Vipshop Skill Set (唯品会技能集)

Security checks across malware telemetry and agentic risk

Overview

The skill appears to be a real Vipshop shopping assistant, but it asks for broad automatic login, installation, and stored account-token reuse that users should review carefully.

Install only if you are comfortable logging into Vipshop through this skill and having its subskills store and reuse a local Vipshop session. Review the automatic login/install behavior, avoid using it for generic shopping requests unless you explicitly want Vipshop results, and clear `~/.vipshop-user-login/tokens.json` when you no longer want the session available.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • Trigger Abuse: Overly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • MCP Tool Poisoning: Hidden Instructions, Unicode Deception, Parameter Description Injection
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
Findings (59)

Context-Inappropriate Capability
Severity: Medium
Confidence: 91%

The helper reads a persistent login token from a fixed file in the user's home directory to construct authenticated exchange links. That expands the skill's effective privilege from simple link generation into credential access, and it does so silently in normal operation. In an agent-skill context, this is dangerous because another part of the skill can cause account-bound links to be generated without explicit user awareness, increasing the chance of unintended session use or token misuse.

Context-Inappropriate Capability
Severity: Medium
Confidence: 95%

The README instructs the agent to automatically install and invoke another skill (`vipshop-user-login`) and continue execution in blocking mode. That expands the trust boundary from a product-detail lookup into software installation and cross-skill orchestration without an explicit, per-action user authorization step, which can lead to unintended code execution paths or abuse of agent privileges.

Description-Behavior Mismatch
Severity: Medium
Confidence: 94%

The skill is presented as a product-detail lookup, but its instructions expand behavior to automatically install and invoke a separate login skill and run an external login script. That materially broadens the execution scope beyond the declared purpose, increasing the chance of unexpected code execution and privilege use without clear user consent.

Context-Inappropriate Capability
Severity: Medium
Confidence: 95%

Automatically installing another skill is not necessary for a simple product-detail query and introduces supply-chain and environment-modification risk. A documentation-defined query skill should not be able to change the host system or extend its capabilities without an explicit trust boundary and user approval.

Context-Inappropriate Capability
Severity: Medium
Confidence: 96%

The documentation authorizes execution of an external login script in blocking mode, which is outside the narrow purpose of fetching product details. This creates a path for arbitrary local code execution and interactive authentication handling under the guise of a read-only shopping query.

Description-Behavior Mismatch
Severity: Medium
Confidence: 84%

The tool is documented as a product-detail query utility, but it also generates an exchange/login-style product link via `build_product_link`. That expands the capability from passive retrieval into account-contextual navigation or session-bearing redirection, which can enable unintended authenticated flows or tracking beyond what a user would expect from a detail viewer.

Context-Inappropriate Capability
Severity: Medium
Confidence: 93%

The code reads persistent login tokens from `~/.vipshop-user-login/tokens.json`, giving a product-detail tool access to stored authentication material unrelated to its minimal stated purpose. This creates a privacy and session-security risk because local credentials are silently reused for remote requests, broadening the blast radius if the skill is misused or modified.

Context-Inappropriate Capability
Severity: Medium
Confidence: 92%

The code reads a persisted PASSPORT_ACCESS_TOKEN from the user's home directory and uses it to construct an authenticated exchange link, even though this helper is framed as a product-detail link builder. Accessing local login state broadens the skill's privilege beyond simple product URL generation and creates an implicit authentication dependency that is not apparent to the user.

Description-Behavior Mismatch
Severity: Medium
Confidence: 95%

The README broadens a product-search skill into an orchestration layer that checks login state, triggers authentication, waits for completion, and resumes actions automatically. That scope expansion is risky because it turns a simple search flow into an agentic workflow with access to local credentials and account state, increasing the chance of unintended sensitive actions or privilege creep.

Context-Inappropriate Capability
Severity: High
Confidence: 98%

Automatically installing another skill (`clawhub install vipshop-user-login`) introduces unreviewed code and new capabilities at runtime without explicit user approval. This is dangerous because a benign-looking search request can trigger package installation and execution, expanding trust to additional components that may access credentials or perform account actions.

Context-Inappropriate Capability
Severity: Medium
Confidence: 96%

The README instructs the AI to inspect `~/.vipshop-user-login/tokens.json` to determine whether the user is logged in, which requires reading a local credential store. Accessing local token files from a search skill is sensitive because it normalizes credential inspection outside a tightly scoped auth component and may expose authentication material or metadata to unintended code paths.

Context-Inappropriate Capability
Severity: Medium
Confidence: 92%

The skill explicitly instructs the agent to install another skill and execute external commands as part of handling a normal product-search request. This expands the skill's effective privilege and attack surface beyond search, enabling unexpected code paths and cross-skill chaining without clear user consent or trust boundaries.

Description-Behavior Mismatch
Severity: Medium
Confidence: 88%

The skill is presented as a product-search capability, but it also directs the agent to retrieve product details via a separate skill or script. This hidden scope expansion can bypass user expectations and security review assumptions, especially if the detail path has different permissions, data access, or side effects.

Context-Inappropriate Capability
Severity: Medium
Confidence: 92%

The script reads a persistent login token from the user's home directory and uses it to mint authenticated exchange links, even though this file is framed as a product-search helper. That creates an unnecessary credential-access path and couples a low-privilege shopping/search function to account-authenticated behavior, increasing the blast radius if the skill is misused or modified.

Description-Behavior Mismatch
Severity: Low
Confidence: 88%

The module creates and persists a device identifier in the user's home directory, which introduces local tracking state beyond a transient search helper. In a shopping skill this may be operationally useful for maintaining a stable client identity, but it still expands data persistence and fingerprinting surface without clear disclosure or lifecycle controls.

Intent-Code Divergence
Severity: Medium
Confidence: 95%

The code and comments describe the transform as 'secure encryption,' but the implementation is only a deterministic checksum-like character replacement and provides no confidentiality. This is dangerous because developers or downstream users may treat the resulting value as protected or tamper-resistant when it is easily reproducible and reversible in effect.
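What the finding above means in practice, as an added example (not the skill's code and not SkillSpector's): `pseudo_encrypt` is a hypothetical stand-in for a fixed character-replacement transform, not the skill's actual routine. The block shows the three checks a reviewer can run against any routine labelled "encryption": it can be inverted from the shipped code alone, one known plaintext/ciphertext pair reveals the mapping even without the code, and the same input always yields the same output. The keyed, randomized routine at the end is a toy contrast built from HMAC-SHA256 in counter mode so that the determinism test has something to fail on; it is illustration only and has no integrity protection.

```python
"""Why a deterministic character-replacement 'encryption' is an encoding, not
encryption. Added example; `pseudo_encrypt` is a hypothetical stand-in for the
skill's routine, not its actual code."""
import hashlib
import hmac
import secrets
import string

ALPHABET = string.ascii_letters + string.digits + "_-"


def pseudo_encrypt(text: str, shift: int = 7) -> str:
    """Hypothetical 'secure encryption': every alphabet character is replaced by
    the one `shift` places later. Fixed table, no key, no randomness."""
    out = []
    for ch in text:
        i = ALPHABET.find(ch)
        out.append(ch if i < 0 else ALPHABET[(i + shift) % len(ALPHABET)])
    return "".join(out)


def invert_from_shipped_code(cipher: str) -> str:
    """The transform ships with the skill, so an attacker simply tabulates it."""
    table = {pseudo_encrypt(c): c for c in ALPHABET}
    return "".join(table.get(c, c) for c in cipher)


def invert_from_one_pair(cipher: str, known_plain: str, known_cipher: str) -> str:
    """Even without the code, one plaintext/ciphertext pair reveals the mapping
    for every character that pair contains."""
    table = dict(zip(known_cipher, known_plain))
    return "".join(table.get(c, c) for c in cipher)


def is_deterministic(encrypt, sample: str = "same-input") -> bool:
    """Quick reviewer check: real encryption of the same input twice must not
    produce the same output (fresh nonce/IV each call)."""
    return encrypt(sample) == encrypt(sample)


def _keystream_block(key: bytes, nonce: bytes, counter: int) -> bytes:
    return hmac.new(key, nonce + counter.to_bytes(4, "big"), hashlib.sha256).digest()


def keyed_randomized_encrypt(key: bytes, plaintext: bytes) -> bytes:
    """Toy contrast: HMAC-SHA256 as a PRF in counter mode with a fresh random
    nonce. Illustration only (no integrity protection); use AES-GCM from a
    vetted library in real code."""
    nonce = secrets.token_bytes(16)
    out = bytearray()
    for off in range(0, len(plaintext), 32):
        block = _keystream_block(key, nonce, off // 32)
        out.extend(a ^ b for a, b in zip(plaintext[off:off + 32], block))
    return nonce + bytes(out)


def keyed_randomized_decrypt(key: bytes, data: bytes) -> bytes:
    nonce, body = data[:16], data[16:]
    out = bytearray()
    for off in range(0, len(body), 32):
        block = _keystream_block(key, nonce, off // 32)
        out.extend(a ^ b for a, b in zip(body[off:off + 32], block))
    return bytes(out)


if __name__ == "__main__":
    token = "PASSPORT_ACCESS_TOKEN-abc123"
    c = pseudo_encrypt(token)
    print("stored value:", c)
    print("recovered from shipped code:", invert_from_shipped_code(c))
    print("deterministic:", is_deterministic(pseudo_encrypt))
```

The determinism check is the cheapest triage signal: a routine that needs no key argument and returns the same string for the same input is at best an obfuscation, and a value it produces from a token should be treated as the token itself when deciding how to store and log it.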

Context-Inappropriate Capability
Severity: Medium
Confidence: 95%

The skill instructs the agent to automatically install another skill via `clawhub install vipshop-user-login` as part of a normal promotion-query flow. That expands capabilities and changes the local environment without explicit user consent, creating a supply-chain and privilege-escalation risk that is not justified by simply querying promotions.

Context-Inappropriate Capability
Severity: Medium
Confidence: 97%

The skill directs execution of `../vipshop-user-login/scripts/vip_login.py --blocking`, an external script outside the current skill boundary. Executing cross-skill code for a promotion lookup unnecessarily broadens execution scope and could run unreviewed or unexpected code paths, especially if the referenced skill has been modified or replaced.
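A pre-install triage check for the patterns the findings above repeat (auto-install via `clawhub install`, execution of `../<skill>/scripts/*.py --blocking`, reads of `~/.<skill>/tokens.json`, and the `PASSPORT_ACCESS_TOKEN` identifier), as an added example. This is not code from the skill or from SkillSpector; the regexes are assumptions about how those behaviours appear in a SKILL.md and its helper scripts, and the sample bundle is constructed to mirror the findings rather than copied from the real files. The scanner reports every hit with its file and line and then compares the hits against the skill's declared scope, which is the description-behavior comparison the findings are making.

```python
"""Static triage of an agent-skill bundle for the risk patterns in the findings
above (auto-install, cross-skill script execution, reads of a persisted token
store). Added example; it is not code from the skill or from SkillSpector, and
the sample bundle below is constructed to mirror the findings."""
from __future__ import annotations

import re
from dataclasses import dataclass

# Rule name -> regex. The patterns are assumptions about how these behaviours
# appear in SKILL.md files and helper scripts; tune them for the registry you audit.
RULES = [
    ("auto-install of another skill", re.compile(r"\bclawhub\s+install\s+\S+")),
    ("cross-skill script execution", re.compile(r"\.\./[\w.-]+/scripts/\S+\.py")),
    ("blocking external login flow", re.compile(r"--blocking\b")),
    ("read of persisted token store", re.compile(r"~/\.[\w-]+/tokens\.json")),
    ("access-token identifier in code", re.compile(r"\bPASSPORT_ACCESS_TOKEN\b")),
]

# Hits on these rules mean a skill declared as a read-only lookup can change the
# host or touch credentials, which is the scope mismatch the findings describe.
ESCALATING = {
    "auto-install of another skill",
    "cross-skill script execution",
    "read of persisted token store",
    "access-token identifier in code",
}


@dataclass(frozen=True)
class Hit:
    file: str
    line: int
    rule: str
    text: str


def scan_text(name: str, text: str) -> list[Hit]:
    """Return one Hit per (line, rule) match; a line can trigger several rules."""
    hits = []
    for lineno, line in enumerate(text.splitlines(), 1):
        for rule, pattern in RULES:
            if pattern.search(line):
                hits.append(Hit(name, lineno, rule, line.strip()))
    return hits


def scan_bundle(files: dict[str, str]) -> list[Hit]:
    hits: list[Hit] = []
    for name, text in files.items():
        hits.extend(scan_text(name, text))
    return hits


def scope_verdict(hits: list[Hit], declared_scope: str = "read-only product query") -> str:
    """Compare what the bundle does against what its description claims."""
    found = sorted({h.rule for h in hits} & ESCALATING)
    if not found:
        return "OK: no capability beyond " + declared_scope
    return "REVIEW: declared %s but bundle performs %s" % (declared_scope, "; ".join(found))


# Constructed sample bundle shaped like the findings (hypothetical file contents,
# not the real skill files).
SAMPLE_BUNDLE = {
    "SKILL.md": (
        "# Product detail lookup\n"
        "1. Check whether ~/.vipshop-user-login/tokens.json exists.\n"
        "2. If it does not, run: clawhub install vipshop-user-login\n"
        "3. Then run: python ../vipshop-user-login/scripts/vip_login.py --blocking\n"
    ),
    "scripts/product_detail.py": (
        "import json, os\n"
        'TOKEN_FILE = os.path.expanduser("~/.vipshop-user-login/tokens.json")\n'
        "def build_product_link(pid):\n"
        '    token = json.load(open(TOKEN_FILE))["PASSPORT_ACCESS_TOKEN"]\n'
        '    return f"https://example.invalid/exchange?pid={pid}&token={token}"\n'
    ),
}

if __name__ == "__main__":
    found = scan_bundle(SAMPLE_BUNDLE)
    for h in found:
        print(f"{h.file}:{h.line}: {h.rule}: {h.text}")
    print(scope_verdict(found))
```

Run against a real bundle by reading each file under the skill directory into the `files` dict; the verdict is only as good as the declared scope you pass in, so take that from the skill's own description rather than from the README body, since the findings above are precisely about the two disagreeing.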

Context-Inappropriate Capability
Severity: Medium
Confidence: 92%

The documentation expands a QR-login skill into broader uses like accessing user data, data collection, and using a real user identity. That broadening encourages use of saved authentication for secondary purposes beyond the immediate login action, increasing privacy, consent, and abuse risk if other skills or operators reuse the session.

Context-Inappropriate Capability
Severity: Medium
Confidence: 95%

The module stores and returns the full `requests.Response` object in `StatusResult`, and the inline comment explicitly states it is kept for cookie extraction. In a login QR polling flow, that response can carry authenticated session cookies or other sensitive headers, so exposing it beyond the minimal polling boundary unnecessarily increases the chance of session theft or misuse by downstream code.

Intent-Code Divergence
Severity: Medium
Confidence: 88%

The module is presented as a status poller, but the implementation preserves raw HTTP responses specifically for later cookie extraction, expanding it from passive status checking into handling authentication material. In the context of an e-commerce login skill, that scope creep is dangerous because it blurs trust boundaries and can enable hidden capture or propagation of login session data.
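How the two findings above play out in code, and what the minimal-boundary alternative looks like, as an added example that is not the skill's own code. `LeakyStatusResult` mirrors the pattern described (the whole transport object leaves the poller "for cookie extraction"); `StatusResult` is the hardened version, which hands callers a status and an opaque handle while the cookies stay inside the auth module. `FakeResponse`, `QrStatus`, the `vip_session` cookie name and the status values are assumptions made so the example runs offline without `requests`.

```python
"""Keeping session material inside the auth boundary of a QR-login poller.
Added example, not the skill's code: `LeakyStatusResult` mirrors the pattern
the findings describe, `StatusResult` is a hardened alternative, and
`FakeResponse` stands in for requests.Response so the example runs offline."""
from __future__ import annotations

import secrets
from dataclasses import dataclass
from enum import Enum


class QrStatus(Enum):
    PENDING = "pending"
    SCANNED = "scanned"
    CONFIRMED = "confirmed"
    EXPIRED = "expired"
    FAILED = "failed"


class FakeResponse:
    """Minimal stand-in for requests.Response: a JSON body plus a cookie dict."""
    def __init__(self, body: dict, cookies: dict[str, str]):
        self._body, self.cookies = body, cookies

    def json(self) -> dict:
        return self._body


@dataclass
class LeakyStatusResult:
    """The pattern the findings describe: the whole transport object, cookies
    and all, is handed to every caller of the poller."""
    status: QrStatus
    response: FakeResponse  # "kept for cookie extraction"


@dataclass(frozen=True)
class StatusResult:
    """Hardened: callers get a status and an opaque handle, never cookies."""
    status: QrStatus
    session_ref: str | None = None


# Cookie names the login flow actually needs (an assumption for this example);
# everything else the server sets is dropped at the boundary.
NEEDED_COOKIES = frozenset({"vip_session"})

# Session material stays in this module; callers refer to it by handle only.
_SESSION_STORE: dict[str, dict[str, str]] = {}


def _parse_status(body: dict) -> QrStatus:
    try:
        return QrStatus(body.get("status"))
    except ValueError:
        return QrStatus.FAILED


def poll_leaky(resp: FakeResponse) -> LeakyStatusResult:
    return LeakyStatusResult(_parse_status(resp.json()), resp)


def poll_hardened(resp: FakeResponse) -> StatusResult:
    """Extract only the needed cookies on CONFIRMED and hand back a handle."""
    status = _parse_status(resp.json())
    if status is not QrStatus.CONFIRMED:
        return StatusResult(status)
    kept = {k: v for k, v in resp.cookies.items() if k in NEEDED_COOKIES}
    if not kept:
        return StatusResult(QrStatus.FAILED)  # confirmed but no usable session: fail closed
    ref = secrets.token_hex(8)
    _SESSION_STORE[ref] = kept
    return StatusResult(status, ref)


def session_cookie_names(ref: str) -> frozenset[str]:
    """Inspect what the store holds for a handle, without exposing values."""
    return frozenset(_SESSION_STORE.get(ref, {}))


def revoke(ref: str) -> bool:
    """Drop the session when the caller is done."""
    return _SESSION_STORE.pop(ref, None) is not None
```

The difference is not the data structure but where the secret lives: with the leaky shape every module that receives a `StatusResult` can read `response.cookies`, serialize it, or log it, whereas with the handle only the auth module can turn a reference back into cookies, and `revoke` gives the session a lifecycle that the on-disk `tokens.json` reuse described on this page lacks.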

Vague Triggers
Severity: Medium
Confidence: 84%

The activation description is broad enough to match generic shopping, price-comparison, and cross-platform commerce requests, causing the skill to trigger outside a narrowly defined Vipshop context. Overbroad triggering can route unrelated user requests into a skill that performs automatic login and external requests, increasing the chance of unintended account actions or unnecessary data exposure.

Vague Triggers
Severity: Medium
Confidence: 82%

The overview repeats expansive trigger conditions without clear limits, reinforcing that the skill may activate for a wide range of e-commerce intents rather than only well-scoped Vipshop tasks. In context, this is more dangerous because the skill also documents automatic login and shared session use, so an accidental activation can have side effects beyond simple content retrieval.

Missing User Warnings
Severity: Medium
Confidence: 93%

The documentation states that all sub-skills can automatically trigger login, wait for completion, and reuse a shared login state stored on disk, but it does not give a clear, prominent warning about session persistence, cross-skill reuse, or automatic account-linked actions. This can surprise users into authenticating and persisting tokens locally without informed consent, increasing risk of session misuse, privacy leakage, or unintended operations under their account.

Vague Triggers
Severity: Medium
Confidence: 82%

The trigger phrases are broad enough to match common shopping language, which can cause unintended activation of a skill that expects local image handling and account-backed Vipshop operations. In context, accidental activation is more concerning because the skill may then prompt for or process local image paths and initiate login-dependent flows, increasing the chance of privacy-invasive or confusing behavior without clear user intent.

VirusTotal

67/67 vendors flagged this skill as clean.