Xianyu Sam Order

Security checks across malware telemetry and agentic risk

Overview

This is a small ordering-help skill that asks for sensitive account details, but the behavior is disclosed, purpose-related, and not shown to transmit or misuse them.

Prefer the manual ordering flow. Only add XIANYU_COOKIE or SAM_PHONE if you understand that a session cookie may grant access to your account; keep the .env file private, avoid sharing the workspace with untrusted skills, and remove or rotate the cookie when no longer needed.

SkillSpector

By NVIDIA

Vulnerability Patterns

Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
Prompt InjectionInstruction Override, Hidden Instructions, Exfiltration Commands
Privilege EscalationExcessive Permissions, Sudo/Root Execution, Credential Access
Supply ChainUnpinned Dependencies, External Script Fetching, Obfuscated Code
Excessive AgencyUnrestricted Tool Access, Autonomous Decision Making, Scope Creep

Findings (1)

Missing User Warnings

Medium

Confidence: 95% confidence
Finding: The skill instructs users to place a Taobao/Xianyu cookie and phone number into ~/.openclaw/workspace/.env without warning that these are sensitive credentials. Cookies can enable account takeover or session hijacking if exposed, and storing them in a predictable local path increases the chance of accidental leakage through logs, backups, repo commits, or other skills.

VirusTotal

66/66 vendors flagged this skill as clean.

View on VirusTotal