meituan-coupon-order-assistant

Security checks across static analysis, malware telemetry, and agentic risk

Overview

This skill matches a Meituan coupon and ordering assistant on the surface, but it also includes under-disclosed host modification, credential handling, environment fingerprinting, and a detached self-updating CLIGuard daemon.

Install only if you are comfortable giving this skill access to your Meituan login flow, location, coupon/account actions, and ordering capability. Review the hidden operational behavior carefully: it can modify the local environment, persist identifiers and location authorization, pass tokens via command arguments, and run an obfuscated CLIGuard component that self-updates in the background.

SkillSpector (80)

By NVIDIA

subprocess module call

Medium

Category: Dangerous Code Execution
Content: # 清除 pt-passport CLI 本地缓存的 Token cli_cleared = False try: result = subprocess.run( ["pt-passport", "logout", "--client_id", "578aafab312b44f1b76b0529b06bb0c6"], capture_output=True, text=True, timeout=10 )
Confidence: 70% confidence
Finding: result = subprocess.run( ["pt-passport", "logout", "--client_id", "578aafab312b44f1b76b0529b06bb0c6"], capture_output=True, text=True, timeout=10 )

subprocess module call

Medium

Category: Dangerous Code Execution
Content: # 同时清除 pt-passport CLI 缓存 try: subprocess.run( ["pt-passport", "logout", "--client_id", "578aafab312b44f1b76b0529b06bb0c6"], capture_output=True, text=True, timeout=10 )
Confidence: 70% confidence
Finding: subprocess.run( ["pt-passport", "logout", "--client_id", "578aafab312b44f1b76b0529b06bb0c6"], capture_output=True, text=True, timeout=10 )

Lp3

Medium

Category: MCP Least Privilege
Confidence: 70% confidence
Finding: Without declared permissions the skill's intent is opaque and cannot be validated.

Description-Behavior Mismatch

Medium

Confidence: 97% confidence
Finding: The top-level description in L003 centers on dining, restaurants, drinks, group-buy vouchers, and nearby food/drink discovery. However, L018 expands the intended usage to many non-food shopping categories, which materially broadens the skill's claimed purpose beyond the manifest's stated food-ordering/coupon-assistant role.

Description-Behavior Mismatch

Medium

Confidence: 98% confidence
Finding: The manifest and earlier usage text describe helping with restaurants, beverages, supermarket goods, and other shopping scenarios, and imply direct ordering in-chat. But L160-L170 explicitly limits supported ordering/search to '到店餐饮' and excludes other major scenarios by redirecting users elsewhere, creating a clear description-versus-actual-behavior mismatch.

Description-Behavior Mismatch

Low

Confidence: 92% confidence
Finding: The manifest describes a Meituan discount ordering assistant centered on dining, beverages, nearby food discovery, coupon claiming, and direct ordering. This document, however, states the service covers additional business lines such as 闪购、丽人运动休闲、医药, which materially broadens the represented capability beyond the manifest’s stated scope.

Description-Behavior Mismatch

Low

Confidence: 84% confidence
Finding: The manifest says the skill can claim coupons, recommend promotional venues, search products, and place orders in-chat. This file additionally says users can set push reminders to receive daily promotional notifications, which is a distinct ongoing messaging capability not clearly declared in the manifest.

Context-Inappropriate Capability

Medium

Confidence: 83% confidence
Finding: The manifest describes a conversational assistant for searching deals, claiming coupons, and placing Meituan orders. In this file, logout delegates to an external `pt-passport` executable via `subprocess.run`, which is a broader host-execution capability than the manifest suggests and is not mentioned in the stated scope.

Context-Inappropriate Capability

Medium

Confidence: 83% confidence
Finding: The manifest focuses on coupon claiming, product search, recommendations, and ordering in-dialog. `cmd_clear_device_token` not only clears local device state but also invokes an external `pt-passport` logout subprocess, adding host-level command execution unrelated to the manifest's explicit user-facing purpose.

Context-Inappropriate Capability

Medium

Confidence: 91% confidence
Finding: The manifest describes a consumer-facing Meituan assistant for finding deals, claiming coupons, and placing orders in-chat. In addition to those business actions, the code performs environment bootstrapping and package installation, including global installation of pt-passport and local installation of qrcode, which is an operational capability outside the stated assistant purpose.

Context-Inappropriate Capability

Medium

Confidence: 90% confidence
Finding: Generating a QR code for authentication can be consistent with login flow, but this implementation goes further by altering the host environment to fetch and install the qrcode package, even falling back to global installation. That host-modifying capability is not justified by the manifest's description of an ordering and coupon assistant.

Description-Behavior Mismatch

High

Confidence: 96% confidence
Finding: The manifest describes an in-conversation Meituan shopping and coupon assistant, but this file is an obfuscated CLI guard wrapper that periodically checks a remote update URL, downloads signed files, writes them into an update directory, and restarts itself as a detached daemon. Auto-updating executable code and process management are not an obvious implementation detail of helping users find restaurants, claim coupons, or place orders.

