Vipshop Skill Set

Security checks across malware telemetry and agentic risk

Overview

This Vipshop shopping skill is mostly coherent, but it automatically manages login and reuses stored account tokens, uploads user images, and creates account-linked product URLs in ways users should review before installing.

Install only if you are comfortable using this skill with a Vipshop account. Expect it to save a reusable login token locally, reuse it across the bundled subskills, upload selected image files to Vipshop for image search, and generate product links that may carry login context. Do not share generated exchange-token links, and review or remove ~/.vipshop-user-login/tokens.json when you no longer want the skill to retain access.

SkillSpector

By NVIDIA

Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • Trigger Abuse: Overly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • MCP Tool Poisoning: Hidden Instructions, Unicode Deception, Parameter Description Injection
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands

Findings (59)

Context-Inappropriate Capability

Severity: Medium
Confidence: 94%
Finding: The code reads a locally stored PASSPORT_ACCESS_TOKEN from the user's home directory and uses it to mint authenticated exchange links, which expands the module's capabilities beyond simple image/product lookup. In a shopping skill, silently converting a local login token into reusable authenticated URLs can enable unintended account-bound actions, session bridging, or token-derived impersonation without clear user awareness or consent.

Intent-Code Divergence

Severity: Low
Confidence: 84%
Finding: The documentation says the module only generates signed exchange-token links, but the implementation also retrieves a sensitive login token from disk. This mismatch is security-relevant because it hides credential access from reviewers and users, making risky behavior easier to overlook and harder to audit.

Context-Inappropriate Capability

Severity: Medium
Confidence: 94%
Finding: The README instructs the agent to automatically run `clawhub install vipshop-user-login`, which expands the skill's authority from product lookup into package installation and execution of additional code. This is dangerous because it introduces a supply-chain and system-modification step without explicit, informed user consent, and a compromised or unexpected dependency skill could gain broader access than the user intended.

Context-Inappropriate Capability

Severity: Medium
Confidence: 91%
Finding: The skill directs the agent to install and invoke another skill via shell commands and to run a blocking login script automatically. That expands the trust boundary from a simple product-detail lookup into package installation, local command execution, and authentication handling, which creates supply-chain and privilege misuse risk if the secondary skill or installation path is compromised.

Context-Inappropriate Capability

Severity: Medium
Confidence: 94%
Finding: The script reads persistent login tokens from the user's home directory and reuses them to perform product-detail requests, even though the advertised capability is product detail lookup and summarization. Reusing local authentication material expands the skill's privilege boundary and creates unnecessary access to session credentials, which could enable account-scoped requests or abuse if the skill is modified, logged, or chained with other behaviors.

Description-Behavior Mismatch

Severity: Medium
Confidence: 91%
Finding: The code generates a product link with an exchange token, which goes beyond merely fetching and summarizing product details. Tokenized single sign-on or handoff links can transfer authenticated context to downstream destinations, increasing the risk of unintended account access, tracking, or session abuse if the link is exposed to users, logs, or third parties.

Context-Inappropriate Capability

Severity: Medium
Confidence: 94%
Finding: The script reads a persistent authentication artifact from the user's home directory and silently repurposes it to build SSO-style exchange links. In a shopping skill, this creates an unnecessary credential-access capability for a utility that should only construct URLs, increasing the blast radius if the skill is invoked unexpectedly or by untrusted workflows.

Description-Behavior Mismatch

Severity: Medium
Confidence: 89%
Finding: The module creates and persistently stores a per-user device identifier under the home directory, which introduces local tracking/statefulness beyond a simple product-detail lookup helper. In a shopping skill, a device ID may be expected for upstream API compatibility, but silently writing it to disk without clear necessity, retention limits, or user disclosure expands the privacy footprint and creates unnecessary persistent identifier storage.

Context-Inappropriate Capability

Severity: Medium
Confidence: 95%
Finding: The README instructs the agent to install another skill automatically (`clawhub install vipshop-user-login`) as part of handling a search request. That expands the skill's authority from product search into software/package installation, creating a supply-chain and unexpected side-effect risk without explicit user approval.

Context-Inappropriate Capability

Severity: Medium
Confidence: 92%
Finding: The skill requires automatic orchestration of a login workflow before search, including triggering another skill and continuing after authentication. This broadens the skill from search into account/authentication handling, which can cause unintended account actions and normalize credential-adjacent automation beyond the declared purpose.

Context-Inappropriate Capability

Severity: Medium
Confidence: 92%
Finding: The code reads a local authentication token from ~/.vipshop-user-login/tokens.json and uses it to generate authenticated exchange links, even though this helper is packaged under product-search functionality. That expands the skill from public product lookup into credential-dependent session bridging without explicit consent, creating a risk of silent account-context use and unintended authenticated actions or tracking if invoked by higher-level skill flows.

