Security audit

Official Meituan Coupon Assistant (官方美团红包助手)

Security checks across malware telemetry and agentic risk

Overview

This skill appears to perform Meituan coupon tasks, but it also handles account tokens, persistent automation, and background update code in ways users should review carefully before installing.

Install only if you trust this publisher and are comfortable granting Meituan login-token handling, local/shared credential storage, optional cross-session token memory, a background Node signing/update component, and daily scheduled account actions. Prefer the --auto flow, avoid agent-memory token storage unless you explicitly want it, review or disable cron jobs, and clear both login and device tokens when you stop using the skill.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • Behavioral AST: exec() Call, eval() Call, Dynamic Import
  • MCP Least Privilege: Underdeclared Capability, Wildcard Permission, Missing Permission Declaration
  • MCP Tool Poisoning: Hidden Instructions, Unicode Deception, Parameter Description Injection
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
Findings (110)

subprocess module call

Medium
Category
Dangerous Code Execution
Content
env.setdefault("SKILL_CACHE_WORKSPACE", _get_workspace())

    try:
        result = subprocess.run(cmd, capture_output=True, text=True, timeout=30, env=env)
        stdout = result.stdout.strip() if result.stdout else ""

        # raw_output mode: return the raw content directly
Confidence
70% confidence
Finding
result = subprocess.run(cmd, capture_output=True, text=True, timeout=30, env=env)

subprocess module call

Medium
Category
Dangerous Code Execution
Content
# By default, check whether the openclaw command exists
    try:
        result = subprocess.run(
            ["which", "openclaw"],
            capture_output=True,
            timeout=2
Confidence
70% confidence
Finding
result = subprocess.run( ["which", "openclaw"], capture_output=True, timeout=2 )

subprocess module call

Medium
Category
Dangerous Code Execution
Content
env.setdefault("SKILL_CACHE_WORKSPACE", _get_workspace())

    try:
        result = subprocess.run(cmd, capture_output=True, text=True, timeout=30, env=env)
        stdout = result.stdout.strip() if result.stdout else ""

        if raw_output:
Confidence
70% confidence
Finding
result = subprocess.run(cmd, capture_output=True, text=True, timeout=30, env=env)

subprocess module call

Medium
Category
Dangerous Code Execution
Content
if is_windows:
        DETACHED_PROCESS = 0x00000008
        CREATE_NEW_PROCESS_GROUP = 0x00000200
        subprocess.Popen(
            ['node', _CLIGUARD_WRAPPER_PATH, '--start'],
            stdout=subprocess.DEVNULL,
            stderr=subprocess.DEVNULL,
Confidence
70% confidence
Finding
subprocess.Popen( ['node', _CLIGUARD_WRAPPER_PATH, '--start'], stdout=subprocess.DEVNULL, stderr=subprocess.DEVNULL, stdin=subprocess.DEVNULL,

subprocess module call

Medium
Category
Dangerous Code Execution
Content
env=env,
        )
    else:
        subprocess.Popen(
            ['node', _CLIGUARD_WRAPPER_PATH, '--start'],
            stdout=subprocess.DEVNULL,
            stderr=subprocess.DEVNULL,
Confidence
70% confidence
Finding
subprocess.Popen( ['node', _CLIGUARD_WRAPPER_PATH, '--start'], stdout=subprocess.DEVNULL, stderr=subprocess.DEVNULL, stdin=subprocess.DEVNULL,

subprocess module call

Medium
Category
Dangerous Code Execution
Content
"const r=addCommonParams(" + json.dumps(url_str) + ");"
            "console.log(r.url)"
        )
        result = subprocess.check_output(['node', '-e', js_code], timeout=5, stderr=subprocess.PIPE)
        injected = result.decode('utf-8').strip()
        return injected if injected else url_str
    except Exception as e:
Confidence
70% confidence
Finding
result = subprocess.check_output(['node', '-e', js_code], timeout=5, stderr=subprocess.PIPE)