Context-Inappropriate Capability

High

Confidence: 95% confidence
Finding: The file imports child_process and uses spawn to relaunch itself in detached mode, writes PID/lock files, checks/kills processes, and runs a periodic worker loop. A consumer-facing ordering assistant does not inherently need hidden long-lived background process control to fulfill its described task.

Context-Inappropriate Capability

High

Confidence: 94% confidence
Finding: The wrapper fetches version metadata from a remote update URL over HTTP(S), verifies signatures, downloads file payloads, and installs them locally. While network access may be expected for restaurant search or ordering, a generic code-update channel for the wrapper itself is a separate capability not justified by the manifest’s user-facing purpose.

Context-Inappropriate Capability

High

Confidence: 96% confidence
Finding: The file gathers extensive system characteristics such as OS details, hostname, timezone, locale, directory counts, install times, and computes persistent identifiers via functions like getFingerprint/getId. A manifest describing a 美团优惠下单助手 justifies search/order/coupon flows, but not covert environment fingerprinting of the runtime host.

Context-Inappropriate Capability

High

Confidence: 94% confidence
Finding: The module imports child_process.execSync and uses it to run platform-specific commands for host interrogation, such as reading OS metadata and filesystem timestamps. Spawning shell commands to probe the machine exceeds what is obviously necessary for helping users find deals, claim coupons, display products, or place orders.

Description-Behavior Mismatch

Medium

Confidence: 88% confidence
Finding: This file is dominated by obfuscated request-signing, fingerprint generation, persistent ID management, and environment interrogation code, not user-facing restaurant/product discovery or ordering behavior. While request signing can sometimes be an implementation detail, the breadth of anti-analysis and device-identification logic materially exceeds the manifest’s plain description of an in-conversation shopping assistant.

Vague Triggers

High

Confidence: 98% confidence
Finding: L018 将“想吃饭”“找餐厅”“帮我订餐”“手机”“水果”等大量泛化词汇都定义为触发场景，还明确说明对“随便吃点什么”“帮我领个券”等模糊表达也会触发。这些短语与普通对话高度重叠，且缺少明确的边界或排除条件，容易在非目标场景下意外调用该技能。

Vague Triggers

High

Confidence: 95% confidence
Finding: L003 的 description 使用“当你想吃饭、找餐厅、买团购券……只需告诉我想吃什么喝什么或在哪附近找”这类广泛自然语言来定义调用范围，并涵盖“薅羊毛”“美团省钱”等常见口语表达。该描述没有说明触发边界、上下文限制或排除条件，属于容易与日常表达冲突的宽泛触发描述。

Missing User Warnings

Medium

Confidence: 89% confidence
Finding: L150 说明在搜索前会“自动领券”，而全文还包含本地写入 `.state.json`、长期记忆写入位置授权、以及后续下单流程等高影响行为，但开头用途说明未集中向用户明确告知这些自动操作及其持久化影响。对于会影响账户状态、隐私偏好和本地状态的行为，技能描述应有更清晰的前置警示。

Natural-Language Policy Violations

Medium

Confidence: 87% confidence
Finding: L024-L029 明确要求“全程用自然、友好的口语和用户沟通”，并给出固定中文话术示例，整体文档未提供用户语言偏好选择或多语言选项。这会造成默认强制使用特定语言/locale 的行为，不符合应允许用户选择语言的自然语言政策要求。

Natural-Language Policy Violations

Medium

Confidence: 81% confidence
Finding: The text instructs users to use the service only on '安全的 AI 智能体平台应用中使用中国大陆已备案的安全大模型', which imposes a specific locale/regulatory constraint in natural language. Because this file does not offer user opt-in or clearly explain that the skill is strictly region-specific for compliance reasons, it may violate the language/locale policy criteria.

Natural-Language Policy Violations

Low

Confidence: 92% confidence
Finding: This Python file contains natural-language documentation and CLI help text exclusively in Chinese, including usage instructions and operational descriptions. Under the stated policy, forcing a specific language without user opt-in is a natural-language policy violation unless the locale restriction is explicitly documented and justified, which is not present here.

Missing User Warnings

Medium

Confidence: 92% confidence
Finding: This Python code transmits the user-provided address to an external service via a POST request. While the CLI argument indicates the script accepts an address, there is no explicit user-facing warning, confirmation, or privacy disclosure in the code that this potentially sensitive location data will be sent to a remote Meituan endpoint.

Natural-Language Policy Violations

Low

Confidence: 81% confidence
Finding: The natural-language documentation and command help are written only in Chinese, which can impose a specific language on users without opt-in. The file does not provide an alternative language or indicate that the locale restriction is intentional and justified.

Static analysis

Dangerous exec

Critical

Finding: Shell command execution detected (child_process).

Secret argv exposure

Critical

Finding: Instructions pass high-value credentials through process argv.

VirusTotal

VirusTotal findings are pending for this skill version.

View on VirusTotal