京东返利

Security checks across malware telemetry and agentic risk

Overview

This is a coherent rebate assistant, but it handles account-linked rebate data and confirmed withdrawal requests, so users should understand those flows before installing.

Install only if you trust the rebate backend and are comfortable linking WeChat/account identity to rebate activity. The skill can store local openId/auth state, send product and link text to rebate services, use your configured LLM provider for search-intent recognition, query balances, and submit a withdrawal after you prepare an amount and confirm it with “确认提现”.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • Trigger Abuse: Overly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • MCP Least Privilege: Underdeclared Capability, Wildcard Permission, Missing Permission Declaration
  • MCP Tool Poisoning: Hidden Instructions, Unicode Deception, Parameter Description Injection
Findings (7)

Lp3

Severity: Medium
Category: MCP Least Privilege
Confidence: 90%
Finding: The skill invokes shell scripts, uses networked APIs, and appears to access environment/local state, but the manifest does not declare those capabilities. This weakens security review and user/operator awareness, making it easier for a skill with significant execution and data-access power to run with insufficient scrutiny.

Tp4

Severity: High
Category: MCP Tool Poisoning
Confidence: 97%
Finding: The skill is described as a simple 3-scenario rebate assistant, but the documented behavior includes sensitive financial actions, account balance checks, authorization state handling, external API calls, and local persistence of identifiers and pending withdrawal state. This mismatch can mislead reviewers and users about the true trust boundary, causing unintended exposure of financial/account data and higher-risk side effects than expected.

Context-Inappropriate Capability

Severity: Medium
Confidence: 89%
Finding: This file includes a generic model invocation primitive that loads workspace model configuration and can send arbitrary prompts to an external LLM endpoint. In a rebate assistant whose declared purpose is narrow and transactional, this expands the skill's data-exfiltration and capability surface: any future caller can route user content or local context to a third-party model without clear necessity or isolation.

Vague Triggers

Severity: Medium
Confidence: 88%
Finding: Using the generic trigger word '教程' can activate the skill in many unrelated conversations, increasing the chance of unintended routing into authorization or account-related flows. In a skill that can query balances and prepare withdrawals, overly broad activation raises the risk of accidental exposure of sensitive account state or unintended action prompts.

Vague Triggers

Severity: Medium
Confidence: 84%
Finding: Routing any shopping-related expression without a link into S03 is overly broad and may cause the skill to send arbitrary user text to search and external intent-recognition services. Because the skill also chains into rebate and account-related workflows, ambiguous routing can expand data exposure and trigger unintended downstream processing.

Missing User Warnings

Severity: Medium
Confidence: 91%
Finding: The skill documentation describes balance queries and withdrawal preparation/confirmation flows without clearly warning users that financial/account data will be accessed and that actions may affect their funds. Lack of transparent disclosure and consent is risky in a finance-adjacent workflow because users may not realize they are authorizing sensitive account operations.

Missing User Warnings

Severity: Medium
Confidence: 92%
Finding: The code retrieves a bound openId and sends it to multiple backend service calls (`searchProductByLink`, `applyAdzoneLease`, `createRebateLink`) without any visible user-facing notice, consent prompt, or minimization in this flow. Even if the identifier is required for business logic, transmitting a persistent account-linked identifier to external services increases privacy risk and can enable user tracking or cross-service correlation if those services are compromised or over-collect data.

VirusTotal

66/66 vendors flagged this skill as clean.