拼多多客服助手

Security checks across malware telemetry and agentic risk

Overview

This skill automates a live merchant account and buyer conversations, but its browser-control, account-session, and customer-data capabilities are too broad, and the safeguards around them are under-explained.

Review carefully before installing:
  • Use only a dedicated Chrome profile and a least-privilege merchant account.
  • Do not run the CDP proxy unless it is locked to localhost with authentication.
  • Avoid storing merchant passwords in config files.
  • Keep auto-reply disabled unless every send is explicitly approved.
  • Verify where any buyer conversation or order data is stored, exported, and deleted.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • Rogue Agent: Self-Modification, Session Persistence
  • Behavioral AST: exec() Call, eval() Call, Dynamic Import
  • MCP Least Privilege: Underdeclared Capability, Wildcard Permission, Missing Permission Declaration
Findings (19)

Lp3

Severity: Medium
Category: MCP Least Privilege
Confidence: 79%
Finding: The skill advertises browser automation, local configuration, and likely environment-dependent behavior, yet no permissions are declared. Missing permission declarations reduce transparency and can cause users or hosting systems to underestimate the skill's access to credentials, browser state, and merchant data. In this context, the skill operates on a live merchant backend, so undeclared capabilities are more sensitive than in a toy or read-only skill.

Tp4

Severity: High
Category: MCP Tool Poisoning
Confidence: 95%
Finding: The file describes a customer-service automation tool, but the scan also identified Convex cloud database read/write behavior that is not disclosed in the declared purpose. Undisclosed external persistence is dangerous because it can exfiltrate or centrally retain conversations, buyer history, operational stats, and potentially personal or business-sensitive data without informed consent. Given that this skill handles merchant sessions and buyer communications, hidden cloud storage materially increases privacy, compliance, and data-loss risk.

Intent-Code Divergence

Severity: Medium
Confidence: 94%
Finding: The README makes a safety claim that operations are 'only manually triggered', but elsewhere documents continuous 5-second polling, long-duration listening, and an AUTO_REPLY option. This mismatch can mislead reviewers and operators about the actual autonomy of the skill, reducing informed consent and masking policy or compliance risk in a browser automation tool that acts on a merchant account.

Intent-Code Divergence

Severity: Medium
Confidence: 97%
Finding: The documentation claims the skill does not bypass platform risk controls, yet the skill metadata explicitly advertises using the user's everyday Chrome login state to 'avoid platform risk control'. In this context, the contradiction is security-relevant because it suggests evasion of anti-abuse detection while attempting to reassure reviewers that no such behavior exists.

Intent-Code Divergence

Severity: Medium
Confidence: 93%
Finding: The safety section claims 'only manually triggered' operation, but the rest of the document describes automatic listening, polling, smart reply generation, and workflow automation. This contradiction is dangerous because operators may rely on the safety claim while deploying a system that can take ongoing actions on live customer interactions with reduced human oversight.

Intent-Code Divergence

Severity: Medium
Confidence: 94%
Finding: The document says buyer sensitive information is not stored, yet it also mentions database persistence, experience accumulation, send-history tracking, and buyer historical order lookup. Misrepresenting retention practices is dangerous because users may process customer data under false assumptions, creating privacy, contractual, and regulatory exposure.

Intent-Code Divergence

Severity: Low
Confidence: 86%
Finding: The skill says it will not bypass platform risk controls, while the headline value proposition explicitly emphasizes using the user's regular Chrome and login state to avoid platform detection. Even if framed as 'avoid triggering' rather than exploitative bypass, this is still a suspicious contradiction that can normalize evasive behavior toward platform safeguards.

Context-Inappropriate Capability

Severity: Medium
Confidence: 97%
Finding: The server exposes a browser-control API over HTTP and explicitly enables unrestricted cross-origin access with `Access-Control-Allow-Origin: *`. In the context of a CDP bridge to a real logged-in Chrome profile, this means any website the user visits can potentially drive requests to the local proxy and abuse the user's browser session, creating a powerful local privilege and session-abuse surface far beyond the stated customer-service purpose.

