
Security audit

Vipshop Product Details (唯品会商品详情)

Security checks across malware telemetry and agentic risk

Overview

This Vipshop product-detail skill needs review because it reads local login tokens, can auto-install/run a login helper, and can display session-bearing auto-login links.

Review carefully before installing. Use only if you are comfortable with the skill reading Vipshop login tokens from your home directory, sending session cookies to Vipshop, installing or invoking a separate login skill, and producing auto-login links that should be treated like sensitive session material. Do not share generated exchange-token links.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • MCP Tool Poisoning: Hidden Instructions, Unicode Deception, Parameter Description Injection
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Privilege Escalation: Excessive Permissions, Sudo/Root Execution, Credential Access
Findings (16)

Description-Behavior Mismatch

Severity: Medium
Confidence: 89%
Finding:
The README broadens a product-detail lookup skill into an orchestrator that installs and invokes a separate login skill, which changes the user's environment and expands trust boundaries beyond the declared purpose. This creates a supply-chain and privilege-escalation risk because a simple lookup request can trigger installation and execution of another component with access to authentication material.

Context-Inappropriate Capability

Severity: High
Confidence: 95%
Finding:
Automatically running `clawhub install vipshop-user-login` on behalf of the user is risky because it performs an unprompted environment modification and fetches executable content from an external source. If the package is replaced, compromised, or unexpected, a benign product query becomes a path to arbitrary code or credential-handling behavior the user did not approve.

Context-Inappropriate Capability

Severity: Medium
Confidence: 87%
Finding:
Requiring blocking orchestration of an external login skill turns this skill into a session manager that controls authentication flow and waits for user login completion before proceeding. This is dangerous because it couples unrelated capabilities and allows a product lookup to drive authenticated actions across skills using credentials the user may not realize are being consumed.

Context-Inappropriate Capability

Severity: Medium
Confidence: 91%
Finding:
The skill instructs the agent to install another skill via clawhub as part of normal execution. Allowing a content file to trigger dependency installation expands the trust boundary and can lead to unreviewed code being fetched and executed, which is outside the expected scope of a product-detail lookup.

Context-Inappropriate Capability

Severity: High
Confidence: 97%
Finding:
The fallback path tells the agent to execute another skill's login script directly from a relative path. This is cross-skill code execution without isolation or provenance checks, enabling unintended execution of external code and broadening the attack surface beyond the declared function of the skill.

Description-Behavior Mismatch

Severity: Medium
Confidence: 90%
Finding:
The documented workflow expands a simple product-detail skill into an orchestrator that checks login state, installs dependencies, triggers login flows, and waits in blocking mode. This broader operational scope increases privilege needs and creates more opportunities for unsafe actions than users would expect from a read-only shopping detail query.

Context-Inappropriate Capability

Severity: Medium
Confidence: 82%
Finding:
The code generates a login/exchange-linked product URL via `build_product_link(brand_id, product_id)`, which can embed account-context capability beyond simple read-only detail retrieval. In this skill’s context, that increases the chance that the returned link carries authenticated state or can be used to pivot into actions tied to the user session, which is more sensitive than merely displaying product metadata.

Context-Inappropriate Capability

Severity: High
Confidence: 98%
Finding:
The code hardcodes a secret signing key used to produce authenticated exchange-token URLs. Embedding such a secret in source code allows anyone with code access to mint valid signatures, enabling abuse of authenticated link generation and potentially unauthorized access or session bridging beyond the intended product-detail use case.

Missing User Warnings

Severity: Medium
Confidence: 91%
Finding:
The instructions tell the agent to install and invoke a login skill automatically without a clear upfront warning that the system will modify the environment and initiate a login process. Lack of informed consent increases the chance of surprise authentication prompts, unwanted software changes, and unsafe approval by users who think they requested only a read-only detail lookup.

Missing User Warnings

Severity: Medium
Confidence: 90%
Finding:
The skill states it will read `~/.vipshop-user-login/tokens.json` to validate login and use that state for authenticated requests, but it does not provide a clear privacy/security warning about accessing local credential material. Silent reliance on stored tokens can surprise users and normalize agent access to sensitive files without explicit authorization.

Missing User Warnings

Severity: High
Confidence: 99%
Finding:
The skill explicitly instructs the AI to display auto-login exchange-token URLs directly to the user without warning. These URLs are authentication-bearing artifacts; exposing them verbatim can leak session-derived access, enable unintended account access if copied or logged, and spread sensitive tokens into chat histories and downstream systems.

Missing User Warnings

Severity: Medium
Confidence: 95%
Finding:
The skill sends the user’s `PASSPORT_ACCESS_TOKEN` cookie to remote Vipshop APIs to fetch product details, but the skill description does not clearly disclose that authenticated session material will be transmitted as part of the request. Even if this is functionally necessary, hidden use of login cookies is privacy-sensitive and can surprise users, especially since the skill is framed as product-detail lookup rather than account-context API access.

Missing User Warnings

Severity: Medium
Confidence: 94%
Finding:
The script reads a sensitive local authentication token from `~/.vipshop-user-login/tokens.json` and silently uses it to construct exchange links. Accessing and reusing bearer-style authentication material without explicit user disclosure or strong scoping increases the risk of credential misuse, token exfiltration through downstream URLs, and unintended cross-skill privilege use.

Ssd 3

Severity: Medium
Confidence: 93%
Finding:
The README instructs the agent to inspect a local token file and then use those credentials to continue actions on the user's behalf, which is a sensitive delegation pattern. Even if intended for convenience, it expands agent access to authentication artifacts and can enable unintended authenticated requests without granular user approval.

Ssd 3

Severity: High
Confidence: 99%
Finding:
The instructions require revealing authenticated exchange-token product links directly in model output. Because these links appear to embed or derive from local login credentials, disclosing them can expose session access to anyone with the transcript or any system that stores chat logs, making this a direct credential/secret leakage issue.

Ssd 3

Severity: High
Confidence: 99%
Finding:
This section repeats the instruction to show authenticated exchange-token links without distinction, normalizing the exposure of sensitive login-derived URLs. Repetition increases the chance the agent will comply and makes accidental credential leakage more likely across ordinary product-detail interactions.

VirusTotal

64/64 vendors flagged this skill as clean.


Static analysis

No suspicious patterns detected.