Vipshop User Login

Security checks across malware telemetry and agentic risk

Overview

This skill performs a disclosed Vipshop QR login, but it stores reusable account cookies for other skills to read and use, so users should review the credential-sharing model before installing.

Install only on a trusted machine and treat ~/.vipshop-user-login/tokens.json as a Vipshop account credential. Scanning the QR code will create a reusable local session that other Vipshop skills can read; remove it with the documented logout command or delete the directory when you no longer want that access retained.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Supply Chain: Unpinned Dependencies, External Script Fetching, Obfuscated Code
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • Trigger Abuse: Overly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • MCP Least Privilege: Underdeclared Capability, Wildcard Permission, Missing Permission Declaration
Findings (19)

Lp3

Medium
Category
MCP Least Privilege
Confidence
93% confidence
Finding
The skill describes and instructs execution of network access, local file read/write, environment-variable checks, and shell/Python commands, yet it declares no explicit permissions or trust boundaries. This creates a capability transparency gap: an orchestrator or user may trigger a login flow that writes persistent authentication material to disk and performs outbound requests without clear consent or sandbox expectations.

Context-Inappropriate Capability

Medium
Confidence
91% confidence
Finding
The guide explicitly instructs other skills to read a shared token file and reuse authenticated cookies to make arbitrary requests as the logged-in user. That broadens the trust boundary from a login helper into a credential-sharing mechanism, enabling unrelated or less-trusted skills to act with the user's full Vipshop session if they can access the file or scripts directory.

Context-Inappropriate Capability

Medium
Confidence
95% confidence
Finding
The save_qr_image method accepts an arbitrary output_path and writes attacker-controlled bytes to that location without constraining it to the skill's working directory. In an agent environment, any other component that can influence this parameter could overwrite user files, drop payloads into sensitive locations, or abuse symlink targets, which is broader capability than a QR display helper should need.

Intent-Code Divergence

Medium
Confidence
96% confidence
Finding
`stop_poll()` sets `_stop_event`, but the polling loop in `poll_until_complete()` never checks that event, so a caller cannot reliably stop the background login-status polling once started. In a login skill, this can cause continued transmission of QR login tokens and continued collection of status/cookie-bearing responses after the user expects polling to have ended, creating privacy and session-handling risk as well as resource exhaustion.

Description-Behavior Mismatch

Medium
Confidence
93% confidence
Finding
The CLI exposes additional capabilities to enumerate stored login records, inspect status, and remove tokens that are outside the declared scope of a simple QR-login skill. In an agent/tooling environment, undocumented account-management surfaces increase attack surface and can leak account presence metadata or allow unintended token manipulation by other components invoking the script with different flags.

Vague Triggers

Medium
Confidence
89% confidence
Finding
The trigger conditions include broad fallback wording such as invoking this skill when other skills detect an unauthenticated state, which can cause unintended automatic activation. In context, auto-triggering a real-account login flow is sensitive because it initiates external authentication, displays a QR code, polls remote status, and may persist login state without a fresh, explicit user decision.

Missing User Warnings

Medium
Confidence
91% confidence
Finding
The skill stores login tokens in ~/.vipshop-user-login/tokens.json for reuse by other skills, but the top-level description does not prominently communicate the persistence, sharing scope, and sensitivity of those credentials. This is dangerous because users may believe they are performing a one-time login while actually creating a reusable local credential store that broadens compromise impact across multiple skills.

Missing User Warnings

Medium
Confidence
89% confidence
Finding
The document explicitly states that successful QR-login polling results in login cookies being set, but it does not warn that this creates an authenticated session whose credentials may then be persisted and reused by the skill. In the context of this skill, which saves login state to ~/.vipshop-user-login/tokens.json for other skills, omitting a clear warning increases the risk of users or downstream developers treating the flow as harmless display/polling rather than credential acquisition and storage.

Missing User Warnings

Medium
Confidence
86% confidence
Finding
The example shows loading authentication cookies from disk and sending them in network requests without warning that this transmits highly sensitive session credentials and performs actions as the user. In an agent ecosystem, omission of that warning increases the chance that downstream skill authors will casually copy the pattern, mishandle the cookies, or use them in ways the user did not understand.

Missing User Warnings

Medium
Confidence
85% confidence
Finding
Recommending TokenManager as a convenient way for other skills to obtain login state normalizes cross-skill access to sensitive credentials, again without clearly warning that this enables authenticated remote actions under the user's account. This makes the shared-login design more dangerous because it lowers the barrier for any adjacent skill to consume the session and act beyond the minimal login purpose.

Missing User Warnings

Medium
Confidence
83% confidence
Finding
The documentation discloses the exact storage path and schema for session cookies and user identifiers, including an access token, but does not label them as secrets or caution against leakage. That materially helps any other local skill or developer understand where to find reusable credentials, making accidental exposure or intentional misuse easier in this multi-skill context.

Missing User Warnings

Medium
Confidence
83% confidence
Finding
This module persists live authentication cookies to disk in plaintext JSON under the user's home directory. Although it sets restrictive filesystem permissions, local credential storage still creates theft and reuse risk from malware, backups, accidental disclosure, shared accounts, or other local compromise; in a login skill, that risk is more significant because these cookies represent reusable authenticated session state for other Vipshop actions.

Missing User Warnings

Medium
Confidence
96% confidence
Finding
The skill persists sensitive authentication material locally, including the login token and pending QR token state, without any user-facing warning, consent flow, or visible file-permission hardening in this code path. On shared hosts or agent runtimes, local files under the home directory may be readable by other processes or later reused unexpectedly, enabling session theft or unauthorized continuation of a login flow.

Unpinned Dependencies

Low
Category
Supply Chain
Content
requests>=2.28.0
qrcode>=7.0
Pillow>=9.0.0
packaging>=21.0
Confidence
93% confidence
Finding
requests>=2.28.0

Unpinned Dependencies

Low
Category
Supply Chain
Content
requests>=2.28.0
qrcode>=7.0
Pillow>=9.0.0
packaging>=21.0
Confidence
93% confidence
Finding
qrcode>=7.0

Unpinned Dependencies

Low
Category
Supply Chain
Content
requests>=2.28.0
qrcode>=7.0
Pillow>=9.0.0
packaging>=21.0
Confidence
96% confidence
Finding
Pillow>=9.0.0

Unpinned Dependencies

Low
Category
Supply Chain
Content
requests>=2.28.0
qrcode>=7.0
Pillow>=9.0.0
packaging>=21.0
Confidence
90% confidence
Finding
packaging>=21.0

Known Vulnerable Dependency: requests — 10 advisory(ies): CVE-2014-1830 (Exposure of Sensitive Information to an Unauthorized Actor in Requests); CVE-2024-47081 (Requests vulnerable to .netrc credentials leak via malicious URLs); CVE-2024-35195 (Requests `Session` object does not verify requests after making first request wi) +7 more

High
Category
Supply Chain
Confidence
95% confidence
Finding
requests

Known Vulnerable Dependency: Pillow — 10 advisory(ies): CVE-2016-2533 (Pillow buffer overflow in ImagingPcdDecode); CVE-2023-50447 (Arbitrary Code Execution in Pillow); CVE-2021-27922 (Pillow Uncontrolled Resource Consumption) +7 more

Critical
Category
Supply Chain
Confidence
97% confidence
Finding
Pillow

VirusTotal

67/67 vendors flagged this skill as clean.
