kuaishou-lifeservice-business-assistant

Security checks across malware telemetry and agentic risk

Overview

The skill appears to be a real Kuaishou merchant assistant, but it handles merchant secrets and broad business data with weak scoping and plaintext local persistence.

Install only if you trust the publisher and intend to give the skill access to real Kuaishou merchant data. Avoid pasting app_secret into chat, restrict or delete ./.kuaishou-localife-token/ after use, rotate credentials if exposed, and expect some prompts to retrieve and display broader merchant reports than the specific question requested.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Privilege Escalation: Excessive Permissions, Sudo/Root Execution, Credential Access
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • Trigger Abuse: Overly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
Findings (21)

Lp3

Medium
Category
MCP Least Privilege
Confidence
84% confidence
Finding
The manifest declares no permissions, yet the documentation clearly indicates local file access for credential persistence and network access for API calls. This creates a transparency and trust problem: users and platforms cannot accurately assess what sensitive operations the skill performs before use.

Tp4

High
Category
MCP Tool Poisoning
Confidence
87% confidence
Finding
The stated purpose is a merchant query assistant, but the skill also manages credentials, persists secrets locally, obtains tokens, and generates reports beyond the narrow description. This mismatch can mislead users into providing sensitive data without understanding the full behavior, increasing the risk of secret exposure and overbroad trust.

Description-Behavior Mismatch

Medium
Confidence
85% confidence
Finding
A query-oriented skill is also documented as adding, listing, selecting, and storing merchant credentials locally. Even if intended for convenience, secret management is a materially different and higher-risk function than simple data retrieval, and it expands the attack surface if the local environment is compromised.

Context-Inappropriate Capability

Medium
Confidence
82% confidence
Finding
Local credential storage and account-profile management are not clearly justified by the manifest's merchant-query purpose. Unnecessary secret persistence increases the likelihood of accidental disclosure, leakage through logs or backups, and misuse across multiple merchant accounts.

Missing User Warnings

High
Confidence
95% confidence
Finding
The documentation asks users to send a full credential string containing app_key, merchant_id, and app_secret directly to the assistant, without any warning that these are sensitive secrets. This is dangerous because secrets may be exposed in chat history, logs, telemetry, screenshots, or other intermediaries, enabling unauthorized API access.

Missing User Warnings

Medium
Confidence
90% confidence
Finding
The skill says account information will be automatically saved for future use, but does not warn that this includes sensitive secret material and local persistence risk. Users may unknowingly store credentials in plaintext or insecure locations, exposing them to other users, malware, backups, or support tooling.

Missing User Warnings

High
Confidence
97% confidence
Finding
The documentation explicitly places the access token in URL query parameters, which commonly leak via browser history, proxy logs, server logs, analytics, Referer headers, and shared screenshots. Even in an API reference, normalizing this pattern can cause downstream implementations to mishandle bearer credentials and expose merchant account access.

Vague Triggers

Medium
Confidence
88% confidence
Finding
The trigger phrases are broad business terms such as '经营数据' (business data), 'GMV', and '经营表现' (business performance), which can overlap with ordinary conversation and cause the skill to activate unintentionally. In this skill's context, accidental activation is meaningful because it can trigger retrieval and presentation of merchant operational data the user did not clearly request.

Missing User Warnings

Medium
Confidence
91% confidence
Finding
The document says the skill queries merchant diagnostic data and generates full reports, but it does not foreground that these reports may contain sensitive operational and user-related metrics. In a merchant-assistant context, omission of sensitivity and handling guidance increases the chance that confidential business information is exposed to unintended recipients or surfaced in overly broad contexts.

Missing User Warnings

Medium
Confidence
97% confidence
Finding
The instructions repeatedly require complete display of all API-returned fields with no omission, which directly conflicts with data minimization and privacy principles. In this skill, that policy can force disclosure of sensitive merchant metrics or unexpected backend fields even when the user only needs a subset, expanding exposure beyond necessity.

