Vipshop Product Search

Security checks across malware telemetry and agentic risk

Overview

This Vipshop shopping skill is mostly coherent, but it automatically handles login credentials, installs or runs companion skills, and creates authenticated product links with too little user control.

Install only if you are comfortable with this skill reading your local Vipshop login token file, using that token with Vipshop APIs, generating authenticated product links, and automatically installing or invoking related Vipshop skills. Use it only for explicit Vipshop searches, avoid shared machines, and do not share generated exchange links because they may carry account-linked session material.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Supply Chain: Unpinned Dependencies, External Script Fetching, Obfuscated Code
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • Trigger Abuse: Overly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • MCP Tool Poisoning: Hidden Instructions, Unicode Deception, Parameter Description Injection
Findings (16)

Description-Behavior Mismatch
Severity: Medium. Confidence: 96%.
The README expands a product-search skill into orchestrating a separate login skill and even installing it automatically. That crosses the declared trust boundary of the skill, enabling unreviewed secondary actions and dependency changes without explicit user approval, which increases supply-chain and privilege risk.

Description-Behavior Mismatch
Severity: Medium. Confidence: 91%.
The README adds product-detail retrieval and cross-skill/script execution beyond the manifest's stated search functionality. Hidden capability expansion makes it easier for the agent to perform broader actions than the user or platform expects, weakening least-privilege guarantees.

Context-Inappropriate Capability
Severity: Medium. Confidence: 97%.
The README instructs the agent to run `clawhub install vipshop-user-login`, which is a package installation step unrelated to the core search action and can modify the environment. Automatic installs introduce supply-chain risk and allow the skill to pull in new code at runtime without review or informed consent.

Context-Inappropriate Capability
Severity: Medium. Confidence: 84%.
The skill instructs the agent to install and invoke another skill and to fall back to direct command execution outside the stated product-search boundary. Cross-skill invocation and package installation expand the attack surface and allow this skill to trigger additional code paths and side effects that users may not expect from a simple search action.

Description-Behavior Mismatch
Severity: Medium. Confidence: 93%.
The script reads a local PASSPORT_ACCESS_TOKEN from the user's login store and generates an exchangeToken URL that can carry the user's authenticated session into a browser redirect. This exceeds the declared behavior of a product-search skill and creates a credential-handling path that could expose or misuse session material, especially if the generated URL is logged, returned to other components, or opened in an unintended context.

Context-Inappropriate Capability
Severity: Medium. Confidence: 90%.
The code implements SSO-style login/jump-link generation based on a locally stored access token, which is not directly aligned with a search-only skill. Hidden authentication-transfer behavior increases risk because users and reviewers may not expect the skill to transform stored credentials into navigable links, making accidental disclosure or abuse more likely.

Description-Behavior Mismatch
Severity: Medium. Confidence: 90%.
The module writes a persistent device identifier to ~/.vipshop-user-login/device.json, which creates local tracking state not disclosed by the skill's search-focused description. While this may be functionally motivated by keeping a stable client identifier for login/search requests, it still expands data collection and persistence beyond obvious user expectations and can enable cross-session tracking on the host.

Vague Triggers
Severity: Medium. Confidence: 87%.
Using generic triggers like '下一页' ("next page") and '上一页' ("previous page") can cause accidental invocation during ordinary conversation, especially in a chat system with multiple skills. Unintended execution may leak prior search context, trigger network requests, or create confusing autonomous behavior without a clear user intent to operate this skill.

Vague Triggers
Severity: Medium. Confidence: 90%.
Triggers like '第5个' ("the 5th one") or '详情10' ("details 10") are highly ambiguous and can be interpreted outside a valid product-search context. This can lead to unintended product-detail lookups based on stale state or unrelated conversation, causing unauthorized follow-up actions and possible data exposure.

Missing User Warnings
Severity: Medium. Confidence: 95%.
The documentation mandates automatic installation and execution of another skill without any explicit consent or risk warning. Silent cross-skill execution can surprise users, change the environment, and expose them to privilege escalation or code provenance issues they did not agree to.

Missing User Warnings
Severity: Medium. Confidence: 93%.
The README directs the agent to read `~/.vipshop-user-login/tokens.json` and use cookies/tokens, but it does not define strong safeguards for sensitive credential handling. Accessing local auth artifacts without clear minimization, disclosure, and non-retention requirements risks credential leakage, overbroad reuse, or unintended disclosure in logs and outputs.

Vague Triggers
Severity: High. Confidence: 92%.
The trigger scope is extremely broad, covering generic shopping, browsing, recommendation, and cross-platform purchase intent, which increases the chance that the skill activates in many ordinary conversations. Overbroad activation is dangerous here because the skill can read local login state, trigger blocking login flows, and run scripts automatically, causing unintended actions without clear user intent.

Vague Triggers
Severity: High. Confidence: 90%.
The overview repeats ambiguous activation conditions without meaningful limits, reinforcing an overly permissive trigger surface. In this skill's context, ambiguous triggering is more dangerous because activation can cascade into local token inspection, dependency installation, and login automation.

Missing User Warnings
Severity: Medium. Confidence: 90%.
The skill directs the agent to inspect a local token file and automatically launch a blocking login workflow without obtaining explicit consent at the time of action. This reduces user awareness of local data access and may unexpectedly interrupt the session or initiate authentication flows, which is especially sensitive for account-linked commerce actions.

Missing User Warnings
Severity: Medium. Confidence: 96%.
A sensitive access token is loaded from a local credential file, encoded into the dt parameter, and placed into a generated URL. URLs are commonly exposed through logs, browser history, referrers, analytics, crash reports, and inter-process messages, so embedding session-related secrets in them can lead to account/session compromise or unauthorized authenticated actions.

Ssd 3
Severity: Medium. Confidence: 86%.
Instructing the agent to retain prior shopping results for reuse creates a statefulness/privacy risk, especially when later commands are ambiguous. Persisted result context can be reused unexpectedly across turns, enabling accidental follow-up actions or exposure of prior shopping activity beyond the user's immediate intent.

VirusTotal

VirusTotal engine telemetry is currently stale for this artifact.