МойСклад
Pass
Audited by VirusTotal on May 10, 2026.
Overview
Type: OpenClaw Skill
Name: moysklad
Version: 1.0.1
The skill contains a high-risk credential forwarding vulnerability in `scripts/moysklad.mjs`. The `api` function prepends the `Authorization` header (containing sensitive MoySklad tokens or passwords) to any URL provided in the `path` argument if it starts with 'http', without validating that the destination is the official `api.moysklad.ru` domain. This allows an attacker to exfiltrate credentials by tricking the AI agent into making a request to an external malicious endpoint. While the bundle appears to be a legitimate tool for MoySklad ERP management, this architectural flaw poses a significant security risk.
Findings (0)
Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.
Your MoySklad account token or login/password could be exposed to an arbitrary website if the raw API command is invoked with a full external URL.
The direct API helper accepts absolute http/https URLs and still attaches the MoySklad Authorization header, so a mistaken or manipulated call could disclose the token or Basic Auth credentials to a non-MoySklad server.
const url = path.startsWith("http") ? path : `${BASE_URL}${path}`; ... headers: { Authorization: getAuthHeader(), ... }
Restrict requests to relative paths under https://api.moysklad.ru/api/remap/1.2 or validate that absolute URLs have the exact expected scheme and host before sending Authorization.
An incorrect or prompt-driven invocation could create, update, or delete ERP records such as products, counterparties, orders, invoices, or webhooks.
The raw `api` command forwards arbitrary HTTP methods, paths, and JSON bodies using the user's ERP credentials, which bypasses the safer scoped commands.
const [method, path, bodyStr] = positional; ... const result = await api(method.toUpperCase(), path, body);
Add explicit confirmation for POST/PUT/DELETE, restrict allowed endpoints and methods, and prefer scoped commands over a general raw API escape hatch.
A user may not realize from the registry metadata that the skill needs ERP credentials with potentially broad account authority.
The registry metadata under-declares the credential requirement even though SKILL.md instructs users to set MOYSKLAD_TOKEN or MOYSKLAD_LOGIN/MOYSKLAD_PASSWORD.
Required env vars: none; Env var declarations: none; Primary credential: none
Declare the required credential and environment variables in the registry metadata and recommend least-privilege/read-only tokens where possible.
