唯品会

Security checks across malware telemetry and agentic risk

Overview

This Vipshop shopping skill mostly matches its purpose, but it gives itself automatic login, session-token use, token-bearing link output, and runtime skill-install authority that users should review before installing.

Install only if you are comfortable letting this skill manage a Vipshop login session locally and reuse it across searches, details, promotions, and image search. Treat generated exchange-token links and QR-token output as sensitive, avoid sharing logs, and require explicit approval before any auto-install or login handoff.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • Trigger Abuse: Overly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • MCP Tool Poisoning: Hidden Instructions, Unicode Deception, Parameter Description Injection
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
Findings (53)

Context-Inappropriate Capability

Severity: Medium
Confidence: 95%
Finding
The code reads a persisted login token from ~/.vipshop-user-login/tokens.json and silently uses it to build authenticated exchange URLs, even though the file is framed as a link builder. This creates an implicit privilege bridge from local session state into generated URLs and expands the module's access to sensitive authentication material without clear user consent or strict scope limitation.

Context-Inappropriate Capability

Severity: Medium
Confidence: 95%
Finding
The README instructs the agent to automatically install another skill using `clawhub install vipshop-user-login`, which expands the skill's capabilities beyond product-detail retrieval into package/environment modification. This is dangerous because it allows a content file to trigger unreviewed software installation and dependency chaining, increasing supply-chain and privilege risks if the referenced skill is malicious, compromised, or simply inappropriate for the user's environment.

Context-Inappropriate Capability

Severity: Medium
Confidence: 95%
Finding
The skill instructs the agent to install another skill via `clawhub install vipshop-user-login` when it is missing, which expands a product-detail lookup into package installation and code acquisition. This is dangerous because it enables unreviewed system modification and introduces a new execution path from externally sourced code without explicit user consent at the time of action.

Context-Inappropriate Capability

Severity: Medium
Confidence: 93%
Finding
The documentation directs execution of a sibling skill's login script (`python3 ../vipshop-user-login/scripts/vip_login.py --blocking`), creating cross-skill code execution outside the stated product-detail scope. This is risky because it bypasses clear trust boundaries between skills and allows one skill to cause execution of another component's code and login flow automatically.

Description-Behavior Mismatch

Severity: Medium
Confidence: 89%
Finding
The file is presented as a product-detail query/analyze tool, but it also generates a federated login/exchange-token product link. That extends behavior from passive data retrieval into session-bearing navigation, which can create unintended account-context transfer or enable downstream actions under the user's authenticated state if the link is reused or exposed.

Context-Inappropriate Capability

Severity: Medium
Confidence: 87%
Finding
Embedding an exchange token in output for a simple product lookup is not proportional to the declared function of the script. Any consumer of the JSON output, logs, or subsequent agent steps may obtain a privileged deep link that carries authentication context, increasing risk of token leakage or unintended account access.

Context-Inappropriate Capability

Severity: Medium
Confidence: 95%
Finding
The helper reads a separate local login token and uses it to generate authenticated exchange links, which expands a product-detail utility into handling account authentication state. In this shopping-skill context, silently consuming a bearer-style token from disk creates an unexpected privilege boundary crossing and can enable account-linked actions or session transfer without clear user awareness.

Description-Behavior Mismatch

Severity: Medium
Confidence: 84%
Finding
The code persistently stores a generated device identifier under the user's home directory for a product-detail helper, which introduces cross-session tracking state beyond a narrow one-shot product lookup function. While not inherently malicious, this creates a privacy and scope-expansion issue because the identifier can be reused across requests and sessions without clear necessity or explicit consent.

Context-Inappropriate Capability

Severity: Medium
Confidence: 94%
Finding
The README instructs the agent to install another skill via `clawhub install vipshop-user-login`, which expands the skill's authority from product search into package management and dependency acquisition. That creates a supply-chain and privilege-expansion risk because a user asking to search products could indirectly cause installation of additional code without explicit consent or provenance checks.

Context-Inappropriate Capability

Severity: Medium
Confidence: 92%
Finding
The skill directs the agent to automatically trigger a separate login workflow, execute another skill or script, and continue the original task without a fresh user confirmation. This crosses the boundary of a search skill into account-auth and workflow orchestration, increasing the chance of unintended actions on behalf of the user and broadening the attack surface.

Description-Behavior Mismatch

Severity: Medium
Confidence: 88%
Finding
The skill metadata says it is for product search and execution of `search.py`, but the README also instructs the agent to invoke product-detail functionality from a separate skill for follow-up prompts like '查询第X个商品' ("look up product number X"). This mismatch can mislead security controls and users about the actual capabilities, enabling broader actions than the declared scope.

Context-Inappropriate Capability

Severity: Medium
Confidence: 92%
Finding
The skill instructs the agent to run `clawhub install vipshop-user-login`, which expands a product-search skill into package installation and dependency acquisition at runtime. This violates least privilege and creates a supply-chain and capability-expansion risk, because a simple shopping query could cause the agent to fetch and enable additional code not already trusted or reviewed.

