Meituan Physical Automation

Security checks across malware telemetry and agentic risk

Overview

This skill is a disclosed Meituan phone-automation tool, but it exposes broad unauthenticated Android control and sensitive screen/address access beyond a tightly scoped food-ordering workflow.

Review this carefully before installing. Only use it on a trusted machine and Android device, supervise every run, avoid exposing the HTTP server to any network, and disable USB debugging or stop the service afterward. Consider removing Frida/frida-tools, pinning dependencies, binding the server to localhost with authentication, and requiring explicit confirmation before screen reading, address access, dialog approval, cart changes, or checkout navigation.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Supply Chain: Unpinned Dependencies, External Script Fetching, Obfuscated Code
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • Trigger Abuse: Overly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
Findings (26)

subprocess module call

Medium
Category
Dangerous Code Execution
Content
import subprocess

def _get_focus() -> str:
    """Return the mCurrentFocus string of the current foreground Activity."""
    try:
        # Runs through a shell (shell=True) so the adb output can be piped to grep/tail.
        return subprocess.check_output(
            "adb shell dumpsys window | grep mCurrentFocus | tail -1",
            shell=True, text=True, stderr=subprocess.DEVNULL
        )
    except subprocess.CalledProcessError:
        # adb not reachable or no matching line: report no focus rather than raise
        return ""
Confidence
97% confidence
Finding
return subprocess.check_output( "adb shell dumpsys window | grep mCurrentFocus | tail -1", shell=True, text=True, stderr=subprocess.DEVNULL )

Lp3

Medium
Category
MCP Least Privilege
Confidence
92% confidence
Finding
The skill exposes powerful capabilities including shell execution, network access, and file read/write but does not declare permissions or present clear guardrails. In a skill that also instructs an AI to run commands against a connected Android device, this creates hidden authority and prevents meaningful user consent or policy enforcement.

Tp4

High
Category
MCP Tool Poisoning
Confidence
95% confidence
Finding
The documented purpose says the skill orders food up to checkout, but the described behavior includes generic device-control primitives such as arbitrary taps, coordinate clicks, text entry, UI dumping, swipes, app launching, and screen-state manipulation. Those primitives materially broaden the skill from a narrow Meituan workflow into a general Android automation tool that could interact with unrelated apps or sensitive on-screen data.

Description-Behavior Mismatch

Medium
Confidence
96% confidence
Finding
The skill markets itself as Meituan-specific, but it also exposes generic device actions such as Home, Back, text input, swiping, and arbitrary tapping that can control other apps or the phone UI outside Meituan. That expands the trust boundary from task-scoped food-order automation to general-purpose device control, enabling misuse if an agent or remote caller issues unexpected commands.

Context-Inappropriate Capability

High
Confidence
99% confidence
Finding
The HTTP server binds to 0.0.0.0 and exposes unauthenticated endpoints for launching apps, navigating the device, reading screen contents, typing text, tapping coordinates, and reaching checkout. Any host with network access to the service can remotely control the phone and potentially access sensitive on-screen information or drive unintended actions beyond the claimed use case.

Context-Inappropriate Capability

Medium
Confidence
94% confidence
Finding
The /tap_xy capability allows arbitrary coordinate clicks, which is effectively generic remote UI control rather than Meituan-specific ordering automation. With screen inspection and navigation endpoints, this can be chained to interact with permissions dialogs, other apps, or sensitive device flows unrelated to food ordering.

Context-Inappropriate Capability

Low
Confidence
84% confidence
Finding
Home-button control is not necessary for the stated checkout workflow and broadens the capability from app automation to device navigation. On its own the impact is limited, but in combination with the other generic controls it helps escape the Meituan app and interact with unrelated device state.

Description-Behavior Mismatch

Medium
Confidence
97% confidence
Finding
The skill modifies global and system-wide Android settings to keep the screen awake, which exceeds app-scoped interaction and changes device behavior beyond the user's immediate task. This can degrade device security posture, battery/privacy expectations, and persist after the automation ends if not restored.

Context-Inappropriate Capability

Low
Confidence
82% confidence
Finding
Forcibly stopping and cold-starting the Meituan app gives the skill stronger lifecycle control than simple UI automation requires. In context this is not inherently malicious, but it can disrupt active user sessions, bypass expected app state, and broaden the automation's operational authority.

Description-Behavior Mismatch

Medium
Confidence
96% confidence
Finding
The skill reads and returns delivery address, recipient name, and phone number, which are sensitive personal data not needed for merely navigating to checkout as described in the skill metadata. In an agent setting, exposing this data to the calling model or logs can create unnecessary privacy leakage and expands the skill's effective data-access scope.

