Colipu Purchasing Assistant (科力普采购助手)

Security checks across malware telemetry and agentic risk

Overview

This Colipu purchasing skill matches its stated purpose, but some included scripts can place or cancel real orders without the final confirmation the documentation promises.

Review carefully before installing. Use only a least-privileged Colipu account, keep credentials in secure environment or secret storage, and do not let an agent invoke colipu_order.py, colipu_search.place_order, quick_order, or cancel_order unless you add a visible final summary and explicit per-action user confirmation for orders and cancellations.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • Rogue Agent: Self-Modification, Session Persistence
  • MCP Least Privilege: Underdeclared Capability, Wildcard Permission, Missing Permission Declaration
  • MCP Tool Poisoning: Hidden Instructions, Unicode Deception, Parameter Description Injection
Findings (11)

Lp3

Medium
Category
MCP Least Privilege
Confidence
95% confidence
Finding
The skill clearly instructs use of environment variables, network APIs, and shell scripts, but no explicit permissions are declared. This creates a governance gap: an agent platform may execute capabilities broader than the reviewed permission surface, increasing the chance of unintended network calls, credential use, or command execution without proper user/admin awareness.

Context-Inappropriate Capability

Medium
Confidence
90% confidence
Finding
The skill instructs the agent to escalate by emailing an external address and to include sensitive operational details such as account identifiers, API paths, request bodies, response bodies, reproduction times, and TraceId. Even with a note to desensitize some content, this encourages outbound disclosure of potentially sensitive business, authentication, and transactional metadata beyond the core procurement workflow.

Description-Behavior Mismatch

Medium
Confidence
98% confidence
Finding
`quick_order` performs a full purchase flow: product search, receiver/cost-center selection, pre-submit, confirm, and order creation polling, without any enforced user confirmation. In a procurement assistant context, this enables unintended or prompt-injected purchases using real account credentials and saved delivery/accounting data, making it materially more dangerous than a read-only helper.

Intent-Code Divergence

Medium
Confidence
92% confidence
Finding
The docstring says the method is only for testing/internal scripts, but the function is implemented in the main client and issues real order-confirmation calls. This mismatch increases the chance that downstream agent code treats it as safe utility code and accidentally exposes a one-shot purchasing primitive in production.

Missing User Warnings

Medium
Confidence
88% confidence
Finding
The document instructs use of username/password login and authenticated calls that expose session cookies, addresses, phone numbers, and order data, but it lacks any warning or handling guidance for secrets and personal data. In an agent skill context, this increases the risk that the agent will collect, store, log, or retransmit credentials and PII unsafely during normal operation.
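The escalation-email finding earlier says the skill's "desensitize" note is not enforced, and this finding adds that session cookies, addresses and phone numbers pass through the workflow with no handling guidance. The following desensitizer is an added example, not code from the skill: the report layout (`account`, `request`, `response`, `reproducedAt`, `notes`), the field names and the sample values are constructed, and the masking policy (drop `Cookie`/`Set-Cookie`/`Authorization` values, mask account and receiver identifiers to their last four characters, mask mainland mobile numbers, keep `TraceId` so support can locate the request) is an assumption about what a support team needs, not anything the skill specifies.

```python
"""Desensitize an escalation report before it leaves the procurement workflow.

Added example, not code from the Colipu skill. The report shape and field
names are assumed; the policy is: secret headers dropped, identifiers masked,
mainland mobile numbers masked, TraceId kept.
"""
import json
import re
from typing import Any

SECRET_HEADERS = {"cookie", "set-cookie", "authorization"}
ID_KEYS = {"customerid", "receiverid", "costcenterid"}
PHONE_RE = re.compile(r"(?<!\d)1[3-9]\d{9}(?!\d)")   # 11-digit mainland mobile numbers
SESSION_RE = re.compile(r"EGG_SESS=[^;\s]+")          # cookie value embedded in free text


def _mask_id(value: Any) -> str:
    s = str(value)
    return "***" + s[-4:] if len(s) > 4 else "***"


def _mask_phone(m) -> str:
    digits = m.group()
    return digits[:3] + "****" + digits[-4:]


def _scrub(obj: Any) -> Any:
    """Walk dicts, lists and strings. A string that is itself JSON (a raw
    request or response body) is parsed, scrubbed by key, and re-serialized."""
    if isinstance(obj, dict):
        out = {}
        for key, val in obj.items():
            lk = key.lower()
            if lk in SECRET_HEADERS:
                out[key] = "[REDACTED]"
            elif lk in ID_KEYS:
                out[key] = _mask_id(val)
            else:
                out[key] = _scrub(val)
        return out
    if isinstance(obj, list):
        return [_scrub(x) for x in obj]
    if isinstance(obj, str):
        try:
            parsed = json.loads(obj)
        except ValueError:
            parsed = None
        if isinstance(parsed, (dict, list)):
            return json.dumps(_scrub(parsed), ensure_ascii=False)
        return SESSION_RE.sub("EGG_SESS=[REDACTED]", PHONE_RE.sub(_mask_phone, obj))
    return obj


def desensitize(report: dict) -> dict:
    return _scrub(report)


# Constructed sample report, not a real capture.
SAMPLE_REPORT = {
    "account": {"customerId": "C1234567890", "contactPhone": "13812345678"},
    "request": {
        "path": "/api/confirm/orderConfirm",
        "headers": {"Cookie": "EGG_SESS=abc123sessiontoken", "content-type": "application/json"},
        "body": '{"GuId": "g-1", "ReceiverId": "R-98765", "Phone": "13912345678"}',
    },
    "response": {"status": 200,
                 "body": {"Success": False, "Message": "insufficient stock", "TraceId": "trace-0001"}},
    "reproducedAt": "2024-05-01T10:00:00+08:00",
    "notes": "reproduced with Cookie EGG_SESS=abc123sessiontoken; customer phone 13812345678",
}


def desensitize_sample() -> dict:
    return desensitize(SAMPLE_REPORT)


def contains(report: dict, needle: str) -> bool:
    """True if the literal string still appears anywhere in the serialized report."""
    return needle in json.dumps(report, ensure_ascii=False)


def parsed_body(report: dict) -> dict:
    return json.loads(report["request"]["body"])
```

Run `desensitize()` over the report immediately before it is handed to whatever sends the e-mail, and treat the `contains()` check on the raw session token as a test the skill must pass; key-based masking alone misses secrets that were pasted into free-text fields such as `notes`, which is why the string pass runs on every leaf.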

Missing User Warnings

Medium
Confidence
95% confidence
Finding
The pre-submit and confirm-submit sections describe live order-creation workflows without a strong warning that these APIs can place real orders and affect business operations. In an autonomous or semi-autonomous agent, this can lead to unintended purchases, financial loss, and operational disruption if the agent invokes the endpoints without explicit user consent and safeguards.

Missing User Warnings

Medium
Confidence
90% confidence
Finding
`cancel_order` directly issues an order-cancellation request with no built-in confirmation or warning. In an agent-integrated purchasing skill, this allows accidental or malicious cancellation of valid business orders, causing operational disruption and potential financial/process impact.

Missing User Warnings

High
Confidence
98% confidence
Finding
The script performs the irreversible order submission flow immediately after building the cart and pre-checking it, with no explicit user confirmation or dry-run gate before calling confirm_order(). In a procurement skill, this is especially dangerous because a mistaken invocation, malformed upstream agent action, or prompt-triggered automation can place real purchase orders against a live account and cost center.
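The three warnings above, and the Overview's recommendation, come down to one missing control: a visible summary and a per-action human decision between building the order and the irreversible confirm or cancel call. The following gate is an added example, not code from the Colipu skill or its scripts: the wrapped client (`pre_submit`, `confirm_order`, `cancel_order`), the `OrderIntent` shape and the `RecordingClient` stand-in are all hypothetical, chosen to mirror the pre-submit / confirm / cancel flow the findings describe, and the real scripts' names and signatures may differ.

```python
"""Per-action confirmation gate for order placement and cancellation.

Added example, not code from the Colipu skill. The client it wraps is a
hypothetical object with pre_submit(), confirm_order() and cancel_order()
methods standing in for the skill's pre-submit / confirm / cancel calls.
"""
from dataclasses import dataclass
from typing import Callable, List


@dataclass
class Line:
    item_id: str
    name: str
    qty: int
    unit_price: float


@dataclass
class OrderIntent:
    lines: List[Line]
    receiver_id: str
    cost_center_id: str

    def total(self) -> float:
        return round(sum(l.qty * l.unit_price for l in self.lines), 2)

    def summary(self) -> str:
        """The visible summary the human must see before anything is submitted."""
        rows = [f"  {l.qty} x {l.name} ({l.item_id}) @ {l.unit_price:.2f}" for l in self.lines]
        return "\n".join(["ORDER SUMMARY", *rows,
                          f"  receiver={self.receiver_id} cost_center={self.cost_center_id}",
                          f"  TOTAL {self.total():.2f} CNY"])


class ConfirmationDenied(Exception):
    pass


def ask_on_terminal(prompt: str) -> bool:
    """Interactive confirmation: only a literal 'y' typed by the human counts."""
    return input(prompt + " [y/N] ").strip().lower() == "y"


class GatedPurchaser:
    """confirm_order() and cancel_order() are reached only after a per-action
    human decision, and never at all in dry-run mode."""

    def __init__(self, client, ask: Callable[[str], bool], dry_run: bool = False):
        self.client = client
        self.ask = ask          # must be answered by a person, not by the agent
        self.dry_run = dry_run

    def place_order(self, intent: OrderIntent) -> dict:
        summary = intent.summary()
        if self.dry_run:
            return {"status": "dry_run", "summary": summary, "order_id": None}
        pre = self.client.pre_submit(intent)   # hypothetical: returns {"guid", "server_total"}
        if abs(pre["server_total"] - intent.total()) > 0.005:
            summary += f"\n  WARNING: server total {pre['server_total']:.2f} differs from local total"
        if not self.ask(summary + "\nPlace this order?"):
            raise ConfirmationDenied("order placement not confirmed")
        order_id = self.client.confirm_order(pre["guid"])   # the irreversible call
        return {"status": "placed", "summary": summary, "order_id": order_id}

    def cancel_order(self, order_id: str) -> dict:
        if self.dry_run:
            return {"status": "dry_run", "order_id": order_id}
        if not self.ask(f"CANCEL order {order_id}? This cannot be undone."):
            raise ConfirmationDenied("cancellation not confirmed")
        self.client.cancel_order(order_id)
        return {"status": "cancelled", "order_id": order_id}


class RecordingClient:
    """Constructed stand-in for the real client: records calls, touches no network."""

    def __init__(self):
        self.calls: List[str] = []

    def pre_submit(self, intent: OrderIntent) -> dict:
        self.calls.append("pre_submit")
        return {"guid": "guid-demo", "server_total": intent.total()}

    def confirm_order(self, guid: str) -> str:
        self.calls.append("confirm_order")
        return "ORDER-DEMO-1"

    def cancel_order(self, order_id: str) -> bool:
        self.calls.append("cancel_order")
        return True


def demo_place(answer: bool, dry_run: bool = False):
    """One placement with a scripted human answer; returns (result, calls made)."""
    client = RecordingClient()
    gate = GatedPurchaser(client, ask=lambda prompt: answer, dry_run=dry_run)
    intent = OrderIntent([Line("1001", "A4 copy paper", 10, 28.5),
                          Line("2002", "Stapler", 2, 15.0)], "R-1", "CC-1")
    try:
        result = gate.place_order(intent)
    except ConfirmationDenied:
        result = {"status": "denied", "order_id": None}
    return result, client.calls


def demo_cancel(answer: bool, dry_run: bool = False):
    client = RecordingClient()
    gate = GatedPurchaser(client, ask=lambda prompt: answer, dry_run=dry_run)
    try:
        result = gate.cancel_order("ORDER-DEMO-1")
    except ConfirmationDenied:
        result = {"status": "denied", "order_id": "ORDER-DEMO-1"}
    return result, client.calls
```

Bind `ask` to something a person answers (`ask_on_terminal`, an approval button in the chat surface); if the agent is allowed to supply the answer itself, the gate is decorative. Dry-run returns the summary without any network call, so it is a sensible default for agent-initiated invocations, with the live mode reserved for an explicit human turn.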

External Transmission

Medium
Category
Data Exfiltration
Content
### Request example (multiple SKUs merged into one order)

```bash
curl --location --request POST 'https://h5vip.colipu.com/api/confirm/create' \
--header 'Cookie: EGG_SESS=xxxxxx' \
--header 'content-type: application/json;charset=UTF-8' \
--data-raw '{
```
Confidence
94% confidence
Finding
The matched snippet is the `curl` POST to `https://h5vip.colipu.com/api/confirm/create` shown above: it transmits the `EGG_SESS` session cookie together with the order payload to that external host.

External Transmission

Medium
Category
Data Exfiltration
Content
### Request example

```bash
curl --location --request POST 'https://h5vip.colipu.com/api/confirm/orderConfirm' \
--header 'Cookie: EGG_SESS=xxxxxx' \
--header 'content-type: application/json;charset=UTF-8' \
--data-raw '{
```
Confidence
95% confidence
Finding
The matched snippet is the `curl` POST to `https://h5vip.colipu.com/api/confirm/orderConfirm` shown above: it transmits the `EGG_SESS` session cookie with the confirmation payload to that external host, and this is the call that finalizes a real order.

Session Persistence

Medium
Category
Rogue Agent
Content
| # | Endpoint | Method | Purpose | Key fields |
|---|------|------|------|-------------|
| 1 | `/api/vip/login` | POST | Username/password login | response header `Set-Cookie.EGG_SESS`, `Data.customerId` |
| 2 | `/api/b2bSearchApi/SearchByKeyWord` | POST | Keyword product search | `Data[].ItemId`, `Data[].SalePrice`, `Data[].ItemFullName` |
| 3 | `/api/b2bApi/GetAttributeGroupList` | GET | Product details (attributes, minimum order quantity, etc.) | `Data[].AttributeList`, `Data[].ItemAtte` |
| 4 | `/api/accountApi/receiver/list/0` | GET | Delivery address list | `[].ReceiverId`, `[].Status==A` |
| 5 | `/api/crm/getConcenter?IsGroupPower=N` | GET | Cost center list | `Data[].CostCenterId`, `Data[].Status==A` |
| 6 | `/api/confirm/create` | POST | Pre-submit order (obtain GuId) | `Data.Success`, `Data.Message` (=GuId) |
Confidence
88% confidence
Finding
The matched snippet is the endpoint table above: step 1 logs in with a username and password and captures the `EGG_SESS` cookie from `Set-Cookie`, and every later call reuses that cookie, so the skill keeps one authenticated session alive across searches, address and cost-center lookups, and order submission instead of scoping credentials to a single action.

VirusTotal

64/64 vendors reported this skill as clean (0 detections).
