Yunshang Aifei Cli Share

Security checks across malware telemetry and agentic risk

Overview

This OA (office automation) client mostly matches its stated purpose, but it needs review because it can make broad authenticated changes to production business data and stores session tokens on local disk.

Install only if you intend to let this skill access a real Yunshang Aifei OA account and potentially modify OA records. Use the lowest-privilege account possible, avoid the raw POST/PUT path unless you have reviewed the target endpoint, protect or delete cached token files, and confirm that plain-HTTP transport and the sending of CAPTCHA images to DashScope (an external model API) are acceptable for your organization.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Supply Chain: Unpinned Dependencies, External Script Fetching, Obfuscated Code
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • MCP Tool Poisoning: Hidden Instructions, Unicode Deception, Parameter Description Injection
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
Findings (12)

Context-Inappropriate Capability

Severity: Medium
Confidence: 86%
Finding: The skill is presented as an OA API client, yet it also documents a DingTalk robot push path that sends data to an external third-party service. This broadens the skill's data flow and creates a realistic risk of exfiltrating internal OA content, employee names, and the mobile numbers used to target notifications, without clear scoping or user consent.

Intent-Code Divergence

Severity: Medium
Confidence: 95%
Finding: The top-level docstring advertises the CLI as a fixed set of read-oriented query commands, but the implementation also exposes a generic `raw` subcommand that can call arbitrary API paths with arbitrary methods. The mismatch is security-relevant because users or downstream agents may trust the documented surface and overlook that the tool can reach undocumented endpoints, including sensitive or state-changing ones.

Intent-Code Divergence

Severity: Medium
Confidence: 99%
Finding: The module docstring states that there is no hardcoded sensitive information, but the file embeds a fixed SM4 key in source. A hardcoded symmetric key is sensitive because anyone with code access can decrypt protected payloads or forge encrypted requests, and it cannot be rotated without shipping new code; the misleading docstring also makes it likely that reviewers miss the issue.

Missing User Warnings

Severity: Medium
Confidence: 91%
Finding: The skill documents remote write operations and local token caching but gives no warning that it can modify production data or persist authentication material on disk. In a real environment this raises the chance of unintended data changes and of credential or token exposure through local file compromise, backup leakage, or shared workstations.

Missing User Warnings

Severity: Medium
Confidence: 90%
Finding: The DingTalk webhook example transmits message content and targeted mobile numbers to an external service without any user-facing disclosure. This can move internal business information and personal data outside the OA system, especially if users copy the pattern directly into production workflows.

Missing User Warnings

Severity: Medium
Confidence: 97%
Finding: The `raw` command allows arbitrary `POST` and `PUT` requests to user-supplied paths with user-supplied JSON bodies, effectively turning the CLI into a generic authenticated API client. For an enterprise business-system CLI that otherwise appears query-focused, this enables accidental or unauthorized modification of remote data, especially when an agent or user assumes the tool is read-only.
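The two `raw`-related findings above (the undocumented subcommand and its unrestricted POST/PUT use) describe the same gap: nothing stands between a user-supplied method and path and the authenticated OA API. The following is an added example, not code from the skill or from Yunshang Aifei, of a policy gate a reviewer would ask for in front of such a subcommand. It allows reads only under reviewed path prefixes and writes only with an explicit opt-in plus an exact (method, path) match; every route string in it is a constructed placeholder, not a real OA endpoint.

```python
"""Added example, not the skill's own code: a policy gate for a generic `raw`
subcommand. Reads must fall under reviewed path prefixes; writes need an explicit
opt-in and an exact (METHOD, path) match. All paths are constructed placeholders."""
import re
from dataclasses import dataclass
from urllib.parse import unquote

READ_METHODS = frozenset({"GET", "HEAD"})
WRITE_METHODS = frozenset({"POST", "PUT", "PATCH", "DELETE"})


class RawRequestDenied(Exception):
    """Raised when a raw request does not match the policy."""


@dataclass(frozen=True)
class RawPolicy:
    # Path prefixes reviewed for read-only use (placeholder value, not a real route).
    read_prefixes: tuple = ("/api/v1/query/",)
    # Exact (METHOD, path) pairs reviewed for writes (default: none).
    write_allow: frozenset = frozenset()
    # Writes additionally require the operator to opt in, e.g. via a --allow-writes flag.
    allow_writes: bool = False


def normalize_path(path: str) -> str:
    """Reduce a user-supplied path to a server-relative route the policy can judge."""
    if not path.startswith("/") or path.startswith("//") or "://" in path:
        raise RawRequestDenied(f"path must be server-relative, got {path!r}")
    route = re.split(r"[?#]", path, maxsplit=1)[0]  # the policy keys on the route only
    route = unquote(route)  # decode once so %2e%2e becomes .. and is caught below
    if ".." in route.split("/") or "\\" in route:
        raise RawRequestDenied(f"traversal or backslash in path {path!r}")
    return route


def check_raw_request(method: str, path: str, policy: RawPolicy) -> str:
    """Return the normalized route if the request is permitted, else raise."""
    method = method.upper()
    route = normalize_path(path)
    if method in READ_METHODS:
        if any(route.startswith(prefix) for prefix in policy.read_prefixes):
            return route
        raise RawRequestDenied(f"{method} {route} is outside the reviewed read prefixes")
    if method in WRITE_METHODS:
        if not policy.allow_writes:
            raise RawRequestDenied(f"{method} {route} refused: writes are not enabled")
        if (method, route) in policy.write_allow:
            return route
        raise RawRequestDenied(f"{method} {route} is not a reviewed write endpoint")
    raise RawRequestDenied(f"unsupported method {method!r}")


def is_allowed(method: str, path: str, policy: RawPolicy) -> bool:
    """Boolean form of check_raw_request, convenient for dry runs and tests."""
    try:
        check_raw_request(method, path, policy)
        return True
    except RawRequestDenied:
        return False
```

The gate decodes percent-encoding exactly once before the traversal check; a server that decodes twice would need the check repeated after a second `unquote`. Keeping writes behind both a flag and an exact-match list means an agent that was told the tool is read-only cannot reach a state-changing endpoint by accident, and every write route in the list has a reviewer's name attached to it.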

Missing User Warnings

Severity: Medium
Confidence: 98%
Finding: The client is configured with plain HTTP for both the test and production base URLs, and it sends login credentials, bearer tokens, and business data over those connections. SM4 encryption of some request bodies does not help here: HTTP still exposes headers (including the bearer token), cookies, endpoint paths, and every unencrypted request such as GETs to interception or modification by an on-path attacker.
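The hardcoded SM4 key, the on-disk token cache and the plain-HTTP base URLs called out above are all configuration-level defects with mechanical fixes. The following is an added example, not code from the skill or its vendor, of the three hardening steps a reviewer would ask for: refuse a base URL that is not https, load the SM4 key from the environment rather than from source, and write the cached token with owner-only permissions. The variable names `OA_BASE_URL` and `OA_SM4_KEY` and the token file location are assumptions chosen for the example, not the skill's real names.

```python
"""Added example, not the skill's own code: https-only base URL, SM4 key from the
environment instead of source, and an owner-only token cache. OA_BASE_URL,
OA_SM4_KEY and the token path are assumed names, not the skill's real ones."""
import os
import stat
import tempfile
from urllib.parse import urlsplit

SM4_KEY_BYTES = 16  # SM4 is a 128-bit block cipher with a 128-bit key


def require_https_base_url(url: str) -> str:
    """Accept only https://host[/path]; plain http exposes the bearer token header
    and every unencrypted request to an on-path observer, whatever the body encryption."""
    parts = urlsplit(url)
    if parts.scheme != "https" or not parts.netloc:
        raise ValueError(f"base URL must use https, got {url!r}")
    return url.rstrip("/")


def load_sm4_key(env: dict, var: str = "OA_SM4_KEY") -> bytes:
    """Read a hex-encoded SM4 key from the environment; never fall back to a key
    embedded in the code, since that key cannot be rotated or kept secret."""
    raw = env.get(var, "")
    if not raw:
        raise ValueError(f"{var} is not set")
    try:
        key = bytes.fromhex(raw)
    except ValueError:
        raise ValueError(f"{var} is not valid hex") from None
    if len(key) != SM4_KEY_BYTES:
        raise ValueError(f"{var} must be {SM4_KEY_BYTES} bytes, got {len(key)}")
    return key


def config_problems(env: dict) -> list:
    """Collect every configuration problem; an empty list means acceptable."""
    problems = []
    for check in (lambda: require_https_base_url(env.get("OA_BASE_URL", "")),
                  lambda: load_sm4_key(env)):
        try:
            check()
        except ValueError as exc:
            problems.append(str(exc))
    return problems


def write_token_cache(token_path: str, token: str) -> None:
    """Persist the session token with mode 0600 and replace any old file atomically,
    so the cache is never group- or world-readable, not even briefly."""
    directory = os.path.dirname(os.path.abspath(token_path))
    fd, tmp = tempfile.mkstemp(prefix=".token-", dir=directory)  # mkstemp creates 0600
    try:
        with os.fdopen(fd, "w") as fh:
            fh.write(token)
        os.replace(tmp, token_path)
    except BaseException:
        os.unlink(tmp)
        raise


def token_cache_is_private(token_path: str) -> bool:
    """True if the cache exists, is a regular file, and has no group/other bits."""
    try:
        mode = os.stat(token_path).st_mode
    except FileNotFoundError:
        return False
    return stat.S_ISREG(mode) and (mode & (stat.S_IRWXG | stat.S_IRWXO)) == 0


def token_cache_roundtrip(token: str = "constructed-session-token") -> bool:
    """Self-check: write a constructed token into a temp dir, verify mode and content."""
    with tempfile.TemporaryDirectory() as workdir:
        path = os.path.join(workdir, "oa_token.json")
        write_token_cache(path, token)
        with open(path) as fh:
            return token_cache_is_private(path) and fh.read() == token
```

The permission check is POSIX-specific; on Windows the file's ACL, not its mode bits, decides who can read the cache. Refusing to start on an `http://` base URL is deliberate rather than silently upgrading the scheme, because a silent rewrite would hide a misconfiguration that the operator needs to see.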

Unpinned Dependencies (gmssl)

Severity: Low
Category: Supply Chain
Content: gmssl, requests, python-dotenv
Confidence: 94%
Finding: gmssl is listed without a pinned version, so the installed release is whatever resolves at install time.

Unpinned Dependencies (requests)

Severity: Low
Category: Supply Chain
Content: gmssl, requests, python-dotenv
Confidence: 99%
Finding: requests is listed without a pinned version, so the installed release is whatever resolves at install time.

Unpinned Dependencies (python-dotenv)

Severity: Low
Category: Supply Chain
Content: gmssl, requests, python-dotenv
Confidence: 96%
Finding: python-dotenv is listed without a pinned version, so the installed release is whatever resolves at install time.

Known Vulnerable Dependency: requests

Severity: High
Category: Supply Chain
Confidence: 88%
Finding: requests matches 10 advisories, including CVE-2014-1830 (Exposure of Sensitive Information to an Unauthorized Actor in Requests), CVE-2024-47081 (Requests vulnerable to .netrc credentials leak via malicious URLs) and CVE-2024-35195 (Requests `Session` object does not verify requests after making first request wi), plus 7 more. Because the dependency is unpinned, whether an affected release is installed depends on what resolves at install time; check the resolved version against each advisory's affected range.

Known Vulnerable Dependency: python-dotenv

Severity: Low
Category: Supply Chain
Confidence: 77%
Finding: python-dotenv matches 1 advisory: CVE-2026-28684 (python-dotenv: Symlink following in set_key allows arbitrary file overwrite via ). As with requests, the dependency is unpinned, so the installed release is whatever resolves at install time.
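The three unpinned-dependency findings and the two known-vulnerable-dependency findings above are two sides of one problem: without exact pins, the resolved versions of gmssl, requests and python-dotenv are unknown until install time, so the advisory matches cannot be confirmed or ruled out from the manifest alone. The following is an added example, not code from the skill or from any of those projects, of a small requirements checker that flags entries without an exact pin and pinned entries below an assumed minimum. Both requirement lists are constructed: the first mirrors the three names the report lists, the second is an illustrative pinned version of the same list. The `MIN_VERSIONS` floor for requests is an assumption to confirm against the advisory text before relying on it.

```python
"""Added example, not the skill's own code: flag requirements with no exact pin
and pinned requirements below an assumed minimum. Inputs are constructed;
MIN_VERSIONS is an assumption to verify against the advisories themselves."""
import re

# Constructed: the three dependency names the report lists, with no versions.
REQUIREMENTS_AS_REPORTED = """\
gmssl
requests
python-dotenv
"""

# Constructed: an illustrative pinned version of the same list.
REQUIREMENTS_PINNED = """\
gmssl==3.2.2            # illustrative pins; confirm against PyPI before use
requests==2.32.4
python-dotenv==1.1.1
"""

# Assumed floor: the two 2024 requests advisories named in the report are fixed in
# 2.32.0 (CVE-2024-35195) and 2.32.4 (CVE-2024-47081) per their upstream advisories.
MIN_VERSIONS = {"requests": (2, 32, 4)}

_SPEC = re.compile(
    r"^([A-Za-z0-9][A-Za-z0-9._-]*)\s*"                  # distribution name
    r"(?:(==|>=|<=|~=|!=|>|<)\s*([0-9][0-9A-Za-z.]*))?"  # optional operator + version
    r"\s*(?:;.*)?$"                                      # optional environment marker
)


def parse_version(text: str) -> tuple:
    """Numeric components only, which is enough for the comparisons made here."""
    return tuple(int(part) for part in re.findall(r"\d+", text))


def check_requirements(text: str, minimums: dict = MIN_VERSIONS) -> dict:
    """Classify each requirement line as pinned, unpinned, or pinned below a floor."""
    report = {"unpinned": [], "below_minimum": [], "pinned": {}}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()  # drop comments and surrounding whitespace
        if not line:
            continue
        match = _SPEC.match(line)
        if not match:
            report["unpinned"].append(line)  # unparseable: treat as unreviewed
            continue
        name, op, version = match.group(1).lower(), match.group(2), match.group(3)
        if op != "==":
            report["unpinned"].append(name)  # bare names and ranges both float
            continue
        report["pinned"][name] = version
        floor = minimums.get(name)
        if floor is not None and parse_version(version) < floor:
            report["below_minimum"].append(
                f"{name}=={version} < {'.'.join(map(str, floor))}")
    return report
```

An exact pin fixes which version installs but not whether the artifact is the one you reviewed; for that, add `--hash=sha256:...` entries and install with `pip install --require-hashes`. For the advisory question itself, run a tool such as pip-audit against the resolved environment rather than the manifest, since only the resolved version can be compared with an advisory's affected range.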

VirusTotal

VirusTotal engine telemetry is currently stale for this artifact.
