义乌.skill

Security checks across malware telemetry and agentic risk

Overview

The skill is not clearly malicious, but it needs review because it combines CRM profiling, bulk WhatsApp outreach, persistent memory, external AI/API use, and automatic improvement workflows without sufficient user control or privacy boundaries.

Install only in a controlled business environment after adding:
  • explicit consent and opt-out handling for outreach
  • role-based access to customer profiles and quote files
  • retention/deletion rules for memory
  • protected or expiring links for exports
  • disclosure for Coze/DeepSeek/OpenAI/Hugobsp data sharing
  • human approval for bulk sends, automatic updates, and knowledge-base changes

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • Trigger Abuse: Overly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • MCP Tool Poisoning: Hidden Instructions, Unicode Deception, Parameter Description Injection
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
Findings (51)

Context-Inappropriate Capability (Medium, 95% confidence)

The configuration enables long-term vector memory for broad categories including user preferences and conversation patterns without any visible data minimization, retention limits, consent controls, or access restrictions. This creates a real privacy and security risk because sensitive commercial or personal data may be retained and retrievable beyond what is necessary for a trade-assistance workflow.

Description-Behavior Mismatch (Medium, 91% confidence)

The document defines broad telemetry and external-intelligence collection, including behavior tracking, market scanning, and automatic update triggers, which materially expand the skill beyond a normal trade-advisory assistant. This creates a capability boundary problem: users may interact with a business-advice skill while it silently performs monitoring and adaptation functions they did not expect or consent to.

Description-Behavior Mismatch (Medium, 94% confidence)

The proposed automatic evolution and release workflow introduces self-modifying behavior for a skill that is presented as a domain expert assistant, not an autonomous software-maintenance system. Unreviewed or lightly reviewed content/version changes can degrade safety controls, introduce prompt injection persistence, or cause unauthorized capability drift over time.

Context-Inappropriate Capability (Medium, 95% confidence)

Emotion detection and detailed path tracking are unnecessary for a Yiwu trade advisory skill and create privacy and profiling risk disproportionate to the stated purpose. Collecting this level of behavioral and inferred psychological data can expose sensitive patterns, enable overcollection, and increase harm if logs are misused or breached.

Context-Inappropriate Capability (Medium, 88% confidence)

Competitor scanning and network intelligence collection are not clearly required for answering user trade questions and broaden the system into external surveillance and ingestion. This increases attack surface, legal/compliance risk, and the chance that untrusted external content influences future behavior or knowledge updates.

Context-Inappropriate Capability (High, 97% confidence)

Cross-skill knowledge transfer and self-diagnostic self-repair are high-risk unjustified capabilities because they allow changes or influence to propagate beyond the current skill boundary. In this context, they could spread bad data, unsafe behavior, or compromised logic across other skills and make unauthorized self-modification harder to detect and contain.

Context-Inappropriate Capability (Medium, 91% confidence)

The document specifies behavior tracking, surveys, community ingestion, and ticket integration as built-in capabilities without clearly limiting what data is collected, under what authority, or for what minimum necessary purpose. In a trade-consulting skill, this creates a real risk of unnecessary collection and cross-source aggregation of user data, which can expose sensitive business, operational, or personal information.

Description-Behavior Mismatch (Medium, 96% confidence)

The design sends customer history, conversation history, and customer metadata to an external LLM provider without any minimization, consent, or privacy controls. In a trade/CRM context, this can expose sensitive commercial and personal data to a third party, creating confidentiality, compliance, and data-governance risk.

Vague Triggers (Medium, 90% confidence)

Several triggers are broad topical phrases such as '义乌外贸', '小商品出海', and '跨境支付', which can cause the skill to activate on ordinary user queries instead of explicit invocation. That increases the chance of unintended routing, prompt-context injection into unrelated conversations, or accidental execution of skill-specific behavior when the user only seeks general information.

Vague Triggers (Medium, 88% confidence)

The trigger list includes broad terms such as “跨境支付”, “外贸财务”, “汇率管理”, and “数据分析”, which can match many general business or finance queries outside this skill’s narrow Yiwu trade context. Over-broad activation can cause the agent to invoke this skill in unrelated contexts, leading to inappropriate domain-specific guidance, accidental disclosure of internal playbooks, or bypass of a more suitable specialized skill.

Vague Triggers (Medium, 89% confidence)

The trigger list includes broad business terms such as '义乌外贸', '小商品出海', '跨境支付', and '外贸财务' that could plausibly appear in normal conversation without an explicit intent to invoke the skill. This can cause accidental activation and unrequested domain-specific guidance, which is a real prompt-scope and routing risk even though the content itself is not overtly malicious.

Natural-Language Policy Violations (Medium, 81% confidence)

The skill metadata and triggers are entirely in Chinese with no language declaration, negotiation, or user opt-in behavior. In multilingual environments this can lead to unintended activation, misinterpretation, or delivery of guidance in a language the user did not request, which is a usability and control-boundary issue rather than a direct exploit primitive.

