返利宝

Security checks across malware telemetry and agentic risk

Overview

This rebate skill matches its stated shopping-rebate purpose, but it needs review because it handles account identifiers, withdrawals, external model calls, and local persistence with limited scoping disclosure.

Review before installing if you are comfortable letting this skill store your rebate account binding locally, send shopping text and product links to rebate/model services, and submit withdrawal requests after a confirmation phrase. It is not artifact-backed malware, but its account and privacy behavior deserves explicit user consent and clearer retention controls.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • Trigger Abuse: Overly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • MCP Least Privilege: Underdeclared Capability, Wildcard Permission, Missing Permission Declaration
  • MCP Tool Poisoning: Hidden Instructions, Unicode Deception, Parameter Description Injection
Findings (15)

Lp3

Medium
Category
MCP Least Privilege
Confidence
91% confidence
Finding
The skill invokes shell scripts, uses environment data, and communicates with remote services, but the skill metadata does not declare any permissions or capabilities. This creates a transparency and governance gap: reviewers and runtime policy engines cannot accurately assess or constrain what the skill is allowed to do, increasing the chance of unintended network access, data handling, or command execution.

Tp4

High
Category
MCP Tool Poisoning
Confidence
97% confidence
Finding
The documented scope says the skill only handles three user scenarios, but the implementation also performs account/binding checks, balance queries, withdrawal preparation and confirmation, persistence of authorization and pending requests, and calls multiple remote APIs. This mismatch is dangerous because it conceals sensitive state handling and financial/account actions behind an underspecified interface, preventing users and reviewers from understanding the real security and privacy impact.

Context-Inappropriate Capability

High
Confidence
95% confidence
Finding
This file includes a generic LLM client that loads model provider configuration and sends prompts to an arbitrary external chat-completions endpoint, which is not necessary for a simple rebate helper unless tightly constrained elsewhere. That introduces a powerful exfiltration and prompt-injection sink: future code can send user messages, local state, or identifiers to a third-party model service without meaningful purpose limitation or consent in this module.

Context-Inappropriate Capability

Medium
Confidence
95% confidence
Finding
The helper allows callers to disable TLS certificate validation by setting `insecure`, which permits man-in-the-middle interception of supposedly secure HTTPS traffic. In a rebate/search skill that may contact external commerce services and handle account or affiliate data, this capability is unnecessary and materially weakens transport security.

Description-Behavior Mismatch

High
Confidence
96% confidence
Finding
The S01 operation-guide module does more than authorization and tutorials: it prepares and submits real withdrawal requests via `buildWithdrawPrepareResponse` and `buildWithdrawConfirmResponse`, including balance checks, pending withdrawal state, and `applyWithdraw`. This expands a low-risk guidance flow into a money-moving flow, increasing the chance of unauthorized or unintended financial actions if routing, prompting, or confirmation handling is confused or abused.

Description-Behavior Mismatch

Medium
Confidence
88% confidence
Finding
The operation-guide module resumes pending S02/S03 rebate flows after authentication by loading stored requests and dispatching into `m02PlatformLink` or `productSearch`. This breaks intended separation of duties and can cause users or reviewers to underestimate what S01 is able to trigger, especially when post-auth execution happens automatically.

Vague Triggers

Medium
Confidence
83% confidence
Finding
The trigger list includes broad everyday phrases such as '教程' (tutorial), '返利' (rebate), and '账户余额' (account balance), which can match normal conversation outside the intended rebate workflow. Overly broad activation can cause the skill to run unexpectedly, potentially sending user text to backend services or entering account-related flows without clear user intent.

Vague Triggers

Medium
Confidence
89% confidence
Finding
The routing rule '没有链接,但用户表达购物需求时,进入 S03' (no link present, but the user expresses a shopping need: enter S03) is underspecified and can capture a wide range of ambiguous shopping-related language. In this skill context, misrouting is more dangerous because S03 leads into product-search processing and downstream service calls, which may expose user messages to external systems or produce unintended commercial actions.

Missing User Warnings

Medium
Confidence
89% confidence
Finding
The code reads a provider API key from local configuration and transmits it in Authorization headers to a configured external endpoint. While server-side API key use is normal, this module provides no host allowlisting, secret-scoping, or disclosure controls, so a compromised or misconfigured baseUrl could cause credential exposure to an attacker-controlled service.

Missing User Warnings

High
Confidence
98% confidence
Finding
Optional insecure HTTPS mode disables certificate verification and provides no warning or restriction, allowing active attackers to spoof remote servers and read or alter traffic. Given the skill's rebate/tutorial/search context, this is more dangerous because users may trust links, balances, or authorization-related responses delivered over compromised connections.

Missing User Warnings

Medium
Confidence
83% confidence
Finding
The code builds user-facing rebate detail URLs containing `openid` as a query parameter. Exposing account-linkage identifiers in URLs can leak through logs, browser history, referrers, screenshots, and shared messages, enabling correlation of a user's account or misuse if the backend treats the identifier as sufficient for access.

Missing User Warnings

Medium
Confidence
89% confidence
Finding
This code sends the user's platform link plus a bound account identifier (openId) to external rebate service functions such as product search, adzone lease, and rebate-link creation, but there is no visible notice, consent step, or data-minimization control in this flow. In a rebate skill this sharing is functionally expected, but the combination of account-linked identifiers and user-submitted URLs can still create privacy and compliance risk if users are not clearly informed.

Missing User Warnings

Medium
Confidence
88% confidence
Finding
The code sends the raw user message, cleaned message, and extracted heuristic product hints to an external model via requestModelJson without any visible minimization, consent, or disclosure controls in this file. Because user messages may contain personal data, shopping preferences, or pasted sensitive text, this creates a privacy and data-governance risk through unnecessary third-party transmission.

Missing User Warnings

Medium
Confidence
89% confidence
Finding
The router stores pending user requests locally together with the raw message, scene, handler, and routing reason before authorization is completed. Because this can include shopping links, product interests, or other potentially sensitive user inputs, persisting it without explicit notice, consent, retention limits, or protection increases privacy and data exposure risk if the local machine or storage is accessed by another user or process.

Missing User Warnings

Medium
Confidence
92% confidence
Finding
The code sends both the raw user message and cleaned shopping query content to an external model via requestModelJson, which can expose user-provided shopping interests and possibly embedded personal data to a third-party processor. In a rebate/search assistant context, users may reasonably expect product matching, but not necessarily undisclosed model processing, so the privacy risk is real even if not overtly malicious.

VirusTotal

61/61 vendors flagged this skill as clean.