Security audit

美团外卖红包

Security checks across malware telemetry and agentic risk

Overview

This Meituan coupon skill is mostly coherent, but it asks for account verification data, stores tokens, can set daily automatic account actions, and includes overbroad shared credential/cache tooling.

Install only if you independently trust the publisher as an official Meituan source. Be aware that it may store Meituan tokens and a persistent device identifier locally, keep coupon history keyed by token and masked phone, and optionally create a daily automatic coupon-claiming job. Review and disable cron settings and clear stored credentials when no longer needed.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • Trigger Abuse: Overly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • MCP Tool Poisoning: Hidden Instructions, Unicode Deception, Parameter Description Injection
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
Findings (14)

Description-Behavior Mismatch

Medium (87% confidence)
Finding
The auth helper contains persistent scheduling features that go beyond the declared core login/token functions and can cause autonomous recurring actions on the user's behalf. In an agent-skill context, hidden or loosely disclosed automation increases the risk of unexpected background execution, especially when tied to stored authentication state.

Context-Inappropriate Capability

Medium (89% confidence)
Finding
The code probes host environment variables and local tooling to tailor scheduler creation commands, which exceeds a narrow authentication role and increases host-awareness. In a skill environment, platform probing plus generation of external tasking commands can enable persistence-like behavior that users may not expect from an auth utility.

Description-Behavior Mismatch

Medium (92% confidence)
Finding
The file implements a generic local cache and token-management CLI with cross-skill sharing, which materially exceeds the declared purpose of a Meituan coupon assistant. In a skill ecosystem, unnecessary general-purpose storage and token tooling broadens access to unrelated data and increases the chance of unauthorized cross-skill data handling or later abuse.

Context-Inappropriate Capability

High (97% confidence)
Finding
The shared_read/shared_write/shared_delete interfaces allow arbitrary file management in a global '.shared' area across skills. That creates a cross-tenant data access surface where one skill can read, overwrite, or delete data used by others, which is especially dangerous in an agent environment handling tokens, config, or operational state.

Context-Inappropriate Capability

High (99% confidence)
Finding
The auth_get/auth_set/auth_delete/auth_list functions manage authentication tokens for arbitrary skills in a shared mt_auth_tokens.json file. This centralizes sensitive credentials and exposes enumeration, retrieval, modification, and deletion paths beyond the coupon skill's stated purpose, enabling credential theft, impersonation, or denial of service against other skills.

Context-Inappropriate Capability

Medium (91% confidence)
Finding
The manager exposes broad private-file CRUD, JSON mutation, and line-editing primitives for any supplied skill name and file name. Even though this targets per-skill directories, it gives the coupon skill a general-purpose local file manipulation capability unrelated to coupon redemption or history lookup, increasing the blast radius for accidental corruption or deliberate abuse of cached state.

Vague Triggers

High (94% confidence)
Finding
The trigger list is extremely broad and includes generic phrases like '领券', '红包助手', '省钱', and related bargain-seeking language that may arise in ordinary conversation. Overbroad activation can cause unintended invocation of a skill that performs authentication checks, file persistence, network requests, and potentially scheduled automation.

Vague Triggers

High (96% confidence)
Finding
The intent rules authorize activation on vague consumption or savings cues, and even instruct the agent to directly execute coupon claiming without asking when broad 'benefit' or 'activity' terms are present. In this skill's context, that is more dangerous because activation can cascade into token verification, terms handling, remote calls, local credential storage, and post-success cron prompting without a clear user request for those actions.

Missing User Warnings

Medium (93% confidence)
Finding
The skill explicitly instructs collection of a user's phone number and states that agreement status and authentication token are persisted locally, but the skill metadata does not clearly disclose this storage behavior up front. This creates a privacy and security risk because local token persistence can expose account access or consent records to other local users/processes if not properly protected, and users may not provide fully informed consent.

Missing User Warnings

Medium (94% confidence)
Finding
The rule explicitly directs the agent to create a persistent scheduled job that will perform coupon claiming and notify the user later, including language such as '无需再次确认'. That creates autonomous account-affecting actions and repeated outbound notifications without requiring an explicit, informed consent flow that clearly explains persistence, frequency, and how to stop it, which is risky in an account-linked commerce context.

Natural-Language Policy Violations

Medium (91% confidence)
Finding
The file hard-codes all scheduled tasks to Asia/Shanghai and states this applies regardless of the caller's local timezone. This can cause the automation to run at unexpected times for users outside China, leading to unintended account actions and confusing or disruptive notifications, especially when combined with daily autonomous execution.

Missing User Warnings

Medium (93% confidence)
Finding
The skill transmits highly sensitive authentication material - phone number and SMS verification code - to a remote login endpoint, but this file provides no in-band disclosure or consent checkpoint immediately before transmission. In a consumer coupon skill, users may reasonably expect login, but the lack of explicit notice still creates a privacy and informed-consent gap.

Missing User Warnings

Medium (91% confidence)
Finding
The token verification flow sends the locally stored user_token to a remote endpoint without a clear user-facing disclosure at the time of the check. Because tokens can grant account access, silent remote validation can surprise users and creates a data-handling transparency problem.

Missing User Warnings

Medium (88% confidence)
Finding
This code stores and retrieves authentication tokens from a shared local file without any explicit user disclosure, consent flow, or access-control boundary visible in the tool itself. In the context of a consumer coupon skill, undisclosed credential handling is risky because users would not reasonably expect the skill to enumerate or manipulate shared authentication material across skills.

VirusTotal

67/67 vendors flagged this skill as clean.