腾讯出行服务跑腿 Skill

Security checks across malware telemetry and agentic risk

Overview

The skill appears to be a real Tencent courier-booking workflow, but it needs review because it stores sensitive delivery credentials locally and exposes broad authenticated MCP access beyond tightly scoped courier commands.

Install only if you are comfortable giving this skill a Tencent delivery token, letting it store that token and delivery-session details on disk, and allowing it to book, query, and cancel courier orders through Tencent MCP. Review the generic MCP call surface and the third-party payment QR generation before using it with real payment links or sensitive addresses.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • Trigger Abuse: Overly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • MCP Least Privilege: Underdeclared Capability, Wildcard Permission, Missing Permission Declaration
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
Findings (12)

Lp3

Medium
Category
MCP Least Privilege
Confidence
95% confidence
Finding
The skill exercises sensitive capabilities—shell-driven Python execution, local file access, file writes, MCP/network use, and environment dependence—without declaring permissions or clearly constraining them in the manifest. That mismatch weakens platform trust boundaries and makes it harder for reviewers and runtime policy to assess or limit what the skill can do.

Context-Inappropriate Capability

Medium
Confidence
96% confidence
Finding
The skill mandates running a local Python script before any reply, creating an unconditional code-execution path from prompt instructions. Even if the script is intended for workflow orchestration, requiring shell execution without manifest justification or tighter controls increases the risk of arbitrary local code execution, data exposure, and unsafe side effects on the host environment.

Context-Inappropriate Capability

Low
Confidence
84% confidence
Finding
The instructions authorize use of a local preferences/address-book file as an input source, which expands the skill from courier booking into local data access. Because address books contain sensitive personal data, this creates privacy and over-collection risk, especially if the user did not explicitly request retrieval from local stored contacts in the current interaction.

Context-Inappropriate Capability

Medium
Confidence
94% confidence
Finding
The script exposes a generic `mcp-call <tool>` entrypoint that forwards any caller-supplied tool name and JSON arguments to the authenticated Tencent MCP backend. In a delivery skill, this breaks intended least-privilege boundaries: an LLM or indirect prompt injection can invoke unrelated MCP capabilities with the user's bearer token, potentially accessing or mutating data outside courier-order workflows.

Missing User Warnings

Medium
Confidence
97% confidence
Finding
Forcing shell command execution before any user-visible reply removes an important transparency and consent checkpoint. In this context, the danger is amplified because the skill handles delivery logistics and personal data, yet silently initiates local execution that could access files, environment data, or perform unintended actions without the user's awareness.

Missing User Warnings

Medium
Confidence
90% confidence
Finding
The skill instructs saving address-book entries containing names, phone numbers, addresses, and coordinates after an order, but the file does not require explicit informed consent or a privacy notice before persisting that personal data. In a delivery skill, this creates a real privacy risk because users may believe they are only completing a one-time order while the agent silently retains sensitive contact and location data for future use.

Missing User Warnings

Medium
Confidence
93% confidence
Finding
The skill instructs the agent to relay a third-party generated payment QR code and fallback payment link directly to the user without any warning that payment data or destination URLs are being handled by external services. In this payment context, blindly rendering externally supplied payment content increases phishing, payment redirection, and unintended data disclosure risk, especially because the template must be pasted verbatim and not rewritten or validated.

Vague Triggers

Medium
Confidence
94% confidence
Finding
The trigger list includes generic acknowledgements like “OK” and “好了”, which commonly appear in ordinary conversation and can cause this payment-confirmation step to activate without an explicit payment confirmation. In a delivery skill, unintended activation can prematurely clear state, advance the workflow, or cause the agent to query order status and present post-payment messaging based on an ambiguous user reply.

Missing User Warnings

Medium
Confidence
90% confidence
Finding
The workflow explicitly states that `orderSuggestion` may include rider name and phone number and instructs the skill to display it directly to the user. Exposing personal contact details without a privacy check, role check, or data-minimization rule can disclose rider PII more broadly than necessary, especially if the wrong user/session/order is referenced or if order details are shown in a shared context.

Missing User Warnings

Medium
Confidence
92% confidence
Finding
The workflow instructs saving and deleting a delivery token on the local machine without requiring any user-facing disclosure about where the credential is stored, how long it persists, or what deletion affects. In a skill that handles courier ordering and account-linked operations, this can lead to users unknowingly leaving reusable credentials on disk or losing session state without informed consent.

Natural-Language Policy Violations

Medium
Confidence
88% confidence
Finding
The instruction that the agent must not reply with anything outside a fixed Chinese template removes the agent's ability to adapt language to the user's preferences or include important safety, privacy, or consent information. While this is not a direct code-execution flaw, it can suppress necessary disclosures during credential collection and increase the chance of user misunderstanding.

Natural-Language Policy Violations

Medium
Confidence
86% confidence
Finding
Mandating a Chinese-only interception template without any language choice can prevent non-Chinese-speaking users from understanding why ordering is blocked and what actions are available next. In this delivery skill context, the issue is mainly user comprehension and informed action rather than direct system compromise, so the security impact is limited but real.

VirusTotal

65/65 vendors flagged this skill as clean.
