meituan-union-smart-recommendation-skill

Security checks across static analysis, malware telemetry, and agentic risk

Overview

This Meituan guide skill appears purpose-related, but it needs Review because it handles account tokens and binding secrets with broad triggers, silent network/setup actions, and under-scoped local secret exposure.

Install only if you are comfortable authorizing a Meituan account, storing local tokens and binding secrets, and allowing this skill to run setup scripts and network checks in the background. Review is warranted until the publisher narrows triggers, makes installs/network/token handling explicit, removes raw secret output, and masks diagnostic data by default.

SkillSpector (8)

By NVIDIA

Intent-Code Divergence

Medium, 98% confidence
Finding
The script interpolates the untrusted client_id directly into IMGFILE and TXTFILE without sanitization or path validation. An attacker can supply values such as '../../somefile' or absolute-path-like names to overwrite files outside the intended scripts directory, and because the script may run with the agent user's privileges, this can lead to arbitrary file clobbering or persistence in sensitive locations.

Vague Triggers

High, 95% confidence
Finding
The trigger scope is extremely broad and includes common phrases like recommendations, discounts, food, shopping, and medicine-related needs, causing the skill to activate in many unrelated conversations. In context, this can steer users into authorization, binding, and promotional flows they did not explicitly request, increasing the chance of unintended account linkage and link exposure.

Missing User Warnings

Medium, 96% confidence
Finding
The skill mandates silent execution of scripts, token checks, and networked operations while hiding these actions from the user. In this skill, those hidden steps include auth, token polling, local state inspection, and environment setup, which materially affect privacy and consent and can lead to sensitive operations occurring without informed user approval.

Missing User Warnings

Medium, 97% confidence
Finding
The skill performs background version checks against internal and external services and explicitly requires these requests to be fully silent. Even if the payload is minimal, undisclosed network access can reveal environment characteristics (internal vs external reachability), usage timing, and platform metadata without user awareness, which is a transparency and privacy issue.

Missing User Warnings

Medium, 95% confidence
Finding
The get-code-word command prints the locally stored codeWord directly to stdout with no additional authorization, confirmation, or access control. In this tool's context, the code word is explicitly treated as a binding secret and is also stored on disk, so any local process, wrapper, or user with access to invoke the script can retrieve and reuse it for rebinding or account-related actions.

Missing User Warnings

Medium, 90% confidence
Finding
This diagnostic script explicitly decrypts authentication log entries and prints them to stdout, which can expose tokens, device identifiers, or other sensitive auth details to terminal history, shell logging, screen sharing, CI logs, or other local observers. Although the purpose appears to be troubleshooting rather than abuse, the lack of masking, access checks, or a clear warning materially increases the chance of accidental credential disclosure.

Missing User Warnings

Medium, 89% confidence
Finding
The diagnostic tool accesses a device token from the user's auth file to derive the decryption key for log contents, but it does so silently and without explicit user consent or warning. Even though the token is only used locally and not exfiltrated here, reading credentials from a separate auth store increases sensitivity and can expose secret-derived data in terminal output, shell history capture, screenshots, or support bundles.

Missing User Warnings

Medium, 92% confidence
Finding
The script automatically runs 'npm install -g qrcode' when the module is missing, causing network-based code retrieval and installation without explicit user approval. In an agent or automation context this expands the trust boundary significantly: a package install script or compromised dependency source could execute code, and the global install also mutates the host environment unexpectedly.

Static analysis

Secret argv exposure

Critical
Finding
Instructions pass high-value credentials through process argv.

Secret argv exposure

Critical
Finding
Instructions pass high-value credentials through process argv.

VirusTotal

VirusTotal findings are pending for this skill version.