subprocess module call

Medium
Category
Dangerous Code Execution
Content
f"const {{signRequest}}=require({json.dumps(_CLIGUARD_PATH)});"
            f"console.log(JSON.stringify(signRequest({json.dumps(method.upper())},{json.dumps(url_str)},{json.dumps(body_hash)})))"
        )
        result = subprocess.check_output(
            ['node', '-e', js_code],
            timeout=5,
            stderr=subprocess.PIPE,
Confidence
70% confidence
Finding
result = subprocess.check_output( ['node', '-e', js_code], timeout=5, stderr=subprocess.PIPE, )

subprocess module call

Medium
Category
Dangerous Code Execution
Content
f"const {{signRequest}}=require({json.dumps(_CLIGUARD_PATH)});"
            f"console.log(JSON.stringify(signRequest({json.dumps(method.upper())},{json.dumps(url_str)},{json.dumps(body_hash)})))"
        )
        result = subprocess.check_output(
            ['node', '-e', js_code],
            timeout=5,
            stderr=subprocess.PIPE,
Confidence
70% confidence
Finding
result = subprocess.check_output( ['node', '-e', js_code], timeout=5, stderr=subprocess.PIPE, )

Lp3

Medium
Category
MCP Least Privilege
Confidence
70% confidence
Finding
Without declared permissions the skill's intent is opaque and cannot be validated.

Tp4

High
Category
MCP Tool Poisoning
Confidence
97% confidence
Finding
This is a mismatch because the code does more than the description states. The described functionality covers claiming coupons, querying claim history, and built-in authentication. However, the implementation also includes a substantial automatic scheduling feature for daily coupon claiming, including cron-state persistence and platform-specific scheduling instructions, which is not mentioned in the declared purpose. It also includes token restoration from agent memory, device-token clearing, generalized local/shared cache management, and version-check/update guidance. These are not merely internal implementation details of coupon claiming/querying; at least the cron automation is a user-facing capability outside the declared description. The core claimed functions are present, but hidden extra capabilities make the description incomplete.

Context-Inappropriate Capability

Medium
Confidence
92% confidence
Finding
The manifest describes an official coupon assistant with built-in account authentication, but this section adds a separate capability: instructing the host agent to write the user's authentication token into platform memory files or KV storage for reuse across sandboxes. That persistence into agent-level memory is not an obvious or necessary part of the stated coupon claiming/query purpose, and it broadens where sensitive credentials may reside.

Intent-Code Divergence

High
Confidence
95% confidence
Finding
Critical Rules state that sensitive data such as user_token may only be written to local files, and the data storage section says these files remain only on the user's device. However, the token-memory fallback explicitly tells the agent to write user_token into memory files or KV storage that may be platform-managed and cross-session, contradicting the earlier local-only storage claim.

Description-Behavior Mismatch

Medium
Confidence
94% confidence
Finding
The manifest describes an official Meituan coupon assistant focused on one-click coupon claiming, claim-history queries, and account authentication. This file requires the agent to offer and configure recurring automatic coupon claims after a successful claim, which is a materially broader behavior than the stated on-demand coupon and record-query scope.

Context-Inappropriate Capability

Medium
Confidence
92% confidence
Finding
The file directs the agent to create durable scheduled jobs via platform-specific mechanisms such as CronCreate, RemoteTrigger, and openclaw cron commands. Building persistent background automations across host platforms is not an obvious or declared requirement of a coupon-claiming/history-query skill, and introduces an orchestration capability beyond its stated business purpose.

Context-Inappropriate Capability

Low
Confidence
83% confidence
Finding
The file tells the agent to extract or obtain platform-specific identifiers such as chat_id, sender_id, or a manual UID in order to target scheduled jobs. Handling messaging-platform routing identifiers is not mentioned in the manifest and is not necessary for basic coupon claiming or claim-history lookup.