Context-Inappropriate Capability

Severity: Medium
Confidence: 94%
Finding: The skill instructs the agent to automatically install another skill via `clawhub install vipshop-user-login` as part of a promotion lookup flow. This expands capabilities beyond the stated purpose, performs a system-changing action without explicit user approval, and creates a supply-chain risk if the installed dependency is malicious, tampered with, or simply over-privileged.

Context-Inappropriate Capability

Severity: Medium
Confidence: 96%
Finding: The documentation tells the agent to execute a sibling skill's login script (`../vipshop-user-login/scripts/vip_login.py --blocking`) if the skill call is unavailable. That is dangerous because it crosses trust boundaries, grants the promotion skill a path to trigger credential/session acquisition logic, and authorizes arbitrary local code execution outside the current skill's own files.

Intent-Code Divergence

Severity: Medium
Confidence: 94%
Finding: The code repeatedly describes the transform as 'secure encryption,' but the implementation is only a deterministic checksum-like substitution over a timestamp and random hex string. This can mislead developers into treating mars_cid as protected or confidential data, causing unsafe reuse in contexts where real cryptographic protection or authenticity guarantees are required.

Context-Inappropriate Capability

Severity: Low
Confidence: 72%
Finding: The client automatically hands a downloaded file to the operating system's default handler, which expands behavior from simple QR retrieval into local program launching. In a skill context, this can surprise users and increase attack surface because the actual program opened depends on local OS associations and may process untrusted image content.

Intent-Code Divergence

Severity: Medium
Confidence: 97%
Finding: `stop_poll()` sets `_stop_event`, but `poll_until_complete()` never checks that event inside its loop, so asynchronous polling cannot actually be cancelled promptly. In a login-status polling flow, this can leave background requests running after the user abandons the flow, causing unnecessary network activity, stale state handling, duplicate callbacks, and possible continued observation of authentication state beyond the intended lifetime.

Vague Triggers

Severity: Medium
Confidence: 86%
Finding: The description casts an extremely broad trigger surface over generic shopping and price-comparison intents, including users discussing other e-commerce platforms. Overbroad routing can cause unintended activation of a skill that performs login flows, network calls, and stateful actions when the user may have only been asking a general question or comparing options.

Vague Triggers

Severity: Medium
Confidence: 88%
Finding: The document instructs the AI to automatically select and chain sub-skills for a wide range of shopping requests but does not define clear boundaries for when the skill should not run. In practice, this increases the risk of unintended tool use, including persistent authentication and data-sharing behaviors, without sufficiently specific user intent.

Missing User Warnings

Severity: Medium
Confidence: 93%
Finding: The skill states that login state is stored in a local file under ~/.vipshop-user-login/tokens.json and shared across sub-skills, but this persistence is not prominently disclosed as a privacy and security consequence. Stored authentication tokens can be reused by other local processes, exposed via backups or weak filesystem permissions, and silently extend account access beyond the immediate session.

Missing User Warnings

Severity: Medium
Confidence: 89%
Finding: The image-search workflow involves local image upload and remote processing, but the documentation does not clearly warn users that local files may be transmitted off-device. Images can contain sensitive personal content or metadata, so silent or poorly disclosed upload behavior creates privacy risk and potential unintended data exfiltration.

Missing User Warnings

Severity: Medium
Confidence: 90%
Finding: The examples normalize automatic login and continuation of tasks without clearly surfacing to the user that authentication will be initiated and then reused across subsequent operations. This weakens informed consent around account access and can make users unaware that a persistent authenticated state is being established and applied automatically.

Missing User Warnings

Severity: Medium
Confidence: 90%
Finding: The skill asks for a local image path and later uploads that image to Vipshop endpoints, but the description does not clearly warn users that their local file content will leave the device for remote analysis. This can cause unintended disclosure of personal, sensitive, or copyrighted images because users may not realize a local file upload is part of the operation.

Missing User Warnings

Severity: Medium
Confidence: 86%
Finding: The documented flow checks persisted tokens in ~/.vipshop-user-login/tokens.json and may automatically trigger login, but it does not clearly warn users that stored account credentials or session state will be accessed and reused. Automatic authentication behavior can surprise users, expand access beyond their expectation, and increase the risk of unintended account actions under an authenticated session.

Missing User Warnings

Severity: Medium
Confidence: 96%
Finding: The script accesses a sensitive access token from a local token store without any user-facing notice, consent flow, or runtime disclosure. In the context of an e-commerce assistant, this creates a covert authentication bridge from local session state into generated links, which can expose account context and enable misuse if the links are logged, shared, or abused by other components.

Missing User Warnings

Severity: Medium
Confidence: 91%
Finding: The code sends local image contents and user-linked identifiers such as mars_cid and access_token to remote Vipshop endpoints, but there is no user-facing notice, consent gate, or clear disclosure at the point of transmission. In a shopping assistant, uploaded images may contain sensitive personal or contextual information, so silent transmission creates a real privacy and data-handling risk even though it appears functionally intended.

VirusTotal

67/67 vendors flagged this skill as clean.