
Security audit

唯品会商品详情 (Vipshop product details)

Security checks across malware telemetry and agentic risk

Overview

This Vipshop detail skill is mostly purpose-aligned, but it should be reviewed because it reads saved login tokens, creates chat-visible auto-login links, and can automatically install or run a login dependency.

Install only if you are comfortable with this skill using your saved Vipshop login, starting the Vipshop login flow, and possibly installing or running the companion login skill. Treat generated exchange-token links like sensitive login material: do not share them, paste them into other tools, or leave them in public logs.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • MCP Least Privilege: Underdeclared Capability, Wildcard Permission, Missing Permission Declaration
  • MCP Tool Poisoning: Hidden Instructions, Unicode Deception, Parameter Description Injection
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
Findings (19)

Lp3

Severity: Medium
Category: MCP Least Privilege
Confidence: 92%
Finding
The skill declares no permissions, yet its instructions clearly require local file access, network requests, and installation/execution of other components. This mismatch undermines any permission boundary or user understanding of what the skill can do, increasing the chance of unauthorized data access or unexpected system actions.

Tp4

Severity: High
Category: MCP Tool Poisoning
Confidence: 97%
Finding
The skill is presented as a product-detail lookup, but it also generates signed auto-login exchange-token URLs tied to the user's authenticated session. That is a materially different and more sensitive behavior because it can expose reusable session-linked access artifacts rather than just product data.

Context-Inappropriate Capability

Severity: Medium
Confidence: 92%
Finding
The README tells the agent to automatically install and invoke another skill when the user is not logged in. That expands the capability from viewing product details into modifying the environment and initiating a separate auth workflow without explicit user consent, which can surprise users and increase supply-chain and privilege risks.

Description-Behavior Mismatch

Severity: Medium
Confidence: 89%
Finding
The documented behavior broadens the skill beyond its declared purpose by orchestrating login checks and automatic login flow instead of limiting itself to product-detail lookup. Scope expansion is dangerous because users may invoke a read-only shopping query skill but end up triggering authentication and environment-changing actions they did not specifically request.

Context-Inappropriate Capability

Severity: Medium
Confidence: 95%
Finding
The skill instructs the agent to install another skill automatically via `clawhub install`, which expands its authority from read/query operations into modifying the local environment. Automatic installation creates a supply-chain and privilege-expansion risk, especially when triggered without an explicit user approval step.

Context-Inappropriate Capability

Severity: High
Confidence: 98%
Finding
The documentation tells the agent to execute a Python script from a sibling skill directory, introducing cross-skill code execution outside the stated scope of a product-detail reader. This enables arbitrary behavior inherited from another skill and weakens isolation boundaries between skills.

Description-Behavior Mismatch

Severity: High
Confidence: 98%
Finding
This file does more than product-detail lookup: it reads a locally stored PASSPORT_ACCESS_TOKEN, combines it with a hardcoded signing secret, and generates an authenticated exchange-token login URL. That enables session bootstrap or account-context access through a crafted link, which is materially more sensitive than the skill's stated purpose and increases risk of unauthorized account use or token misuse.

Context-Inappropriate Capability

Severity: High
Confidence: 97%
Finding
The code implements token exchange capability that is not justified by the advertised function of viewing product details. Because it consumes a stored access token and produces a signed passport exchange URL, it creates a hidden authentication pathway that could be abused to impersonate the logged-in user or access account-scoped content.

Description-Behavior Mismatch

Severity: Medium
Confidence: 88%
Finding
The code creates and persists a stable device identifier in the user's home directory, which introduces tracking state beyond a one-shot product-detail lookup. In this skill context, that persistence is more sensitive because the capability is framed as a query tool, while the stored identifier can silently survive across sessions and be reused for account-linked requests without an explicit user-facing consent or retention policy.

Missing User Warnings

Severity: Medium
Confidence: 94%
Finding
Automatically installing and launching a login skill without an explicit opt-in warning causes unconsented system changes and initiates a sensitive authentication flow. In the context of an agent skill, this is especially risky because users may not realize software is being installed or that a separate component will gain access to their session data.

Missing User Warnings

Severity: Medium
Confidence: 87%
Finding
The skill uses tokens/cookies from a local file for authenticated requests but does not prominently warn users that local credentials will be read and transmitted to a remote service. This creates a privacy and trust issue because users may think they are making a simple product query, while the skill is actually consuming stored authentication material behind the scenes.

Missing User Warnings

Severity: High
Confidence: 96%
Finding
The skill directs the agent to automatically trigger account login, install another skill, and wait in blocking mode, but does not clearly foreground the account-access and system-modifying implications to the user. In context, this is more dangerous because the skill handles authenticated commerce data and can alter the environment without a separate consent checkpoint.

Missing User Warnings

Severity: High
Confidence: 99%
Finding
The documentation instructs the AI to display exchange-token auto-login URLs directly to the user. These links are session-linked authentication artifacts; exposing them verbatim risks credential leakage through logs, chat history, screenshots, link previews, or unintended sharing.

Missing User Warnings

Severity: High
Confidence: 95%
Finding
The behavioral rules require automatic installation and command execution while framing them as mandatory background actions, without matching safety disclosure in the skill description. This is risky because it normalizes system modification and external code execution in response to a seemingly simple shopping query.

Missing User Warnings

Severity: Medium
Confidence: 95%
Finding
This code loads authentication tokens from a predictable local file and automatically attaches them as cookies to outbound requests, but this file provides no user-visible consent, scope limitation, or disclosure at the point of use. In an agent skill context, silent reuse of persisted login state increases the risk of unintended account actions or data access if the skill is triggered unexpectedly or by untrusted input.

Missing User Warnings

Severity: Medium
Confidence: 91%
Finding
The skill silently reads a locally stored login token from the user's home directory without any user-facing disclosure, consent, or runtime warning. Accessing reusable authentication material in this way violates least surprise and increases the chance that other code paths can leverage the token for actions beyond simple product lookup.

Missing User Warnings

Severity: Medium
Confidence: 93%
Finding
The generated URL embeds base64-encoded token-derived data and a signature into query parameters, which may be exposed via logs, browser history, referrers, or downstream systems. Even if the raw token is wrapped, the URL is security-sensitive and can facilitate replay or session exchange if intercepted.

Missing User Warnings

Severity: Low
Confidence: 84%
Finding
The code writes a persistent device identifier to the user's home directory without any explicit notice at the write site or visible consent mechanism. In the context of a product-detail skill that depends on prior login, this increases privacy risk because the identifier may be reused to correlate activity across runs and remain on disk longer than the user expects.

Ssd 3

Severity: High
Confidence: 99%
Finding
Exposing auto-login URLs containing exchange tokens is a direct sensitive-data disclosure issue. Because the links can authenticate or redirect using the user's session context, anyone obtaining the URL from transcripts or logs may gain unintended access or abuse the session.

VirusTotal

67/67 vendors flagged this skill as clean.


Static analysis

No suspicious patterns detected.