meituan-union-coupon-skill

Security checks across static analysis, malware telemetry, and agentic risk

Overview

This coupon skill needs Review because it handles phone/SMS login and stored account tokens while disabling HTTPS checks in key auth calls and adding diagnostics, updates, and reminders beyond the simple coupon pitch.

Review carefully before installing. This skill may ask for your Meituan phone number and SMS code, store login tokens and a device identifier locally, contact Meituan endpoints, keep local diagnostic logs, and create recurring reminders. Avoid using it until HTTPS certificate verification is fixed and raw-token diagnostics are removed or tightly gated; only use it if you trust the publisher and understand how to clear both login and device state.

SkillSpector (20)

By NVIDIA

Lp3

Medium

Category: MCP Least Privilege
Confidence: 96% confidence
Finding: The skill invokes shell commands, reads and writes local files, accesses environment variables, and makes network requests, yet no permissions are declared to signal those capabilities. This undermines informed consent and review because users and platforms cannot easily assess that the skill handles authentication state, local tokens, scheduled reminders, and remote endpoints.

Tp4

High

Category: MCP Tool Poisoning
Confidence: 98% confidence
Finding: The public description frames the skill as coupon retrieval and reminders, but the implementation also performs SMS-based account login, token validation, local credential storage, device-state management, and diagnostic handling of auth logs. That mismatch is dangerous because users may disclose phone numbers and verification codes without realizing the skill is acting as an authentication broker and persisting sensitive local state.

Description-Behavior Mismatch

Medium

Confidence: 94% confidence
Finding: The skill includes self-update discovery and can invoke external tooling to pull or update the skill from remote services, which goes beyond coupon and reminder functionality. Any skill that can change its own code path increases supply-chain risk, especially when updates are triggered from remote version checks and platform-specific command execution.

Context-Inappropriate Capability

Medium

Confidence: 89% confidence
Finding: Doctor mode instructs the agent to read and execute an external diagnostic playbook that is not described in the core skill purpose. Hidden or loosely scoped auxiliary execution paths are risky because they can expand behavior at runtime and may expose logs, auth traces, or other sensitive state without clear upfront disclosure.

Context-Inappropriate Capability

Medium

Confidence: 95% confidence
Finding: The diagnostic instructions explicitly read a raw user token from a local auth file and pass it on the command line, which unnecessarily expands access beyond the skill’s stated coupon/reminder purpose. Exposing or handling bearer tokens in plaintext increases the risk of credential theft through user-visible output, shell history, logs, screenshots, or downstream agent leakage.

Context-Inappropriate Capability

Medium

Confidence: 91% confidence
Finding: The diagnostic flow instructs the agent to display raw JSON responses, detailed auth logs, and server output directly to the user, which exceeds the narrow business purpose of coupon claiming/reminders. Such broad disclosure can reveal sensitive operational details, identifiers, backend behavior, and error contents that enable account misuse, probing, or privacy leakage.

Description-Behavior Mismatch

Medium

Confidence: 88% confidence
Finding: The file embeds a full SMS authentication and token-management subsystem, including persistent storage of user_token and device_token, which materially exceeds the manifest's stated coupon/reminder functionality. This creates undisclosed account-handling and tracking behavior, increasing privacy and abuse risk because users may not reasonably expect the skill to collect credentials and maintain long-lived identifiers.

Context-Inappropriate Capability

Medium

Confidence: 93% confidence
Finding: The code generates a persistent device identifier and explicitly preserves it across logout, enabling durable correlation of a user's activity and account state. For a coupon/reminder skill, this level of device tracking is not clearly necessary and increases privacy exposure if logs, tokens, or backend records are linked over time.

Description-Behavior Mismatch

Low

Confidence: 72% confidence
Finding: The module records authentication activity and masked account metadata to a local log file, but this behavior is not reflected in the manifest. Although the data is partially masked and sometimes obfuscated, it still creates an additional privacy surface and may expose account activity patterns or server responses to other local processes or future compromise.