Description-Behavior Mismatch

Medium
Confidence
94% confidence
Finding
The manifest describes this skill as providing one-click coupon claiming, claim-history lookup, and built-in account authentication. In this file, the auth module also manages daily automatic coupon scheduling, detects execution platforms, and emits platform-specific cron/remote-trigger instructions to create recurring tasks, which is a materially broader behavior than the stated scope.

Context-Inappropriate Capability

Medium
Confidence
90% confidence
Finding
This file is documented as an embedded authentication module managing SMS login, user_token, and device_token, but it also probes host platform characteristics and constructs actionable scheduling commands such as openclaw cron add and RemoteTrigger/CronCreate configs. Platform detection and recurring task orchestration are not justified by the module’s stated authentication purpose in its own documentation.

Context-Inappropriate Capability

Medium
Confidence
88% confidence
Finding
The manifest describes a coupon claiming and history query assistant, but this module allows behavior to be redirected via SKILL_CACHE_CLI_PATH and SKILL_CACHE_PYTHON, and also later uses those values to invoke a subprocess. Allowing environment-controlled executable/script selection is not an obvious or necessary part of claiming or querying Meituan coupons, and introduces a general code-execution capability unrelated to the stated user-facing purpose.

Context-Inappropriate Capability

Medium
Confidence
83% confidence
Finding
The documented purpose is coupon claiming and history-record queries, but _cli_call invokes an external Python process through subprocess.run. While persistence is reasonable, arbitrary subprocess launching is a much broader capability than the manifest suggests and is not justified in the description itself.

Description-Behavior Mismatch

Medium
Confidence
95% confidence
Finding
The manifest describes an official Meituan coupon assistant focused on claiming coupons, querying coupon claim history, and handling Meituan account authentication. This file instead implements a reusable workspace-wide cache manager and CLI for arbitrary read/write/delete/list operations, JSON mutation, line editing, cache cleaning, and workspace discovery, which is substantially broader than the stated coupon-assistant purpose.

Context-Inappropriate Capability

High
Confidence
94% confidence
Finding
The shared_read/shared_write/shared_delete/shared_list APIs and corresponding CLI commands manage arbitrary files in a global .shared area across skills. A coupon assistant may reasonably persist its own authentication state, but arbitrary cross-skill shared file administration is a separate platform capability not justified by the manifest's user-facing purpose.

Context-Inappropriate Capability

High
Confidence
92% confidence
Finding
Most manager methods accept any skill_name and then perform CRUD, listing, JSON mutation, line editing, cleanup, and info collection under that skill's directory. For a manifest that only promises Meituan coupon receipt and coupon-history lookup, this is an unjustified capability to operate on other skills' local data rather than just this skill's own state.

Description-Behavior Mismatch

Medium
Confidence
94% confidence
Finding
The manifest describes an official Meituan coupon assistant focused on claiming coupons, checking redemption history, and account-authenticated use. This file auto-patches requests/httpx/urllib on import and starts a detached Node.js daemon at module load, affecting all outbound HTTP traffic in the process rather than only coupon-related operations.

Context-Inappropriate Capability

High
Confidence
91% confidence
Finding
The manifest does not mention self-updating code or loading alternate runtime logic from ~/.cliguard/cliguard-updates. The resolver explicitly prefers newer 'cloud-update' JavaScript modules and the wrapper is documented as handling update logic, which is a software-update capability unrelated to coupon claiming or record lookup.

Context-Inappropriate Capability

Medium
Confidence
88% confidence
Finding
The manifest presents a transactional assistant for coupon redemption and record queries, not a long-lived background service. This code launches a detached daemon process via subprocess.Popen during initialization, creating persistent execution beyond a single coupon operation.

VirusTotal

65/65 vendors flagged this skill as clean.

Static analysis

Detected: suspicious.secret_argv_exposure

Instructions pass high-value credentials through process argv.

Critical
Code
suspicious.secret_argv_exposure
Location
SKILL.md:244