Vipshop Product Search (唯品会商品搜索)

Security checks across malware telemetry and agentic risk

Overview

This Vipshop shopping skill is mostly aligned with its stated purpose, but it automatically installs or runs login-related components and uses stored account tokens in ways users should review first.

Install only if you trust this publisher and are comfortable with the skill using a stored Vipshop login session. Review the separate `vipshop-user-login` and `vipshop-product-detail` skills before allowing this skill to install or run them, and treat generated product links as account-sensitive because they may contain token-derived login data.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Supply Chain: Unpinned Dependencies, External Script Fetching, Obfuscated Code
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • Trigger Abuse: Overly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • MCP Least Privilege: Underdeclared Capability, Wildcard Permission, Missing Permission Declaration
Findings (17)

Lp3

Medium
Category
MCP Least Privilege
Confidence
86% confidence
Finding
The skill documentation instructs the agent to read local login state, potentially write local state, and make networked requests, but it declares no permissions. This creates a transparency and consent problem: users and host platforms cannot accurately assess or constrain what the skill can access before it runs.

Tp4

High
Category
MCP Tool Poisoning
Confidence
94% confidence
Finding
This is more than a simple product-search skill: it also relies on local token extraction, constructs exchange-token login links, uses a built-in signing secret, and persists device identifiers. Those hidden behaviors materially expand the trust boundary and could expose authentication material or enable session-bearing links to be generated without the user understanding that account-linked data is being reused.

Context-Inappropriate Capability

Medium
Confidence
96% confidence
Finding
The README instructs the agent to install another skill (`vipshop-user-login`) at runtime, which expands capabilities beyond product search into package management and account-authenticated actions. Automatic dependency installation is dangerous because a missing-skill condition can trigger unreviewed code acquisition and execution without explicit user approval.

Description-Behavior Mismatch

Medium
Confidence
91% confidence
Finding
The skill broadens its role from product search into product-detail retrieval by invoking a separate skill/script, increasing privilege and behavioral scope beyond the declared purpose. Cross-capability expansion is risky because users and policy may allow a search skill while not expecting it to trigger additional code paths and network operations in another component.

Context-Inappropriate Capability

Medium
Confidence
97% confidence
Finding
The README tells the agent to execute a sibling skill's script directly via a relative path (`../vipshop-product-detail/scripts/detail.py`), bypassing normal skill isolation and trust boundaries. Direct cross-directory script execution can let one skill chain into arbitrary local code, making review, sandboxing, and permission scoping much harder.

Context-Inappropriate Capability

Medium
Confidence
97% confidence
Finding
Repeated instructions to auto-install `vipshop-user-login` normalize self-provisioning behavior and create multiple paths for acquiring extra code during execution. In a shopping skill, this is especially unsafe because it combines package installation with authenticated login flow, raising the chance of silent capability escalation.

Description-Behavior Mismatch

Medium
Confidence
87% confidence
Finding
This script adds functionality beyond the stated skill purpose of product search by generating authenticated exchange-token links that leverage the user's login state. While not automatically malicious, this expands the attack surface and creates a mechanism to transform local authentication material into navigable URLs, which is security-sensitive and insufficiently justified by the declared capability.

Context-Inappropriate Capability

High
Confidence
95% confidence
Finding
The code reads a local PASSPORT_ACCESS_TOKEN from the user's token store and repackages it into a signed exchange URL. This is dangerous because it operationalizes a sensitive credential for downstream use without strong access controls, creating opportunities for session misuse, unauthorized account access via generated links, or credential exposure through logging, sharing, or unintended invocation paths.

Description-Behavior Mismatch

Medium
Confidence
92% confidence
Finding
The code persists a device identifier under the user's home directory even though the skill is described as a search utility. This creates undocumented local state and tracking data, which can exceed user expectations, broaden privacy risk, and leave residual identifiers on disk that other local processes or future runs can reuse.

Missing User Warnings

Medium
Confidence
95% confidence
Finding
The README directs the agent to automatically install and invoke a login skill without obtaining explicit user confirmation or presenting a strong warning about authenticated account activity. This is dangerous because it can initiate account-linked actions and code acquisition in response to a simple shopping query, exceeding reasonable user expectations.

Missing User Warnings

Medium
Confidence
94% confidence
Finding
The skill mandates automatic continuation from detecting no login, to launching login, to resuming search, all without a sufficient warning boundary for account-authenticated network activity. This reduces user control over sensitive actions and can cause the agent to act with stored credentials or session tokens without deliberate consent at the time of use.

Vague Triggers

High
Confidence
88% confidence
Finding
The trigger conditions are extremely broad and cover many generic shopping-related intents across multiple platforms, making accidental activation likely. In this skill, accidental activation is more dangerous than usual because activation can cascade into login-state checks, local file access, network requests, and even automatic installation or execution of another skill.

Vague Triggers

High
Confidence
85% confidence
Finding
The overview repeats broad activation language without boundaries, reinforcing a pattern of over-triggering. Because this skill can initiate authentication flows and use local tokens, the lack of strict activation criteria increases the risk of unintended account-affecting behavior from casual shopping-related prompts.

Missing User Warnings

Medium
Confidence
92% confidence
Finding
The skill explicitly tells the agent to inspect a local token file and automatically launch a blocking login flow when not authenticated, without requiring a fresh user confirmation at the moment of action. That combination of local credential-state probing plus autonomous auth flow initiation is security-sensitive and can surprise users or be abused by prompt-triggered activation.

Missing User Warnings

Medium
Confidence
95% confidence
Finding
Automatically installing and executing a dependency skill or fallback script is a significant supply-chain and execution risk, especially when done without prominent warning or confirmation. A broadly triggered skill that can self-install and run additional components materially increases the chance of unintended code execution in response to ordinary user prompts.

Missing User Warnings

Medium
Confidence
92% confidence
Finding
The script accesses a sensitive authentication token from a local credential file during normal execution without any user-facing disclosure or runtime consent. In the context of an agent skill, silent access to stored login state is risky because users may believe they are only performing product search, not authorizing the skill to consume local account credentials for link generation.

Ssd 3

Medium
Confidence
83% confidence
Finding
The instruction to remember prior search results for later detail lookup introduces session-state retention of user-derived and account-derived shopping data across turns. While limited in scope, retaining result context without minimization or lifetime controls can expose prior user activity unexpectedly, especially in shared or mixed-session environments.

VirusTotal

66/66 vendors flagged this skill as clean.