Meituan Coupon Claiming Tool (美团优惠领取工具)

Security checks across malware telemetry and agentic risk

Overview

Review before installing: this coupon skill handles Meituan phone/SMS login, stores reusable account tokens, claims official status without corroborating publisher metadata, and can enable daily background coupon claiming.

Install only if you trust the publisher and are comfortable entering a Meituan phone/SMS login into this skill. Expect account tokens and a device identifier to remain on disk across sessions, and enable daily auto-claiming only if you want the skill to keep acting in the background until disabled.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • Trigger Abuse: Overly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • Behavioral AST: exec() Call, eval() Call, Dynamic Import
  • MCP Tool Poisoning: Hidden Instructions, Unicode Deception, Parameter Description Injection
Findings (16)

subprocess module call

Medium
Category
Dangerous Code Execution
Content
env.setdefault("SKILL_CACHE_WORKSPACE", _get_workspace())

    try:
        result = subprocess.run(cmd, capture_output=True, text=True, timeout=30, env=env)
        stdout = result.stdout.strip() if result.stdout else ""

        if raw_output:
Confidence
88% confidence
Finding
result = subprocess.run(cmd, capture_output=True, text=True, timeout=30, env=env)

Description-Behavior Mismatch

Medium
Confidence
94% confidence
Finding
The document adds a persistent scheduled-execution feature that repeatedly performs coupon claiming and sends notifications, which is materially broader than the described core capabilities of one-time coupon claiming and history lookup. Expanding from user-invoked actions to ongoing autonomous actions increases risk because it enables repeated execution and background behavior that users may not fully anticipate after initial setup.

Context-Inappropriate Capability

Medium
Confidence
92% confidence
Finding
The rules instruct the agent to create and manage platform-level scheduled jobs through CronCreate, RemoteTrigger, and openclaw commands, which grants broader execution and persistence capabilities than are necessary for simple coupon issuance or record lookup. This increases attack surface because a compromised or misused skill can establish durable jobs across platforms and continue acting outside the immediate user interaction.

Description-Behavior Mismatch

Medium
Confidence
95% confidence
Finding
The scheduled flow states that at trigger time the system will automatically verify tokens and execute the coupon-issuing script without asking the user again. Even if intended for convenience, this is an autonomous privileged action using stored authentication state, and it can continue to operate after the user forgets it was enabled or after context changes.

Description-Behavior Mismatch

Medium
Confidence
87% confidence
Finding
The authentication module implements scheduling features that go beyond the stated login and token-management role, enabling persistent automated actions on behalf of the user. In a skill context, hidden or bundled automation increases the chance of unauthorized recurring actions and makes abuse harder for users to notice or control.

Context-Inappropriate Capability

Medium
Confidence
89% confidence
Finding
The code probes the host environment and constructs platform-specific scheduler commands, including outbound trigger definitions, despite being in an auth component. This broadens the skill's operational scope and could be leveraged to establish persistence or trigger actions in external platforms beyond the user's expectation for a coupon-login helper.

Description-Behavior Mismatch

Medium
Confidence
94% confidence
Finding
This file implements a generic local cache and workspace-management CLI with cross-skill storage semantics, which materially exceeds the stated purpose of a coupon-claiming/query skill. In this context, overbroad capabilities are dangerous because they create an unnecessary persistence and filesystem-management surface that could be abused by the skill or by other integrated components to store, discover, or manipulate data unrelated to coupon operations.

Context-Inappropriate Capability

High
Confidence
97% confidence
Finding
The shared_read/shared_write/shared_delete functionality allows arbitrary access to files in a cross-skill shared area, not just a fixed coupon-related artifact. In a multi-skill environment this breaks least privilege and enables unintended data exposure, tampering, or destruction of other skills' shared state, including potentially sensitive configuration or authentication material.

Context-Inappropriate Capability

High
Confidence
98% confidence
Finding
The CLI exposes broad read/write/delete/list and JSON/line-editing primitives over arbitrary files for arbitrary skill names and subdirectories. For a coupon assistant, this is an unjustified general-purpose file manipulation interface that can be used to inspect or alter private data, configs, logs, and caches across skills, substantially increasing the risk of data theft, persistence abuse, and sabotage.

Vague Triggers

High
Confidence
93% confidence
Finding
The trigger list is extremely broad and includes generic phrases like '领券', '红包', '优惠券', and '省钱' that can appear in ordinary conversation. Combined with the skill's ability to initiate login and coupon-claim flows, this increases the chance of unintended invocation and surprise execution of networked account-related actions.

Vague Triggers

High
Confidence
95% confidence
Finding
The intent-recognition rules instruct activation based on broad everyday language about savings, discounts, or future consumption, and even tell the agent to directly execute coupon claiming for 'explicit intent' without further confirmation. In context, this is more dangerous because the skill handles authentication state, local token storage, network calls, and scheduled automation, so misfires can lead to account-affecting actions rather than harmless suggestions.

Missing User Warnings

Medium
Confidence
89% confidence
Finding
This flow collects a phone number, sends SMS-based authentication, and explicitly states that agreement acceptance and authentication state are persisted locally in a token file, but this file does not clearly warn the user about local storage, retention, or device-sharing risks at the point of collection. In an authentication context, unclear handling of phone numbers and locally stored tokens can expose users to privacy harm or account misuse, especially on shared or unmanaged devices.

Missing User Warnings

Medium
Confidence
83% confidence
Finding
Although the prompt mentions 'daily automatic claiming' and 'no need to confirm again,' the warning and consent language are not sufficiently robust for an ongoing autonomous action that will continue in the background and notify the user later. For recurring behavior tied to authenticated actions, users should be clearly informed of persistence, frequency, notification behavior, and how to stop it before activation.

Natural-Language Policy Violations

Medium
Confidence
90% confidence
Finding
The rules hard-code Asia/Shanghai for all users regardless of their actual locale or preference, which can cause the automated action to run at unexpected times. While not directly enabling code execution or data theft, mismatched scheduling can lead to unintended autonomous activity, user confusion, and loss of control over when authenticated actions occur.

Missing User Warnings

Medium
Confidence
84% confidence
Finding
The module sends phone numbers and SMS verification codes to remote APIs, but this file does not present any explicit user-facing disclosure about what data is sent, to which service, or for what retention purpose. In an authentication flow, silent transmission of high-sensitivity identifiers and one-time codes creates privacy and trust risks even if the endpoint is legitimate.

Missing User Warnings

Medium
Confidence
82% confidence
Finding
Authentication data, including user_token, device_token, and phone metadata, is persisted to shared local storage without any explicit warning in this file that such data will remain on disk. Persistent token storage can expose users to account misuse or privacy loss if the local workspace is shared, backed up, or insufficiently protected.

VirusTotal

65/65 vendors flagged this skill as clean.
