are reusable across two different skills. Cross-skill token sharing breaks least-privilege boundaries: installing or authenticating one skill implicitly grants another skill access to the same account session, increasing the blast radius if either skill is compromised or behaves unexpectedly.

Context-Inappropriate Capability

High
Confidence
97% confidence
Finding
This code expressly states that login in one skill should be reused by another, creating a credential-sharing channel not justified by the coupon tool's narrow business purpose. In this context, the skill handles real user account access, so silently broadening token reuse materially increases the risk of unauthorized actions, account abuse, and hidden data access across skills.

Vague Triggers

Medium
Confidence
86% confidence
Finding
The trigger list contains broad phrases such as general coupon or discount-related requests that can match ordinary conversation and cause unintended invocation. Because this skill can initiate login flows, send SMS, access tokens, and make external requests, accidental triggering can lead to unnecessary exposure of personal data or confusing side effects.

Missing User Warnings

Medium
Confidence
92% confidence
Finding
The module stores user_token and device_token on disk and also prints sensitive values such as user_token in command outputs like status, token-verify, and verify. Even with 0600 permissions where supported, exposing tokens in stdout and local files can leak credentials through logs, agent transcripts, shell history capture, or other local integrations, enabling session hijacking.

VirusTotal

66/66 vendors flagged this skill as clean.

View on VirusTotal