Description-Behavior Mismatch

Severity: Medium
Confidence: 95%
Finding: The `/new` flow can create tabs for arbitrary attacker-chosen URLs rather than limiting navigation to the Pinduoduo merchant backend. Because this proxy is meant to control the user's everyday Chrome with existing login state, arbitrary tab creation can be chained with other browser-control actions to access unrelated sites, induce authenticated actions, or facilitate phishing and data exposure.

Description-Behavior Mismatch

Severity: Medium
Confidence: 88%
Finding: The `/eval` endpoint is designed around arbitrary JavaScript evaluation semantics, which is incompatible with a narrowly scoped support assistant and dangerous in a browser automation proxy. Even though this stub currently only echoes input, the code and comments indicate intended future execution over WebSocket/CDP, which would allow arbitrary script execution in browser context against authenticated pages and sensitive session data.

Missing User Warnings

Severity: Medium
Confidence: 91%
Finding: The README describes extracting buyer messages, images, and order information, and later proposes pushing such data to Feishu/WeChat, but does not clearly explain what customer data is collected, where it is stored, who can access it, or what consent/retention rules apply. For a customer-service automation skill handling potentially sensitive commerce data, that omission materially increases privacy and data-leakage risk.

Missing User Warnings

Severity: Medium
Confidence: 88%
Finding: The skill promotes continuous monitoring of buyer conversations and extraction of message, image, and order information without a prominent privacy notice. In a live commerce support context, that means personal and transactional data may be collected and processed continuously, potentially forwarded or stored, while operators are not clearly warned about privacy obligations or customer-data exposure.

Missing User Warnings

Severity: Medium
Confidence: 90%
Finding: The skill advertises automated refund and after-sales handling without a prominent warning about irreversible operational consequences. In a merchant backend, actions like approving refunds or processing return workflows can directly affect money flow, inventory, dispute status, and customer commitments; automation errors could cause immediate financial and reputational harm.

Missing User Warnings

Severity: Medium
Confidence: 96%
Finding: The quick-start instructions show merchant credentials being stored in a local config file, with no warning about secrets management. Local plaintext or weakly protected credentials are a common compromise path, especially on shared workstations or developer machines, and here they grant access to a live merchant account and associated customer/order data.

Missing User Warnings

Severity: Medium
Confidence: 87%
Finding: The quick-start recommends long-running background listening via nohup without clearly warning that customer communications may be continuously monitored and possibly relayed to external systems like Feishu or WeChat. This increases the likelihood of unnoticed collection, prolonged session exposure, and unattended processing of sensitive merchant and buyer data.

Missing User Warnings

Severity: Medium
Confidence: 92%
Finding: The HTTP API exposes actions like tab creation, eval, click, screenshot, scroll, and close without authentication, consent prompts, or clear risk disclosure. In this skill's context (controlling a real Chrome instance that 'naturally carries login state'), the lack of warnings and guardrails materially increases the chance of silent misuse, privacy violations, and destructive authenticated actions.

Missing User Warnings

Severity: Medium
Confidence: 94%
Finding: The skill metadata explicitly advertises browser-based automatic login to a real merchant backend, continuous buyer message monitoring, automated reply generation, and after-sales processing, yet provides no warning, consent model, or guardrails for handling authenticated account sessions and customer data. In this context, the omission is dangerous because the skill is designed to act inside a live seller account using the user's existing Chrome login state, which increases the risk of unauthorized actions, privacy violations, and account abuse if the automation behaves unexpectedly or is repurposed.

Missing User Warnings

Severity: Medium
Confidence: 92%
Finding: The code retrieves unread buyer messages, conversation history, buyer names, and timestamps from a live logged-in merchant session, but provides no consent flow, privacy notice, minimization, or access controls. Because this skill explicitly reuses the user's everyday Chrome profile and login state, it can expose sensitive customer communications and order-related data through automation with little user awareness.

Session Persistence

Severity: Medium
Category: Rogue Agent
Content (excerpt from the skill's quick-start; the opening fence was lost in extraction and is restored here):
```shell
node src/index.ts login --shop "店铺 A"

# Start listening for messages (run in the background)
nohup node src/index.ts listen --duration 86400 &
```

### Step 3: Check running status
Confidence: 84%
Finding: `nohup` (matched pattern; the quick-start uses it to launch a 24-hour background listener that keeps the merchant session active after the terminal closes)

VirusTotal

66/66 vendors flagged this skill as clean.