Vague Triggers (Medium, 89% confidence)

The skill description is broadly phrased around any user need for pricing, trends, bargaining, or cost accounting, without clear scope boundaries, authorization checks, or routing constraints. In an agent system, this can cause over-triggering and inappropriate invocation on loosely related requests, increasing the chance of unnecessary data access, misleading automation, or agent behavior outside the user’s intended task.

Vague Triggers (Medium, 92% confidence)

The trigger list mixes concrete actions with ambiguous scenarios like asking whether a price can be cheaper, bargaining help, bulk pricing consultation, and price alerts, which are broad enough to match many ordinary conversations. This makes the skill more likely to activate when not appropriate, potentially exposing internal pricing tools or generating negotiation and cost outputs without sufficient context, validation, or user intent confirmation.

Missing User Warnings (Medium, 95% confidence)

The skill explicitly uses user browsing/purchase history for collaborative filtering and records empty queries for later analysis, but provides no notice, consent mechanism, retention limits, or purpose limitation. This creates a privacy and compliance risk because behavioral data can reveal sensitive commercial interests and be processed beyond what the user reasonably expects.

Missing User Warnings (Low, 88% confidence)

The skill supports image-based product search but does not warn users that uploaded images will be processed and potentially stored or analyzed by backend matching systems. Even if intended for search only, images may contain personal, location, or proprietary business information, so silent processing increases privacy risk.

Vague Triggers (Medium, 85% confidence)

The frontmatter description says the skill triggers whenever a user needs supplier evaluation, comparison, or recommendation, but it does not define strict routing boundaries or confirmation requirements. In an agentic system, broad trigger phrasing can cause the skill to activate on loosely related procurement conversations and access supplier/compliance data unnecessarily, increasing the chance of unintended actions or disclosure.

Vague Triggers (Medium, 94% confidence)

The auto-trigger list includes ambiguous scenarios like clicking a supplier detail page and general procurement-stage screening, which may invoke the skill without a clear user request. That can lead to silent data retrieval, scoring, or recommendation generation based on mere navigation behavior rather than informed user intent.

Missing User Warnings (Medium, 92% confidence)

The skill explicitly supports bulk WhatsApp outreach, status tracking, and persistent customer profiling, but it provides no safeguards around lawful basis, consent, opt-out handling, data minimization, or cross-border personal data processing. In a sales automation context, this can enable spam, unlawful marketing contact, and inappropriate collection or retention of customer data at scale.

Missing User Warnings (Medium, 95% confidence)

The memory design stores long-term conversation history, customer lists, FAQ interactions, and transaction pricing data without any retention policy, sensitivity classification, or deletion controls. This creates unnecessary exposure of personal and commercially sensitive information, increasing the risk of privacy violations, insider misuse, and data leakage if the system is compromised or misused.

Vague Triggers (Medium, 90% confidence)

The skill description says it triggers whenever customer characteristics, tagging, activity tracking, or segmentation are needed, which is broad enough to activate during ordinary CRM viewing and editing flows. In this context, overbroad activation can cause unnecessary profiling and data processing on personal/business contact data without clear user intent or minimization, increasing privacy and compliance risk.

Vague Triggers (Medium, 90% confidence)

The automatic trigger list includes common workflow events such as viewing customer details, filtering groups, and recommendation support, without conditions, approval, or least-privilege limits. That makes silent profiling and follow-on actions more likely during normal operations, which can expose personal data and create unauthorized automated decisioning.

Missing User Warnings (Medium, 94% confidence)

This section instructs collection of identifiable customer data including name, company, region, WhatsApp, email, communication records, and inferred preferences, but provides no privacy notice, lawful-basis check, consent handling, retention policy, or access restrictions. In a sales/CRM context, this is more dangerous because the skill is explicitly designed to aggregate and infer sensitive commercial behavior at scale, creating material privacy, compliance, and misuse risk.

Missing User Warnings (Medium, 88% confidence)

The skill output includes recommendations like sending follow-ups and product recommendations, and elsewhere the workflow mentions triggering personalized recommendations and wake-up messages, but there is no warning or approval step for automated outbound contact. In practice, this can lead to unreviewed messaging based on inferred profiling data, increasing spam, consent, and regulatory risk.

Missing User Warnings (Medium, 90% confidence)

The skill explicitly generates downloadable quote files and attachments containing supplier and customer details, but it does not require access controls, signed/expiring URLs, redaction, or user warning before sharing. In a sales workflow, quote PDFs and spreadsheets commonly include pricing, contact information, and commercial terms, so insecure links or broad attachment distribution can expose sensitive business data to unintended recipients.

VirusTotal

66/66 vendors flagged this skill as clean.