Context-Inappropriate Capability

Severity: Medium
Confidence: 94%
Finding
The documentation authorizes direct execution of a sibling login script in blocking mode, turning a search skill into an authentication orchestrator. This broadens scope from product lookup to credential/session handling and can trigger unexpected account actions, long-running blocking behavior, and cross-skill boundary bypass without clear user consent.

Context-Inappropriate Capability

Severity: Medium
Confidence: 94%
Finding
The module reads a persisted PASSPORT_ACCESS_TOKEN from the user's home directory and silently uses it to mint authenticated exchange links. In a product-search/link-building helper, this creates an undisclosed authentication side effect and expands the skill's privilege to act on behalf of the logged-in user without an explicit consent boundary.

Intent-Code Divergence

Severity: Low
Confidence: 85%
Finding
The docstring describes only HMAC-MD5 exchange-link generation, but the implementation also accesses local authentication state. This mismatch hides sensitive behavior from reviewers and users, making it easier for privileged token handling to be introduced into an otherwise innocuous-seeming helper.

Description-Behavior Mismatch

Severity: Medium
Confidence: 92%
Finding
The module description says it only generates and validates a mars_cid, but the code also persists that identifier under the user's home directory. That creates undisclosed local tracking state and can surprise callers, especially in an agent/skill context where filesystem writes and persistent device identifiers may have privacy and compliance implications.

Description-Behavior Mismatch

Severity: Medium
Confidence: 91%
Finding
The script reads saved login tokens from the user's home directory and refuses to perform search without them, even though product search is typically expected to be a low-privilege, generally available action. This expands the data access scope of a search tool to persistent authenticated state, increasing privacy risk and the blast radius if the skill is invoked unexpectedly or reused in a broader agent workflow.

Context-Inappropriate Capability

Severity: Medium
Confidence: 94%
Finding
This file directly accesses persistent session data at ~/.vipshop-user-login/tokens.json, which is sensitive account state unrelated to a narrowly described search helper. Reading long-lived tokens from disk creates a local secret exposure path and can enable unintended authenticated requests or cross-skill privilege coupling if another component can trigger this script.

Context-Inappropriate Capability

Severity: Medium
Confidence: 94%
Finding
The skill for promotion lookup instructs the agent to automatically install and invoke a separate login skill and blocking login script, which expands its capabilities beyond simple activity retrieval into software installation and credential-handling workflows. This creates unnecessary authority escalation and can cause unintended system changes or credential exposure without a sufficiently explicit, separate user consent step.

Context-Inappropriate Capability

Severity: Medium
Confidence: 92%
Finding
The skill directs the agent to inspect a token file in the user's home directory to determine login state, giving a promotion-query workflow direct access to local credential material. Even if only existence/validity is intended, this grants filesystem and session-token access outside the least-privilege scope of answering promotion questions.

Context-Inappropriate Capability

Severity: Medium
Confidence: 91%
Finding
The skill is framed as a QR login capability, but its documented use cases explicitly extend to accessing user data, automation, and data collection with a real user identity. That broadening increases the chance the login flow will be used to obtain and persist authenticated session cookies for downstream scraping or account actions beyond what the user narrowly intended when asked to log in.

Intent-Code Divergence

Severity: Medium
Confidence: 98%
Finding
`stop_poll()` sets `_stop_event`, but `poll_until_complete()` never checks that event inside its loop, so callers cannot actually stop an in-flight polling operation. In a login workflow this can keep sending repeated requests with the QR token after the user or application believes polling has stopped, causing privacy, resource-consumption, and control-flow issues.

Context-Inappropriate Capability

Severity: Medium
Confidence: 97%
Finding
The login flow deliberately prints the raw qrToken, QR URL, and a structured payload to stdout. That token is an active authentication artifact because the same script supports resuming the login with `--poll <qrToken>`, so any process, log collector, agent wrapper, terminal history, or observer that captures stdout can hijack or continue the login flow. In the context of a login skill, exposing reusable auth material beyond what is strictly needed to display the QR image is more dangerous, not less.

Vague Triggers

Severity: Medium
Confidence: 90%
Finding
The trigger language is extremely broad, covering generic shopping, comparison, migration from other platforms, and image-based product discovery. Over-broad activation can cause the skill to intercept unrelated commerce requests and steer users into this ecosystem without clear user intent, increasing the chance of unwanted login prompts, data handling, or external calls.

Vague Triggers

Severity: Medium
Confidence: 88%
Finding
The manifest and overview strongly position the skill as a general replacement for many shopping platforms but do not define non-activation boundaries. Without clear limits, an agent may invoke it too aggressively, causing unnecessary data access, account prompts, or biased routing toward a commercial service.

VirusTotal

65/65 vendors flagged this skill as clean.