Xianyu Auto-Delivery (咸鱼自动发货)

Security checks across malware telemetry and agentic risk

Overview

This skill is not malware, but it needs review because it can use a logged-in marketplace browser session to automatically send messages and fulfillment keys with weak safeguards.

Install only if you are comfortable with unattended automation acting through your Xianyu account. Use a dedicated browser profile and test account, avoid storing or logging real keys in plaintext, review any my-fulfillment.sh script before running it, disable external API/notification templates unless you trust the endpoint, and add human confirmation or a dry-run mode before live auto-delivery.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • Trigger Abuse: Overly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Privilege Escalation: Excessive Permissions, Sudo/Root Execution, Credential Access
Findings (20)

Context-Inappropriate Capability

Severity: Medium
Confidence: 91%
Finding:
The customization section explicitly encourages arbitrary Python execution and shelling out from the fulfillment hook, turning a browser automation skill into a general code-execution surface. In a skill context, this is dangerous because downstream users may paste or reuse untrusted fulfillment scripts that gain access to environment variables, local files, and authenticated browser-driven workflows.

Context-Inappropriate Capability

Severity: Medium
Confidence: 84%
Finding:
The documentation introduces AppleScript/system-dialog automation for file upload, which expands control from the browser into operating-system UI automation. That is risky because OS-level keystroke/dialog control can interact with unintended windows, expose local paths, and be repurposed for actions unrelated to fulfillment.

Context-Inappropriate Capability

Severity: Medium
Confidence: 80%
Finding:
The notification examples add outbound messaging channels that are not essential to core fulfillment and include buyer/order data and potentially secrets such as keys. This broadens the data-exfiltration surface and increases the chance that sensitive order information is sent to third-party services without adequate review.

Context-Inappropriate Capability

Severity: Medium
Confidence: 95%
Finding:
The script uses `source "$FULFILLMENT_SCRIPT"` to load and execute a local shell hook with the full privileges of the monitoring process. Because sourced shell code runs in-process and can execute arbitrary commands, a modified or malicious `my-fulfillment.sh` can do far more than fulfillment orchestration, including reading local files, stealing browser profile data, or running destructive commands. In this skill context, that extensibility materially increases risk because the workflow already has access to a real Chrome profile and live commerce session.

Missing User Warnings

Severity: Medium
Confidence: 86%
Finding:
The quickstart explicitly describes an automated workflow that sends fulfillment keys into buyer chat after payment detection, but it does not clearly warn users that the agent will perform outbound account actions on their behalf. In the context of a marketplace account, silent automation can cause accidental disclosures, unintended deliveries, or policy/account-enforcement issues if detection is wrong or the script misfires.

Missing User Warnings

Severity: Medium
Confidence: 91%
Finding:
The guide instructs users to place sensitive fulfillment keys in a local plaintext file (`keys.txt`) and use them for automatic delivery, but it does not warn about the confidentiality and integrity risks of storing sellable credentials unencrypted. If the workstation, repo directory, logs, backups, or neighboring scripts are accessed, the keys can be stolen or prematurely consumed without detection.

Missing User Warnings

Severity: Medium
Confidence: 91%
Finding:
The README explicitly promotes a sub-agent that checks messages every minute and automatically fulfills paid orders, but it does not present a strong, explicit warning that the agent may send messages and complete transactions on the user's behalf without per-action confirmation. In the context of browser automation tied to a real marketplace account, this can lead to unintended deliveries, mistaken order handling, or unauthorized actions if detection logic is wrong or the agent is misconfigured.

Missing User Warnings

Severity: Medium
Confidence: 94%
Finding:
The documentation instructs users to run automation against their real Chrome profile, which exposes all cookies, authenticated sessions, browsing context, and potentially other sensitive account data to the automation environment. Without a clear privacy and account-safety warning, users may unknowingly grant broad access to personal or commercial accounts, increasing the risk of account takeover impact, unintended cross-site actions, or leakage of sensitive session data.

Missing User Warnings

Severity: Medium
Confidence: 89%
Finding:
The API delivery workflow sends buyer and product information to an external endpoint but does not warn about privacy, retention, or trust implications. This is dangerous because order context may contain personal or commercially sensitive data, and users are not informed that fulfillment can involve third-party processing.

