uu跑腿

Security checks across malware telemetry and agentic risk

Overview

This delivery skill is not malware, but it needs review because it can place paid real-world courier orders and handles personal/order data with weak confirmation and privacy controls.

Review before installing. Use this only if you intend the agent to handle real UU跑腿 orders, and require a final confirmation that shows addresses, phone number, service note, price, and payment method before any order is placed. Avoid using it on shared machines unless you are comfortable with config.json storing account-linked identifiers or credentials, and be aware that registration and payment QR flows may contact third-party services beyond UU跑腿.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • Trigger Abuse: Overly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • MCP Least Privilege: Underdeclared Capability, Wildcard Permission, Missing Permission Declaration
  • MCP Tool Poisoning: Hidden Instructions, Unicode Deception, Parameter Description Injection
Findings (12)

Lp3

Medium
Category
MCP Least Privilege
Confidence
95% confidence
Finding
The skill documentation and manifest indicate capabilities to read environment variables, write configuration files, and make network requests, but it declares no permissions. This creates a transparency and policy-enforcement gap: users and the platform cannot accurately assess what the skill can access, and a compromised or misused skill could handle credentials and personal data without explicit authorization boundaries.

Scope Creep

Medium
Confidence
97% confidence
Finding
The manifest says no environment variables are required, yet the documentation instructs using environment variables for app credentials and user identifiers. This mismatch can lead to hidden secret dependencies, insecure fallback behavior, and improper deployment practices where operators may expose sensitive credentials without platform visibility or review.

Description-Behavior Mismatch

Medium
Confidence
89% confidence
Finding
The skill sends the payment URL to a third-party QR code service and writes the resulting image to local disk, which goes beyond the core delivery-order workflow disclosed in the manifest. This can expose sensitive payment/order URLs to an unrelated external service and leaves potentially sensitive artifacts on disk without clear user consent or retention controls.

Context-Inappropriate Capability

Medium
Confidence
92% confidence
Finding
The registration flow queries several unrelated external IP-discovery services to determine the user's public IP. This unnecessarily shares user metadata with multiple third parties and expands the privacy and supply-chain exposure surface beyond the stated delivery provider integration.

Vague Triggers

High
Confidence
96% confidence
Finding
The trigger phrases include very broad everyday terms such as '帮我' and common delivery-related verbs, making accidental invocation likely. In this skill's context, accidental activation is especially dangerous because it can lead into workflows that collect personal data and create real-world delivery or service orders with financial consequences.

Missing User Warnings

High
Confidence
99% confidence
Finding
The skill explicitly instructs the agent to create real-world orders immediately after pricing, without a final user confirmation. For a transactional service involving money, courier dispatch, and physical-world actions, this can cause unauthorized purchases, unwanted service execution, and privacy exposure from transmitting addresses and phone numbers.

Missing User Warnings

Medium
Confidence
88% confidence
Finding
The workflow collects and transmits sensitive personal data including phone numbers, addresses, and potentially location-related service details, but provides no privacy notice or data-handling warning. In a delivery skill, this increases the risk of users disclosing personal information without understanding how it will be stored, shared with the third-party service, or protected.

Natural-Language Policy Violations

Low
Confidence
99% confidence
Finding
The file contains hard-coded API credentials (`appId` and `appSecret`) embedded directly in the skill configuration. Exposed secrets can be extracted by anyone with access to the package or repository and then abused to impersonate the skill, invoke the delivery provider API, place or inspect orders, or consume paid quota tied to the account.

Missing User Warnings

Medium
Confidence
92% confidence
Finding
The script prints personally identifiable and highly sensitive operational data directly to stdout, including the driver's name, phone number, and real-time coordinates. In a CLI context this can be exposed through shell history, terminal logs, CI/CD logs, screen recording, or shared consoles, creating unnecessary privacy and tracking risk beyond the minimum needed to fulfill the feature.

Missing User Warnings

Medium
Confidence
93% confidence
Finding
The script prints full order details and then explicitly surfaces sensitive fields including pickup and destination addresses, rider name, and rider phone number to stdout. In a delivery context this is real personal and location data, and CLI output may be exposed through logs, terminal history capture, screenshots, shared shells, or automation pipelines, so exposing it without masking or an explicit privacy warning creates a meaningful confidentiality risk.

Missing User Warnings

Medium
Confidence
94% confidence
Finding
The skill transmits requests to multiple IP lookup providers during registration without an explicit privacy notice in the skill description. Even if the service only returns the caller's public IP, contacting multiple third parties reveals user metadata and network information that is not obviously required from the user's perspective.

Missing User Warnings

Medium
Confidence
87% confidence
Finding
The skill persists the acquired openId to config.json on disk without clear upfront disclosure. Because openId is an account-linked identifier used for subsequent authenticated requests, local persistence can create privacy and access risks on shared systems or in poorly protected working directories.

VirusTotal

65/65 vendors flagged this skill as clean.