Description-Behavior Mismatch

Low
Confidence
89% confidence
Finding
The code persists restaurant search results to /tmp/meituan_last_results.json across calls, creating local retention of user activity that is not described in the manifest. While the data is less sensitive than credentials, it still records user preferences and behavior and may be exposed to other local users/processes depending on environment configuration.

Context-Inappropriate Capability

Low
Confidence
87% confidence
Finding
Persisting search and restaurant data to local disk is not clearly required to perform real-time phone interaction and broadens data exposure beyond the active session. In shared or multi-tenant environments, temporary files may be readable by other processes or remain after the session ends.

Context-Inappropriate Capability

Medium
Confidence
91% confidence
Finding
The declared purpose is ordinary Android UI automation, but Frida and frida-tools are dynamic instrumentation frameworks commonly used for process hooking, runtime inspection, and bypass-oriented mobile tampering. That mismatch materially expands the capability of the skill beyond benign tapping/swiping and makes the package set risky in this context, especially on a real phone interacting with a consumer app.

Vague Triggers

Medium
Confidence
83% confidence
Finding
The invocation language encourages broad use by saying the AI can autonomously handle ordering from a simple natural-language request, without strong scope checks or confirmation boundaries. That increases the chance the skill is triggered from ambiguous requests and begins controlling a real device when the user did not intend to authorize physical automation.

Vague Triggers

Medium
Confidence
87% confidence
Finding
The setup text implies that once installed, the AI can 'take over from here' whenever the user asks for food, but it does not define clear operational boundaries, consent renewal, or stop conditions beyond payment. In the context of real-device control, that makes accidental or overbroad activation more dangerous because the agent may manipulate apps and on-screen information autonomously.

Missing User Warnings

Medium
Confidence
90% confidence
Finding
The API explicitly exposes delivery address information, which is sensitive personal data, without authentication, consent prompts, masking, or any warning in the interface. Combined with network accessibility, this creates a straightforward privacy leak to any caller that can reach the service.

Missing User Warnings

High
Confidence
99% confidence
Finding
The dialog handler automatically clicks through prompts including 'Allow', '同意', and similar consent text without user confirmation. In a real-device automation context, this can silently grant permissions, accept legal terms, or dismiss security warnings, creating a direct path to unauthorized access or unsafe state changes.

Missing User Warnings

Medium
Confidence
86% confidence
Finding
The function broadcasts arbitrary text to the device's ADB keyboard channel without any user-facing notice or sensitivity checks. In this skill context, that could transmit search terms, addresses, names, or other personal data to a privileged input mechanism and makes unintended data entry easier.

Missing User Warnings

Medium
Confidence
93% confidence
Finding
The function extracts and returns sensitive delivery address and phone information without any visible consent prompt, notice, or minimization in this file. In agent workflows, that can silently surface personal data to upstream systems, logs, or users who only expected checkout navigation.

Ssd 1

Medium
Confidence
98% confidence
Finding
The subagent block explicitly attempts to override normal model behavior and force immediate terminal execution, including package installation, device initialization, ADB inspection, and app launching. This is a classic prompt-injection pattern that tries to convert descriptive content into executable instructions, bypassing safety review and user consent in a real-world environment.

Unpinned Dependencies

Low
Category
Supply Chain
Content
frida>=16.0.0
frida-tools>=12.0.0
typer[all]>=0.9.0
rich>=13.0.0
Confidence
88% confidence
Finding
frida>=16.0.0

Unpinned Dependencies

Low
Category
Supply Chain
Content
frida>=16.0.0
frida-tools>=12.0.0
typer[all]>=0.9.0
rich>=13.0.0
mcp[cli]>=1.0.0
Confidence
88% confidence
Finding
frida-tools>=12.0.0

Unpinned Dependencies

Low
Category
Supply Chain
Content
frida>=16.0.0
frida-tools>=12.0.0
typer[all]>=0.9.0
rich>=13.0.0
mcp[cli]>=1.0.0
pydantic>=2.0.0
Confidence
71% confidence
Finding
rich>=13.0.0

Unpinned Dependencies

Low
Category
Supply Chain
Content
typer[all]>=0.9.0
rich>=13.0.0
mcp[cli]>=1.0.0
pydantic>=2.0.0
Confidence
82% confidence
Finding
pydantic>=2.0.0

Known Vulnerable Dependency: mcp — 3 advisory(ies): CVE-2025-53366 (MCP Python SDK vulnerability in the FastMCP Server causes validation error, lead); CVE-2025-66416 (Model Context Protocol (MCP) Python SDK does not enable DNS rebinding protection); CVE-2025-53365 (MCP Python SDK has Unhandled Exception in Streamable HTTP Transport, Leading to )

High
Category
Supply Chain
Confidence
95% confidence
Finding
mcp

VirusTotal

65/65 vendors flagged this skill as clean.