Context-Inappropriate Capability

Medium

Confidence: 94% confidence
Finding: This script reads a local auth token file and decrypts authentication logs using a reversible XOR scheme derived from local secrets, exposing prior auth activity and potentially sensitive metadata such as masked phone numbers, status codes, and error details. In a coupon/promotion skill, this diagnostic capability is outside the stated business purpose and increases the risk of unauthorized local credential/log inspection if the skill or its tooling is abused.

Description-Behavior Mismatch

Medium

Confidence: 91% confidence
Finding: The file header explicitly documents functionality for reading and decrypting authentication operation logs, which materially exceeds the expected scope of a promotion/coupon skill. This scope mismatch is dangerous because it normalizes access to auth internals within a low-risk-looking skill, making sensitive local data access easier to hide and harder for users or reviewers to anticipate.

Context-Inappropriate Capability

Medium

Confidence: 86% confidence
Finding: The script reads a device token from the user's home directory and uses it as part of a custom XOR-based log obfuscation scheme for local execution logs. This exceeds the stated coupon-issuance purpose and creates unnecessary access to a sensitive local credential, while the weak custom encryption also obscures what is being stored rather than providing strong protection.

Description-Behavior Mismatch

Low

Confidence: 80% confidence
Finding: The script writes execution metadata and truncated server responses to a temp-directory log file, even though persistent local logging is not necessary for simply claiming coupons. Temp locations are often broadly accessible to local processes or users, and the logs may reveal usage patterns, activity identifiers, masked token prefixes, or backend response content.

Vague Triggers

High

Confidence: 97% confidence
Finding: The trigger list contains broad phrases like '福利', '羊毛', '优惠券', and '今日活动', which can match ordinary conversation and activate the skill unexpectedly. Because activation can lead into login, SMS sending, token checks, and recurring reminder setup, overbroad triggers materially increase the chance of unintended sensitive workflows being initiated.

Vague Triggers

High

Confidence: 96% confidence
Finding: The intent rules can trigger on general shopping, dining, or lifestyle conversation and even proactively upsell the coupon flow based on weak contextual signals. In this skill, that is risky because accidental routing can prompt for phone numbers, perform token verification, and steer users toward automated reminders without a clearly intentional request for account-linked actions.

Missing User Warnings

Medium

Confidence: 91% confidence
Finding: The skill can create recurring scheduled reminders/cron jobs, but the description does not prominently warn users that enabling reminders results in automated ongoing messages. Missing disclosure is dangerous because recurring automation changes the user's environment persistently and can be surprising or hard to attribute later.

Missing User Warnings

Medium

Confidence: 93% confidence
Finding: The steps require directly accessing and potentially exposing a user token but do not provide a clear, prior risk disclosure or meaningful consent flow for this sensitive action. Handling authentication material without explicit notice undermines user trust and increases the chance of inadvertent credential exposure or misuse.

Vague Triggers

Medium

Confidence: 86% confidence
Finding: The trigger list is very broad and includes generic phrases like '领券', '优惠券', '福利', and '今天有什么活动', which can easily appear in ordinary conversation. In a skill that can initiate coupon flows and prompt for phone number and SMS verification, overly broad activation increases the risk of unintended invocation, phishing-style social engineering, or confusing users into entering sensitive account data in the wrong context.

Missing User Warnings

Medium

Confidence: 99% confidence
Finding: The token verification request sends authentication data to a remote endpoint with TLS certificate verification explicitly disabled via verify=False. This allows a man-in-the-middle attacker on the network path to intercept or modify token validation traffic, potentially exposing tokens or spoofing server responses that alter local authentication state.

Missing User Warnings

Medium

Confidence: 98% confidence
Finding: The SMS login flow transmits the user's phone number and device identifier to a remote service while TLS verification is disabled. An attacker able to intercept traffic could capture phone numbers, tamper with responses, or redirect users into unsafe verification flows, making the undisclosed collection especially risky in a consumer coupon context.

Static analysis

Insecure tls verification

Warn

Finding: HTTPS certificate verification is disabled.

Secret argv exposure

Critical

Finding: Instructions pass high-value credentials through process argv.

Secret argv exposure

Critical

Finding: Instructions pass high-value credentials through process argv.

VirusTotal

VirusTotal findings are pending for this skill version.

View on VirusTotal