Security audit

Ows

Security checks across malware telemetry and agentic risk

Overview

This seller automation skill fits its stated purpose, but it needs Review because it can post seller content and submit bids externally with inconsistent confirmation, endpoint, trigger, and retention controls.

Install only after reviewing the high-impact automation paths. Keep auto-bidding disabled unless you explicitly want bids sent without per-bid approval, verify OW_API_URL before use, avoid broad all-platform publishing until destinations and content are previewed, and do not store sensitive contact, business, payment, or buyer data in the state files without your own access and retention controls.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • Trigger Abuse: Overly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • Taint Tracking: Direct Taint Flow, Variable-Mediated Taint Flow, Credential Exfiltration Chain
  • MCP Tool Poisoning: Hidden Instructions, Unicode Deception, Parameter Description Injection
Findings (20)

Tainted flow: 'OW_API' from os.environ.get (line 33, credential/environment) → urllib.request.urlopen (network output)

Severity: Critical
Category: Data Flow
Content:
def search_requests():
    """Search buy requests"""
    try:
        with urllib.request.urlopen(OW_API, timeout=30) as response:
            data = json.loads(response.read().decode('utf-8'))
        if data.get('success'):
            return data.get('posts', [])
Confidence: 96%
Finding:
with urllib.request.urlopen(OW_API, timeout=30) as response:

Tainted flow: 'url' from os.environ.get (line 79, credential/environment) → urllib.request.urlopen (network output)

Severity: Critical
Category: Data Flow
Content:
    """Search the OW community for buy requests (uses urllib, no curl needed)"""
    try:
        url = os.environ.get("OW_API_URL", "https://www.owshanghai.com/api/posts") + "?type=request&limit=50"
        with urllib.request.urlopen(url, timeout=30) as response:
            data = json.loads(response.read().decode('utf-8'))

        if data.get("success"):
Confidence: 96%
Finding:
with urllib.request.urlopen(url, timeout=30) as response:

Tainted flow: 'req' from os.environ.get (line 207, credential/environment) → urllib.request.urlopen (network output)

Severity: Critical
Category: Data Flow
Content:
            method="POST"
        )

        with urllib.request.urlopen(req, timeout=30) as response:
            result = json.loads(response.read().decode('utf-8'))

        if result.get("success"):
Confidence: 97%
Finding:
with urllib.request.urlopen(req, timeout=30) as response:

Tainted flow: 'req' from os.environ.get (line 203, credential/environment) → urllib.request.urlopen (network output)

Severity: Critical
Category: Data Flow
Content:
            method='POST'
        )

        with urllib.request.urlopen(req, timeout=30) as response:
            result = json.loads(response.read().decode('utf-8'))

        if result.get('success'):
Confidence: 95%
Finding:
with urllib.request.urlopen(req, timeout=30) as response:

Intent-Code Divergence

Severity: Medium
Confidence: 94%
Finding: The skill claims HTTPS-only network calls, but later documents and exemplifies plain HTTP endpoints on localhost. Even if localhost traffic is local, the contradictory guidance weakens operator assumptions and can lead to insecure deployments, proxy exposure, or accidental reuse of HTTP patterns for non-local endpoints.

Intent-Code Divergence

Severity: Medium
Confidence: 96%
Finding: The skill says auto-bid requires explicit confirmation, but later configuration enables fully automatic bidding with no confirmation step. This inconsistency can cause autonomous submission of bids, external communications, and business commitments that the operator did not intend to authorize.

Context-Inappropriate Capability

Severity: High
Confidence: 80%
Finding: The script performs automatic bidding through process_auto_bid based on matched post content, extending behavior beyond passive search/match into autonomous external action. In this context, attacker-controlled or spoofed request data from the remote API could trigger unintended bids or business actions, especially if users rely on the documented description and do not expect autonomous outbound operations.

Intent-Code Divergence

Severity: Medium
Confidence: 98%
Finding: The code persists fetched opportunities unconditionally inside search_all_platforms(), even though the CLI exposes a --save flag that implies saving should be optional. This can silently store potentially sensitive or proprietary procurement data on disk, violating user expectations and increasing privacy/compliance risk on shared systems.

