Vipshop User Login

Security checks across malware telemetry and agentic risk

Overview

The skill appears to do Vipshop QR login as claimed, but it stores reusable account cookies for direct use by other skills.

Review before installing. Use this only if you trust the publisher and the other Vipshop skills that may read the saved session. Treat ~/.vipshop-user-login/tokens.json like a login credential, avoid shared machines, and use logout or delete the file when you no longer want the session reused.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Supply Chain: Unpinned Dependencies, External Script Fetching, Obfuscated Code
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • Trigger Abuse: Overly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • MCP Least Privilege: Underdeclared Capability, Wildcard Permission, Missing Permission Declaration
Findings (19)

Lp3

Medium
Category
MCP Least Privilege
Confidence
94% confidence
Finding
The skill exercises sensitive capabilities including network access, shell execution, environment inspection, and persistent file read/write, yet it declares no explicit permissions or trust boundaries. That makes the skill harder for a host agent or reviewer to sandbox correctly and can lead to silent access to credentials and local state during a login flow.

Tp4

High
Category
MCP Tool Poisoning
Confidence
97% confidence
Finding
The description says the skill performs a bounded QR login flow and stores tokens, but the document also describes additional persistence, device fingerprint storage, pending-login state, QR image file management, record listing/logout operations, and version/update guidance. This mismatch undermines informed consent and review: a user or orchestrator may invoke a 'login' skill without realizing it also creates extra local artifacts and operational capabilities.

Context-Inappropriate Capability

Medium
Confidence
89% confidence
Finding
The guide explicitly instructs other skills to read persisted authentication cookies from ~/.vipshop-user-login/tokens.json and reuse them for authenticated requests. That expands a QR-login skill into a general shared credential provider, enabling unrelated skills to act as the user against Vipshop APIs without any documented scope restriction, consent boundary, or access control.

Context-Inappropriate Capability

Medium
Confidence
90% confidence
Finding
The TokenManager example formalizes authenticated session reuse as a supported integration pattern, effectively turning this login skill into an authentication broker for arbitrary Vipshop operations. In the context of a skill whose stated purpose is only QR login, this broadens capability beyond the declared function and increases the chance of privilege misuse by other local skills or components.

Context-Inappropriate Capability

Medium
Confidence
85% confidence
Finding
The full user-info retrieval example demonstrates a concrete non-login use of the stored login state, normalizing use of the skill as a gateway to account data access rather than just authentication. This is dangerous because it makes account-bound data retrieval easy to replicate across other skills without additional controls, auditing, or notice to the user.

Description-Behavior Mismatch

Medium
Confidence
92% confidence
Finding
The module persists a device identifier to ~/.vipshop-user-login/device.json even though the skill metadata says login state will be stored in ~/.vipshop-user-login/tokens.json for reuse by other skills. Persisting an additional stable identifier expands the amount of state retained on disk, creates extra cross-session/cross-skill tracking surface, and may surprise users or downstream consumers that rely on the manifest’s narrower storage disclosure.

Intent-Code Divergence

Medium
Confidence
97% confidence
Finding
`stop_poll()` sets a stop event and joins the thread, but the polling loop in `poll_until_complete()` never checks that event, so polling can continue until timeout or a terminal login state. In a login workflow this can keep handling authentication state longer than intended, causing unwanted network activity and prolonging exposure of sensitive session transitions.

Vague Triggers

Medium
Confidence
89% confidence
Finding
The trigger conditions are broad, including not only direct user login requests but also cases where other skills decide the user is 'not logged in' and should be guided into this flow. In an agent ecosystem, that can cause unexpected automatic invocation of a credential-handling skill, increasing the chance of phishing-like prompts, unwanted network traffic, or accidental token creation.

Missing User Warnings

Medium
Confidence
83% confidence
Finding
The documentation shows how to read locally stored authentication cookies and send them to remote Vipshop endpoints, but does not warn that these cookies are sensitive credentials or explain the privacy implications of transmitting them. In a multi-skill environment, omission of such guidance increases the risk that developers will reuse account credentials broadly and expose user session data without informed consent.

Missing User Warnings

Medium
Confidence
98% confidence
Finding
The code prints the `qr_token` directly during polling, exposing a sensitive login artifact in stdout/logs. Because this skill manages QR-based account login and persists login state for reuse by other skills, leaking the token increases the risk of session hijack, unauthorized login completion, or credential/session abuse by anyone with log access.

Missing User Warnings

Medium
Confidence
92% confidence
Finding
`StatusResult` stores the raw HTTP response object, which may contain cookies, headers, redirect details, and other session-bearing data from the login flow. In the context of an authentication skill that saves login state for later reuse, retaining full response objects unnecessarily expands the attack surface for accidental disclosure, unsafe serialization, or downstream misuse of session material.

Missing User Warnings

Medium
Confidence
90% confidence
Finding
This module persists live authentication cookies to ~/.vipshop-user-login/tokens.json on disk, which creates a real confidentiality risk if the host is shared or backed up insecurely, if malware is present, or if the file path is exposed through other local compromise. Although the code attempts to restrict permissions to 0700/0600, the cookies are still stored in plaintext and there is no user-facing consent, warning, or use of an OS-backed secret store, which is significant in a login skill whose purpose is to establish reusable authenticated sessions.

Missing User Warnings

Medium
Confidence
91% confidence
Finding
The script persists the pending qrToken to ~/.vipshop-user-login/pending_login.json without any explicit permission hardening or user disclosure. If another local user or process can read that file, they may reuse the token to poll login state and potentially complete or interfere with the authentication flow, especially because the skill is designed around a split non-blocking login process.

Unpinned Dependencies

Low
Category
Supply Chain
Content
requests>=2.28.0
qrcode>=7.0
Pillow>=9.0.0
packaging>=21.0
Confidence
94% confidence
Finding
requests>=2.28.0

Unpinned Dependencies

Low
Category
Supply Chain
Content
requests>=2.28.0
qrcode>=7.0
Pillow>=9.0.0
packaging>=21.0
Confidence
93% confidence
Finding
qrcode>=7.0

Unpinned Dependencies

Low
Category
Supply Chain
Content
requests>=2.28.0
qrcode>=7.0
Pillow>=9.0.0
packaging>=21.0
Confidence
97% confidence
Finding
Pillow>=9.0.0

Unpinned Dependencies

Low
Category
Supply Chain
Content
requests>=2.28.0
qrcode>=7.0
Pillow>=9.0.0
packaging>=21.0
Confidence
90% confidence
Finding
packaging>=21.0

Known Vulnerable Dependency: requests — 10 advisory(ies): CVE-2014-1830 (Exposure of Sensitive Information to an Unauthorized Actor in Requests); CVE-2024-47081 (Requests vulnerable to .netrc credentials leak via malicious URLs); CVE-2024-35195 (Requests `Session` object does not verify requests after making first request wi) +7 more

High
Category
Supply Chain
Confidence
86% confidence
Finding
requests

Known Vulnerable Dependency: Pillow — 10 advisory(ies): CVE-2016-2533 (Pillow buffer overflow in ImagingPcdDecode); CVE-2023-50447 (Arbitrary Code Execution in Pillow); CVE-2021-27922 (Pillow Uncontrolled Resource Consumption) +7 more

Critical
Category
Supply Chain
Confidence
91% confidence
Finding
Pillow

VirusTotal

67/67 vendors flagged this skill as clean.
