uupaotui

Security checks across malware telemetry and agentic risk

Overview

The skill is a real delivery-ordering integration, but it grants high-impact order, payment, cancellation, and tracking authority with weak confirmation and under-disclosed data sharing.

Review this skill before installing. Use it only if you are comfortable giving it order-management access for UU跑腿, and require explicit final confirmation before creating or cancelling any order. Avoid shared terminals/logging when tracking orders, and be aware it may store your openId locally and contact third-party IP and QR-code services.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • Trigger Abuse: Overly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • MCP Tool Poisoning: Hidden Instructions, Unicode Deception, Parameter Description Injection
Findings (8)

Scope Creep

Severity: Medium
Confidence: 98%
Finding: The documentation instructs use of undeclared environment variables such as UUPT_APP_ID, UUPT_APP_SECRET, and UUPT_OPEN_ID even though the manifest says env: []. That creates a hidden secret-handling path: the skill may access sensitive credentials outside the declared permission model, undermining auditability and increasing the risk of accidental secret exposure or policy bypass.

Description-Behavior Mismatch

Severity: Medium
Confidence: 93%
Finding: The skill sends the payment URL to a third-party QR code generation service and downloads the resulting image. That unnecessarily discloses sensitive payment/order-linked data to an unrelated external provider outside the stated delivery workflow, creating privacy leakage and possible payment-link exposure if the URL contains tokens or order identifiers.

Context-Inappropriate Capability

Severity: Medium
Confidence: 89%
Finding: The registration flow queries multiple unrelated public IP-discovery services, disclosing that the user is using the skill and leaking metadata to several third parties. This broadens external data exposure beyond the delivery provider and increases tracking, correlation, and reliability risks if those services are compromised or return manipulated results.

Vague Triggers

Severity: Medium
Confidence: 94%
Finding: The trigger description matches very broad everyday phrases like '帮我', '送', or '取', which can cause the skill to activate in conversations that are not actually intended to place or manage delivery tasks. In this skill's context, accidental activation is more dangerous because it can lead directly into quoting, registration, or even order-creation flows involving personal data and potential charges.

Missing User Warnings

Severity: High
Confidence: 99%
Finding: The skill explicitly instructs the agent to create orders immediately after pricing and states '无需二次确认', which removes a critical consent checkpoint before triggering a real-world commercial action. In a delivery/purchasing context this is especially dangerous because mis-parsed requests, prompt ambiguity, or malicious conversation injection could cause unintended orders, charges, disclosure of phone/address data, or physical dispatches to real locations.

Missing User Warnings

Severity: Medium
Confidence: 95%
Finding: The function queries multiple third-party services to discover the user's public IP, which necessarily discloses the user's network metadata to external parties without explicit user consent or notice. In a delivery skill, IP address collection may support registration or fraud controls, but silently sending it to unrelated IP-lookup providers creates unnecessary privacy exposure and expands the data-sharing surface.

Missing User Warnings

Severity: Medium
Confidence: 92%
Finding: The script performs an irreversible, state-changing action immediately after parsing command-line input, with no confirmation step, dry-run mode, or secondary verification. In a delivery skill where cancellations can incur fees, disrupt fulfillment, or affect customers and couriers, accidental or scripted misuse can cause financial and operational harm.

Missing User Warnings

Severity: Medium
Confidence: 91%
Finding: The script prints personally identifiable information and live location data for the driver, including name, phone number, coordinates, and distance, directly to stdout with no masking, consent check, or audience restriction. In a delivery-tracking context, this data is privacy-sensitive and could be exposed through terminal logs, shared sessions, CI output, or misuse by unauthorized operators, enabling stalking, harassment, or improper disclosure of courier information.

VirusTotal

VirusTotal findings are pending for this skill version.