淘宝返利 (Taobao Rebate)

Security checks across malware telemetry and agentic risk

Overview

This rebate skill appears functional, but it needs review because it handles account withdrawals and sends shopping text to external model providers without clear user-facing disclosure.

Install only if you trust the publisher and are comfortable with the skill storing WeChat-linked identifiers locally, contacting its rebate backend for account and withdrawal operations, and using your workspace model provider to process shopping queries. Treat withdrawal confirmations as real money/account actions.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • Trigger Abuse: Overly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • MCP Least Privilege: Underdeclared Capability, Wildcard Permission, Missing Permission Declaration
  • MCP Tool Poisoning: Hidden Instructions, Unicode Deception, Parameter Description Injection
Findings (9)

Lp3

Medium
Category
MCP Least Privilege
Confidence
85% confidence
Finding
The skill documentation shows that the skill uses shell execution, network access, and environment variables, yet it declares no permissions. That creates a transparency and policy-enforcement gap: operators and users cannot accurately assess what the skill can do, while the implementation can still make outbound requests, invoke local scripts, and read runtime secrets. In this skill those capabilities matter, because it handles authorization, withdrawals, and external API calls.

Tp4

High
Category
MCP Tool Poisoning
Confidence
94% confidence
Finding
The declared behavior says the skill only handles three rebate-related scenarios, but the documented implementation also performs account balance checks, authorization/binding status queries, withdrawal preparation/confirmation, local persistence of identifiers and pending requests, and LLM-backed intent recognition. This mismatch undermines informed consent and security review, and it materially increases the sensitive data and financial-action surface beyond what the top-level description suggests.

Context-Inappropriate Capability

Medium
Confidence
88% confidence
Finding
This utility file contains a general-purpose LLM invocation helper that loads provider configuration, sends prompts to an external model endpoint, and returns parsed JSON, even though the skill description is narrowly scoped to rebate flows. In a rebate assistant context, hidden generic model access increases data exposure risk because user content and system prompts may be sent to third-party model providers without clear necessity or strict scope controls.

Vague Triggers

Medium
Confidence
77% confidence
Finding
The S03 trigger rule routes any message expressing a shopping need into product search, but it does not define strong exclusions or ambiguity handling. Overly broad activation can misroute unrelated conversation into search/API flows, causing unintended external requests, unnecessary data disclosure, or confusing transactional behavior in a skill that also handles rebates and user state.

Vague Triggers

Medium
Confidence
81% confidence
Finding
Several S01 triggers, such as the generic words '教程' (tutorial) or '账户余额' (account balance), are common conversational phrases and may collide with unrelated user messages. In a skill that can query account state and initiate withdrawal flows, loose keyword triggering increases the risk of accidental entry into sensitive account or financial workflows without sufficiently specific user intent.
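The following is an added example, not code from the skill or from SkillSpector. It places a loose substring router of the kind the two Vague Triggers findings describe (S01 keywords such as '账户余额' and '教程', and the broad S03 shopping trigger) next to a scoped router that requires a request pattern, excludes talk about the feature, refuses to execute sensitive intents straight from a text match, and asks for clarification when one turn matches two intents. The trigger tables, intent names, regular expressions and sample messages are all constructed for this demonstration.

```javascript
// Added example (not the skill's own code): loose keyword routing next to
// scoped routing. Trigger tables and sample messages are constructed here.

// Loose form: any substring hit fires, first intent in table order wins.
const LOOSE_TRIGGERS = {
  check_balance: ['账户余额', '余额'],
  tutorial: ['教程'],
  product_search: ['想买', '推荐', '买'],
};

function routeLoose(message) {
  for (const [intent, words] of Object.entries(LOOSE_TRIGGERS)) {
    if (words.some((w) => message.includes(w))) return { intent, action: 'run' };
  }
  return { intent: 'none', action: 'ignore' };
}

// Scoped form: an intent needs a request pattern (verb plus object), talk
// *about* the feature is excluded, and sensitive intents never run straight
// from a text match; they get a confirmation turn first.
const SCOPED_TRIGGERS = {
  check_balance: {
    request: /(查|看|查询|查看).{0,6}(账户余额|余额)/, // "查一下账户余额", not bare "余额"
    exclude: /(什么意思|怎么算|是啥|介绍|解释)/,       // asking what the term means
    sensitive: true,
  },
  tutorial: {
    request: /(怎么|如何|怎样).{0,10}(用|使用|操作)|返利教程/,
    exclude: /(不需要|不用)教程/,
    sensitive: false,
  },
  product_search: {
    request: /(想买|帮我找|推荐|有没有)/,
    exclude: /(不想买|别推荐)/,
    sensitive: false,
  },
};

function routeScoped(message) {
  const hits = Object.entries(SCOPED_TRIGGERS)
    .filter(([, t]) => t.request.test(message) && !t.exclude.test(message))
    .map(([intent]) => intent);
  if (hits.length === 0) return { intent: 'none', action: 'ignore' };
  // Two intents in one turn: ask, do not guess, because one of them may be
  // an account call.
  if (hits.length > 1) return { intent: 'ambiguous', action: 'clarify', candidates: hits };
  const intent = hits[0];
  return { intent, action: SCOPED_TRIGGERS[intent].sensitive ? 'confirm' : 'run' };
}

// Constructed messages: two real requests, three look-alikes, one compound turn.
const SAMPLE_MESSAGES = [
  '帮我查一下账户余额',         // "check my account balance for me" (real request)
  '帮我查查账户余额是什么意思',   // asks what "account balance" means
  '我朋友说我余额不足，真烦',     // unrelated chat that happens to contain 余额
  '这个教程讲得真好',            // unrelated chat that happens to contain 教程
  '买了个新手机，怎么用返利',     // a how-to question that happens to contain 买
  '查余额然后帮我找个礼物',       // balance check plus product search in one turn
];

// Runs both routers over the samples so the misroutes are visible side by side.
function compareRouting(messages = SAMPLE_MESSAGES) {
  return messages.map((m) => ({ message: m, loose: routeLoose(m), scoped: routeScoped(m) }));
}
```

With the constructed samples, the loose router sends the three look-alike messages into balance checks, a tutorial flow and a product search respectively, and executes the compound turn as a balance check. The scoped router ignores the look-alikes, classifies the how-to question as a tutorial request, returns `confirm` rather than `run` for the genuine balance request, and returns `clarify` for the compound turn.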

Missing User Warnings

Medium
Confidence
93% confidence
Finding
The model request sends both system/user prompts and a bearer API key to an external `/chat/completions` endpoint, with no evidence in this code of user disclosure, consent, redaction, or destination restrictions. In a skill that may process shopping intent, account-related text, or authorization context, this can leak sensitive user data and operational prompts to a third-party service.

Missing User Warnings

High
Confidence
87% confidence
Finding
This function performs a sensitive financial action by directly submitting a withdrawal request with only openid and amount, with no validation, step-up verification, idempotency guard, or evidence of server-verified user confirmation in this code path. In an agent skill context, a mis-triggered intent, prompt manipulation, or abusive caller could initiate unauthorized or erroneous withdrawals if upstream controls are weak.

Missing User Warnings

Medium
Confidence
89% confidence
Finding
The code sends raw and cleaned user shopping messages to an external model via requestModelJson, and this file shows no user-facing notice, consent gate, or minimization before transmission. Shopping requests can contain personal preferences, gift targets, budgets, or other sensitive behavioral data, so undisclosed third-party model sharing creates a real privacy and data-governance risk even if the feature is functionally intended.

Missing User Warnings

Medium
Confidence
95% confidence
Finding
The code sends raw user query text and derived heuristic context to an external model via requestModelJson without any visible consent flow, warning, minimization, or masking in this file. Product queries can include personal preferences, gift targets, budget, and potentially pasted identifiers, so forwarding them to a third-party model creates a real privacy and data-governance risk even if not an exploit in the classic sense.
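This finding, and the two before it on the bearer-key request and the shopping-message hand-off, all point at what a `requestModelJson`-style helper does not do before calling `/chat/completions`. The block below is an added example, not the skill's helper, of the checks a reviewer would look for: a consent gate, a destination allowlist, minimization of the user text (known identifiers, Chinese mobile numbers and long digit runs replaced, length capped), a fixed task prompt instead of account context, and an audit record that contains neither the key nor the raw text. `buildModelRequest`, `minimize`, `ALLOWED_MODEL_HOSTS`, the redaction patterns and the sample message are constructed for this example.

```javascript
// Added example (not the skill's requestModelJson): what to check and strip
// before shopping text leaves for a third-party model endpoint. The
// allowlist, patterns and sample text are constructed here.

const ALLOWED_MODEL_HOSTS = new Set(['api.example-model.test']); // constructed allowlist
const MAX_PROMPT_CHARS = 500;

// Minimization: drop identifiers the skill already holds (e.g. the stored
// openid), Chinese mobile numbers, and long digit runs such as order numbers,
// then cap the length. Returns the cleaned text and how much was redacted.
function minimize(text, knownIdentifiers = []) {
  let out = text;
  let redacted = 0;
  for (const id of knownIdentifiers) {
    if (id && out.includes(id)) { out = out.split(id).join('[ID]'); redacted++; }
  }
  out = out.replace(/(?<!\d)1[3-9]\d{9}(?!\d)/g, () => { redacted++; return '[PHONE]'; });
  out = out.replace(/\d{12,}/g, () => { redacted++; return '[NUMBER]'; });
  if (out.length > MAX_PROMPT_CHARS) out = out.slice(0, MAX_PROMPT_CHARS);
  return { text: out, redacted };
}

// Builds the outbound request without sending it, so the caller (or a test)
// can inspect exactly what would leave the workspace.
function buildModelRequest({ userText, baseUrl, apiKey, consent, knownIdentifiers = [] }) {
  if (!consent) return { ok: false, error: 'user has not consented to third-party model processing' };
  let host;
  try { host = new URL(baseUrl).host; } catch { return { ok: false, error: 'invalid model endpoint' }; }
  if (!ALLOWED_MODEL_HOSTS.has(host)) return { ok: false, error: `model host not allowlisted: ${host}` };
  const { text, redacted } = minimize(userText, knownIdentifiers);
  return {
    ok: true,
    url: `${baseUrl.replace(/\/+$/, '')}/chat/completions`,
    // The key travels only in the header, never in the body or the audit record.
    headers: { Authorization: `Bearer ${apiKey}`, 'Content-Type': 'application/json' },
    body: {
      messages: [
        // Fixed task prompt: no account state, balances or authorization context.
        { role: 'system', content: 'Classify the shopping request as JSON {category, budget}. Return JSON only.' },
        { role: 'user', content: text },
      ],
    },
    // Safe to log: destination, redaction count and size, nothing else.
    audit: { host, redacted, chars: text.length },
  };
}
```

Running `buildModelRequest` with `consent: false`, or with a base URL whose host is not in the allowlist, returns an error before any text is prepared; with a permitted host the user message reaches the body only after `minimize` has replaced the stored openid, the phone number and the order number.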

VirusTotal

66/66 vendors reported this skill as clean. This is an antivirus verdict on the uploaded files; it does not cover the behavioral findings above, which concern what the skill does with account data and model requests rather than known malware signatures.