Xianyu Auto-Reply Assistant (闲鱼自动回复助手)

Security checks across malware telemetry and agentic risk

Overview

This skill appears to do its stated auto-reply job, but it asks for a full marketplace login cookie and runs an unattended bot that can send messages from the user's account.

Install only if you are comfortable giving this skill a live Xianyu/Goofish session cookie and letting it automatically reply to buyers as you. Treat the cookie like a password, verify how your Claude/OpenClaw CLI handles prompts and telemetry, supervise the bot before leaving it running, and delete or rotate ~/.xianyu-agent/config.json when done.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • Behavioral AST: exec() Call, eval() Call, Dynamic Import
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Privilege Escalation: Excessive Permissions, Sudo/Root Execution, Credential Access
Findings (10)

subprocess module call

Medium
Category
Dangerous Code Execution
Content
else:
    cmd = ['openclaw', 'agent', '--prompt', prompt]

result = subprocess.run(
    cmd,
    capture_output=True, text=True,
    timeout=60,
Confidence
93% confidence
Finding
result = subprocess.run( cmd, capture_output=True, text=True, timeout=60, env={**os.environ, 'LANG': 'zh_CN.UTF-8'}

Context-Inappropriate Capability

Medium
Confidence
90% confidence
Finding
The skill's declared purpose is Xianyu auto-reply, but the implementation delegates message generation to external local AI executables with broad access to the provided prompt content. That materially expands the trust boundary and capability surface beyond simple monitoring/reply orchestration, increasing risk of unintended data disclosure or unsafe autonomous behavior.

Missing User Warnings

High
Confidence
98% confidence
Finding
The skill asks the user to provide full browser Cookie material for account authentication without prominent warning that this is equivalent to handing over a live session token. Collecting such credentials through chat greatly increases the chance of account takeover, unintended retention in logs, and reuse beyond the user's expectations.

Missing User Warnings

High
Confidence
99% confidence
Finding
The guide explicitly instructs the user to copy their full authenticated Goofish session cookie and paste it to the AI assistant. A full session cookie is effectively a bearer credential; anyone who receives it can potentially impersonate the user, read messages, send replies, and access account-linked data until the cookie expires or is revoked.

Missing User Warnings

Medium
Confidence
89% confidence
Finding
This code stores buyer chat history, item descriptions, and pricing data in a local SQLite database, but there is no evidence in this file of consent, disclosure, retention policy, encryption, or access controls. In the context of an always-on auto-reply skill for a marketplace account, this creates privacy and data-handling risk because sensitive conversation and commerce data may accumulate on disk and be exposed to other local users, malware, backups, or unintended operators.

Missing User Warnings

Medium
Confidence
95% confidence
Finding
Buyer messages, prior chat history, and item details are bundled into a prompt and sent to a separate AI CLI without any disclosure, consent, or privacy controls. In a marketplace context this can expose personal or commercially sensitive conversation content to another component whose storage, telemetry, and network behavior are not controlled here.

Ssd 3

High
Confidence
99% confidence
Finding
The skill explicitly instructs the user to copy and paste the entire Cookie header into the conversation, normalizing disclosure of highly sensitive session credentials over natural-language interaction. Because cookies often grant immediate authenticated access, exposure through chat can enable session hijacking and broader compromise of the user's marketplace account.

Ssd 3

High
Confidence
98% confidence
Finding
Persisting the user-provided Cookie in a plaintext config file creates long-lived local storage of active authentication material, increasing the blast radius of local compromise, backups, logs, or accidental disclosure. This also normalizes retention of secrets that were already unsafely collected through chat, compounding the risk.

Ssd 3

High
Confidence
99% confidence
Finding
Telling users to paste full login cookies into an AI conversation exposes authentication material in plain text to the assistant interface and any connected logging, storage, or debugging systems. In this skill's context, the cookie is intended to authorize ongoing automated actions as the user, so disclosure can directly enable account takeover and unauthorized messaging.

Ssd 3

High
Confidence
94% confidence
Finding
The document correctly identifies the cookie as a login credential but then normalizes handling and sharing of that credential as part of the workflow. That combination is dangerous because it trains users to treat a reusable identity token as ordinary input, increasing the chance of credential leakage and unauthorized access.

VirusTotal

66/66 vendors flagged this skill as clean.
