服务分发购物SKILL

Security checks across malware telemetry and agentic risk

Overview

This shopping skill is purpose-aligned but needs Review because it can use stored payment credentials and scheduled tasks to buy later with broad triggers and weak safeguards.

Install only if you are comfortable with a skill that may store payment-capable tokens and a delivery address in local config and can create future purchase tasks. Before use, narrow the trigger, remove or replace the bundled address, avoid reusable payment tokens where possible, validate session IDs, and require explicit review of item, price, address, and timing before every purchase.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • Trigger Abuse: Overly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Privilege Escalation: Excessive Permissions, Sudo/Root Execution, Credential Access
Findings (7)

Context-Inappropriate Capability

Severity: Medium | Confidence: 98%
Finding:
The code uses the untrusted --sessionId argument directly to construct the output path (`${options.sessionId}.json`) and writes to it with `fs.writeFileSync`. An attacker can supply path traversal values such as `../../somefile` to overwrite files accessible to the process, which is unrelated to the shopping skill's stated purpose and increases risk in any environment where the CLI runs with meaningful filesystem access.

Vague Triggers

Severity: High | Confidence: 97%
Finding:
The documented trigger condition activates on any message containing the single character "买", which is overly broad for a high-risk commerce skill. In context, this can cause the shopping workflow to start on casual conversation or ambiguous requests, increasing the chance of unintended product search, selection flow, or downstream purchase actions, especially when paired with stateful automation and scheduled buying.

Missing User Warnings

Severity: High | Confidence: 94%
Finding:
The README promotes immediate purchasing and scheduled automatic purchasing but does not prominently warn about sensitive data use, payment authorization, delivery address exposure, or the irreversible nature of transactions. This is dangerous in this skill context because it handles real purchases, stores auth/payment material in configuration, and supports unattended execution, all of which raise the risk of unauthorized charges, privacy leakage, and user harm if the workflow is misunderstood or misused.

Vague Triggers

Severity: High | Confidence: 97%
Finding:
The trigger activates on any conversation containing the character "买", which is far too broad for a skill that can search products, store purchase context, and ultimately place orders. In this shopping context, accidental activation could cause the agent to interpret ordinary conversation as purchase intent and start a transactional workflow without sufficiently explicit user consent.

Vague Triggers

Severity: High | Confidence: 94%
Finding:
The manifest trigger phrases are ambiguous and broad, including generic wording like "帮我买", which can match many normal conversational requests without establishing informed consent for a purchase-capable skill. Because this skill can schedule future purchases and use stored payment tokens, vague activation language materially increases the risk of unintended execution.

Missing User Warnings

Severity: High | Confidence: 96%
Finding:
The skill describes storing a payment token and delivery address but does not provide a clear warning, consent flow, retention policy, or safeguards for sensitive data handling. In a purchase skill, silent storage of payment credentials and address information creates significant privacy and financial risk if mishandled, reused unexpectedly, or exposed through logs or local files.

Missing User Warnings

Severity: High | Confidence: 95%
Finding:
The unattended purchase flow allows a scheduled task to execute a future payment automatically, yet the skill provides no clear safety warning, reconfirmation requirement, or constraints around delayed execution. In this context, that is especially dangerous because users may forget about the task, circumstances may change, or a malicious or mistaken trigger could result in an irreversible purchase later.

VirusTotal

65/65 vendors flagged this skill as clean.