Missing User Warnings

Severity: Medium
Confidence: 93%
Finding:
The monitoring workflow uses an existing Chrome profile/session for automation but does not adequately warn that this grants the skill access to authenticated browsing state. That is dangerous because compromise or misuse of the automation flow can expose session cookies, messages, account data, and other sites linked to the same profile.

Vague Triggers

Severity: Medium
Confidence: 78%
Finding:
The metadata description advertises broad browser-based automation for monitoring chats and sending virtual goods, but it does not define clear trigger conditions, target scope, or safety boundaries. In an automation skill that can watch messages and act on payment detection, vague scope increases the risk of unintended autonomous actions, abuse against marketplace accounts, or delivery to the wrong party if invoked in the wrong context.

Missing User Warnings

Severity: Medium
Confidence: 93%
Finding:
The script appends each issued secret key in plaintext to a local log file. If the host is compromised, shared, backed up insecurely, or readable by other users/processes, previously delivered keys can be recovered and reused, directly exposing customer secrets and inventory.

Missing User Warnings

Severity: Medium
Confidence: 92%
Finding:
The script transmits buyer nickname, product title, and order time to an external API without any explicit user notice, consent flow, or data-minimization controls. In a fulfillment automation context, this creates a real privacy and data-governance risk because order metadata is sent off-platform to an arbitrary configured endpoint.

Missing User Warnings

Severity: Medium
Confidence: 98%
Finding:
The script echoes the user's secret key back to the terminal in plaintext, which can expose sensitive fulfillment credentials to shoulder-surfing, terminal logging, shell history capture tools, or recorded sessions. In this skill's context, the key is intended to be delivered to buyers, so accidental disclosure can lead to unauthorized reuse, resale, or loss of inventory.

Missing User Warnings

Severity: High
Confidence: 99%
Finding:
The generated monitor script automatically sends the configured secret key when it detects a payment phrase, without a confirmation step or strong validation that the detected context is the intended buyer/order. Because this skill automates chat interaction on a marketplace, a false positive, UI mismatch, or manipulated page state could cause secrets to be sent to the wrong conversation or before payment is actually verified.

Missing User Warnings

Severity: Medium
Confidence: 86%
Finding:
The script assembles a task for an autonomous browser agent to monitor marketplace messages and trigger a fulfillment flow when a payment card is detected, but it does not require explicit operator confirmation, scope limits, or safety interlocks before acting on real buyer conversations/orders. In the context of an auto-fulfillment skill for Xianyu, this increases the chance of unintended order handling, misdelivery, or abusive automation against a live marketplace account if the monitor is launched as-is.

Missing User Warnings

Severity: Medium
Confidence: 84%
Finding:
The script irreversibly removes a key from the active pool and appends it to a used-keys ledger immediately, with no transactional safety, operator confirmation, or rollback if later steps fail. In this fulfillment context, browser misclassification, send failures, or race conditions could consume inventory incorrectly and cause accidental key loss or duplicate support incidents.

Missing User Warnings

Severity: High
Confidence: 94%
Finding:
This code automatically sends a secret key to a chat recipient based only on simple text matching in the page snapshot, without robust payment verification, recipient/order binding, or human approval. In a virtual-goods fulfillment skill, that makes unauthorized or mistaken delivery highly plausible, directly exposing paid inventory and potentially leaking secrets to the wrong buyer or to spoofed/system-generated messages.

Missing User Warnings

Severity: Medium
Confidence: 85%
Finding:
The script automatically removes a key from the local key pool and appends it to a used-keys file without any confirmation, locking, validation, or audit protections. In an automation context handling virtual goods, this can cause silent inventory depletion, accidental loss of deliverable assets, or corruption/race conditions if multiple instances run concurrently.

Missing User Warnings

Severity: High
Confidence: 91%
Finding:
The script retrieves a secret key, logs it in plaintext, and sends it through browser automation without verifying the active chat, payment status, recipient identity, or delivery success. In this skill context, which is explicitly designed for automated virtual-goods fulfillment, that makes accidental disclosure or delivery to the wrong buyer materially more dangerous because secrets are the product itself and cannot be revoked once exposed.

VirusTotal

65/65 vendors flagged this skill as clean.