Vague Triggers

Severity: Medium
Confidence: 92%
Finding: The trigger list includes very broad everyday terms such as '卖/出售/供货/投标/竞标/订单' (sell/sale/supply/bid/tender/order), which can accidentally activate the skill during ordinary conversation. In a skill that can search external platforms, prepare bids, and potentially submit actions, overbroad activation materially increases the chance of unintended external operations.

Vague Triggers

Severity: Medium
Confidence: 90%
Finding: The example invocations for cross-platform search and publishing are broad and natural-language-like, making accidental activation more likely. Because these commands imply external publication and multi-platform actions, ambiguous phrasing can lead to unintended data transmission or posting.

Missing User Warnings

Severity: Medium
Confidence: 95%
Finding: The skill describes determining buyer region from IP address without a clear privacy notice, consent model, retention policy, or legal basis. IP-derived geolocation is personal data in many jurisdictions, and collecting or inferring it silently creates privacy, compliance, and trust risks.

Missing User Warnings

Severity: Medium
Confidence: 94%
Finding: The multi-platform publishing section encourages posting product content to external social and media platforms without a prominent warning that data, media, links, and metadata will be transmitted off-platform. Users may not realize drafts or posts can disclose shop information, marketing content, and potentially identifying business data to third parties.

Missing User Warnings

Severity: Medium
Confidence: 93%
Finding: The skill advertises 24/7 background search across multiple external platforms without an explicit warning that it will continuously access third-party services and process externally sourced data. Ongoing autonomous network activity expands privacy, rate-limit, legal, and unintended-behavior risk, especially if the operator expects only on-demand actions.

Missing User Warnings

Severity: Medium
Confidence: 90%
Finding: The document explicitly enables automated multi-platform searching, periodic polling, and real-time subscription behavior, but it does not warn users that the skill may generate ongoing network traffic or transmit query data to external services. In an agent skill context, this can lead to silent data disclosure, unexpected background activity, and user surprise about which platforms are being contacted, especially because one platform is a localhost endpoint and another uses live subscription channels.

Missing User Warnings

Severity: Medium
Confidence: 91%
Finding: Buyer IP addresses are collected from post data and stored in match records via save_catalog, along with identity and content metadata, without minimization or any visible consent/notice mechanism. This creates unnecessary retention of sensitive personal data and increases privacy, compliance, and breach impact if the state files are accessed or leaked.

Missing User Warnings

Severity: Medium
Confidence: 92%
Finding: save_opportunity() writes remotely fetched data directly to local files without user confirmation, sanitization of the filename component, or disclosure about retention. Because req_id comes from external data, a malicious or malformed value could cause unintended file paths or overwrite behavior if path separators or traversal sequences are accepted.

Missing User Warnings

Severity: Medium
Confidence: 90%
Finding: The script collects seller contact and business-profile data and later persists it locally without clearly informing the user at collection time that the data will be written to disk. In an agent skill/setup context, this can expose sensitive business and personal information to other local users, backups, logs, or later components that read the state directory, especially if file permissions are weak.

Missing User Warnings

Severity: Medium
Confidence: 93%
Finding: The script writes product catalogs, shop links, contact details, and regional logistics configuration to predictable local JSON files without prior disclosure. In this skill context, that increases the risk of unintended disclosure of sensitive commercial information, such as supplier identity, geographic restrictions, and store links, if other processes or users on the same system can access the state directory.

Vague Triggers

Severity: Medium
Confidence: 88%
Finding: The notification embeds highly generic trigger phrases such as '投标 10' (bid 10), '查看需求 10' (view request 10), and '忽略 10' (ignore 10) without any guardrails limiting where or when they should be acted on. Because the surrounding content also includes promotional text and an install command for another skill, an agent may incorrectly treat displayed content as actionable instructions, creating prompt/command confusion and unintended workflow execution.

Vague Triggers

Severity: Medium
Confidence: 91%
Finding: The product keyword list includes the overly broad term "酒" (alcohol/drink), and the file shows auto-matching is enabled with a low minimum match score of 0.3. In this skill context, that can cause unrelated buyer posts to be matched and surfaced, creating noisy or misleading procurement actions and increasing the chance of incorrect notifications or downstream bidding decisions.

VirusTotal

58/58 vendors flagged this skill as clean.