Jd Link Converter

Security checks across malware telemetry and agentic risk

Overview

This skill does what it says: converts JD short or mobile product links into clean desktop JD product links, with limited and disclosed network use for short-link resolution.

Install if you want JD link cleanup and are comfortable with the skill contacting JD short-link hosts to resolve 3.cn or u.jd.com links. Avoid using it for sensitive/private links if outbound request metadata such as IP address, timing, and User-Agent matters in your environment.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Trigger Abuse: Overly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • MCP Least Privilege: Underdeclared Capability, Wildcard Permission, Missing Permission Declaration
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Privilege Escalation: Excessive Permissions, Sudo/Root Execution, Credential Access
Findings (3)

Lp3

Medium
Category
MCP Least Privilege
Confidence
86% confidence
Finding
The skill instructs the agent to perform HTTP resolution of user-supplied short links and even calls out using a custom mobile User-Agent, which indicates real network capability despite no declared permission. This creates a policy/control gap: the skill can trigger outbound requests to attacker-controlled or untrusted URLs, enabling SSRF-like access attempts, tracking, and unexpected data egress in environments that rely on declared permissions for sandboxing or review.

Vague Triggers

Medium
Confidence
87% confidence
Finding
The README describes automatic invocation whenever a user message contains JD links or broad phrases like link conversion, but it does not define boundaries, consent, or exclusions. In an agent setting, overly broad triggers can cause the skill to activate on incidental mentions and process untrusted links unexpectedly, increasing the chance of unintended network requests or data handling.

Missing User Warnings

Low
Confidence
78% confidence
Finding
The README explains that short links are resolved by following redirects but does not clearly disclose that submitted links will be fetched over the network. This can surprise users in privacy-sensitive environments, because submitting a link may disclose metadata such as IP, timing, and user agent to JD-controlled infrastructure or intermediaries.

VirusTotal

65/65 vendors flagged this skill as clean.