Missing User Warnings

Medium
Confidence
95% confidence
Finding
The code stores full API credentials, including app_secret, in a predictable local plaintext file under ./.kuaishou-localife-token/api_keys.txt with no permission hardening, encryption, or user warning. Any local user, malware, backup process, or accidental repository inclusion could expose these long-lived secrets and enable unauthorized access to merchant APIs.

Missing User Warnings

Medium
Confidence
97% confidence
Finding
The current-context selection writes the complete selected credential, including app_secret, into another plaintext file and later exposes it through --current and --get-config. This duplicates sensitive material, broadens the attack surface, and increases the chance of disclosure via logs, shell history, process output capture, or local file compromise.

Missing User Warnings

Medium
Confidence
92% confidence
Finding
The script writes the access token to a predictable local file path without setting restrictive permissions or warning the user that bearer credentials are being persisted on disk. In a multi-user environment, shared workspace, or compromised host, another local process or user could read the token and reuse it to access merchant APIs.

Ssd 3

High
Confidence
97% confidence
Finding
Directly instructing users to send full credential strings including app_secret to the assistant is a strong secret-handling anti-pattern. In this context, the skill is a merchant operations assistant dealing with account access, so exposure of these credentials could let an attacker query merchant data, obtain tokens, or act across authorized merchant environments.

Ssd 3

Medium
Confidence
93% confidence
Finding
The documented account format embeds a secret and states it will be automatically saved for reuse, which normalizes persistent storage of sensitive credentials without visible safeguards. In a merchant-management context, this increases the blast radius of host compromise and accidental disclosure because one stored profile may unlock access to business data and operations.

Ssd 3

Medium
Confidence
98% confidence
Finding
The explicit instruction to always include all raw API-returned data encourages over-disclosure by design. This is dangerous because backend responses can contain sensitive business metrics, identifiers, warning metadata, or future-added fields that were never intended for end-user display, turning the report into a disclosure channel.

Ssd 3

Medium
Confidence
97% confidence
Finding
Forcing return of all six modules even when the user asks for one broadens the disclosure scope beyond user need. In a merchant analytics skill, this can expose unrelated operational data such as traffic, live, or user metrics that the requester did not ask for and may not be authorized to receive.

Ssd 3

Medium
Confidence
98% confidence
Finding
The repeated mandate to fully display every API-returned field creates a standing natural-language policy of over-disclosure. Repetition across the document increases the chance implementers will preserve raw outputs verbatim, including sensitive or newly introduced fields, making the skill brittle and privacy-unfriendly.

Ssd 3

Medium
Confidence
95% confidence
Finding
The example JSON output emits full raw response objects under a 'json' field, normalizing direct exposure of backend payloads to downstream consumers. This is risky because raw responses may include internal metadata, error details, or additional fields that should remain internal, and examples often become implementation templates.

External Transmission

Medium
Category
Data Exfiltration
Content
**Request example**:
```bash
curl --location 'https://lbs-open.kuaishou.com/goodlife/rest/merchant/apicenter/pc/comment/poiCommentList?access-token=YOUR_ACCESS_TOKEN'
```

---
Confidence
96% confidence
Finding
```bash
curl --location 'https://lbs-open.kuaishou.com/goodlife/rest/merchant/apicenter/pc/comment/poiCommentList?access-token=YOUR_ACCESS_TOKEN'
```
---
### 16. Query targeted incentive data for professionals (职人)
Query targeted incentive data for professionals.
**Endpoint**: `POST /

Credential Access

High
Category
Privilege Escalation
Content
```python
    args = parser.parse_args()

    # Get access token using AccessTokenManager
    context = load_current_context()
    if not context:
        print("Error: No current context found.", file=sys.stderr)
```
Confidence
78% confidence
Finding
access token

VirusTotal

62/62 vendors flagged this skill as clean.
