
Security audit

甩手店长一键采集,刊登 (Shuaishou shop manager: one-click collect and publish)

Security checks across malware telemetry and agentic risk

Overview

This skill is a real shop automation client, but it stores authorization locally and can publish products to live shops with broad MCP tool access, so users should review it carefully before installing.

Install only if you intentionally want this agent to control Shuaishou/Temu shop workflows. Use a dedicated low-privilege MCP key, protect or remove ~/.htyd-mcp-client-streamable.json after use, and require human confirmation of the product URL, target shop, platform, and publish action before running collect_and_publish or any raw MCP tool call.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • Trigger Abuse: Overly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • MCP Tool Poisoning: Hidden Instructions, Unicode Deception, Parameter Description Injection
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
Findings (6)

Description-Behavior Mismatch (Medium; 97% confidence)

Finding: The code persists the Authorization header to a plaintext file in the user's home directory after interactive entry. That expands the skill's capability from transient MCP access to long-term local secret storage, which increases the risk of credential theft by other local processes, backup systems, or accidental disclosure.

Context-Inappropriate Capability (Medium; 90% confidence)

Finding: The client is designed to connect to an MCP server, but it also defines a dedicated config file path for storing auth material locally, enabling secret retention unrelated to the minimum required function of invoking tools. In a production client, storing bearer tokens in a predictable plaintext path can materially increase exposure if the workstation is shared or compromised.

Missing User Warnings (Medium; 94% confidence)

Finding: The skill explicitly states that authorization data may be saved to ~/.htyd-mcp-client-streamable.json for automatic reuse, but it does not warn about secret persistence, file permissions, or safe handling. Persisting bearer credentials locally without explicit security guidance increases the risk of credential theft from other local users, malware, backups, or accidental disclosure.

Vague Triggers (Medium; 86% confidence)

Finding: The README includes broad natural-language invocation guidance such as using the command when a user says to 'publish this link to shop' or 'collect and publish to shop' without requiring explicit confirmation or safety checks. In an agent setting, this can cause the skill to be selected for externally visible publishing actions based on ambiguous user phrasing, increasing the risk of unintended marketplace changes.

Missing User Warnings (Medium; 90% confidence)

Finding: The documentation describes a one-step collect→claim→publish workflow that affects shop listings but frames completion as sending the publish API request, while also stating it does not verify final success or async outcome. This encourages use of a high-impact operation without strong up-front warnings about its externally visible effects, making accidental or premature publication more likely in production shop environments.

Missing User Warnings (Medium; 98% confidence)

Finding: When the user is prompted for an app key or bearer token, the code silently writes that secret to disk without clearly informing the user that persistence will occur. This violates user expectations and can cause long-lived credential exposure, especially on developer machines where dotfiles are commonly synced, backed up, or inspected.

VirusTotal

64/64 vendors flagged this skill as clean.

Static analysis

No suspicious patterns detected.