Back to skill

Security audit

design ecommerce

Security checks across malware telemetry and agentic risk

Overview

This image-editing skill mostly does what it claims, but its shell/API workflow needs Review because it uploads local images to remote services with broad controls and unsafe input handling.

Install only if you intend to send selected product images, image URLs, and listing details to Designkit/OpenClaw/Meitu services using an API key. Use a dedicated revocable key, avoid sensitive or regulated images, ask the agent to confirm before every upload or download, and prefer reviewed HTTPS endpoints until the input validation and endpoint allowlisting are tightened.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
  • Excessive AgencyUnrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • Trigger AbuseOverly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • Taint TrackingDirect Taint Flow, Variable-Mediated Taint Flow, Credential Exfiltration Chain
  • MCP Least PrivilegeUnderdeclared Capability, Wildcard Permission, Missing Permission Declaration
Findings (12)

Tainted flow: 'policy_req' from os.environ.get (line 374, credential/environment) → urllib.request.urlopen (network output)

Critical
Category
Data Flow
Content
policy_req.add_header("Origin", "https://www.designkit.cn")
    policy_req.add_header("Referer", "https://www.designkit.cn/editor/")
    try:
        with urllib.request.urlopen(policy_req, timeout=30) as resp:
            code = resp.getcode() or 200
            raw_policy = resp.read().decode()
            _request_log_response_json("policy_response_body", raw_policy, code)
Confidence
91% confidence
Finding
with urllib.request.urlopen(policy_req, timeout=30) as resp:

Lp3

Medium
Category
MCP Least Privilege
Confidence
95% confidence
Finding
The skill declares executable capabilities via metadata requirements (`bash`, `curl`, `python3`, env secret) and explicit shell/API execution instructions, but does not expose a clear permission model to constrain network, file, or shell use. This creates a transparency and governance gap: reviewers and platforms may treat it as a simple router while it can invoke scripts, read sub-skill files, and access secrets during execution.

Tp4

High
Category
MCP Tool Poisoning
Confidence
98% confidence
Finding
The top-level skill is presented primarily as a router, but the behavior described and inferred includes direct API execution, multi-step rendering workflows, file upload, polling, and repository/distribution artifact handling. This mismatch is dangerous because operators may grant trust and permissions based on the benign routing description while hidden or underdocumented behaviors perform materially broader actions.

Context-Inappropriate Capability

Medium
Confidence
92% confidence
Finding
The manifest requests shell access even though the described skill behavior is routing ecommerce image requests to sub-skills, which does not inherently require command execution. Unnecessary shell capability increases the blast radius of prompt injection, unsafe tool use, or downstream sub-skill compromise by enabling arbitrary local command execution.

Description-Behavior Mismatch

Medium
Confidence
94% confidence
Finding
The script does far more than the skill metadata claims: it reads credentials, uploads local files, and makes authenticated network requests to multiple external endpoints. In a skill advertised as a router between sub-skills, this creates a capability mismatch that can exfiltrate user-provided local files or send data to remote services without clear least-privilege boundaries.

Context-Inappropriate Capability

Medium
Confidence
93% confidence
Finding
The code consumes sensitive credential environment variables and initiates external API workflows even though the skill description says it should only route requests between ecommerce design sub-skills. This mismatch is dangerous because users or reviewers may grant the skill more trust than warranted, while it can perform authenticated actions and transmit data off-system.

Missing User Warnings

Medium
Confidence
90% confidence
Finding
The workflow definition includes direct calls to external remote services for style generation and rendering, but the manifest provides no user-facing disclosure that submitted images and related listing data will be transmitted off-platform. In an ecommerce imaging skill, users are likely to upload proprietary product photos or sensitive pre-launch marketing assets, so the lack of notice creates a real privacy and data-governance risk even if the endpoints are legitimate.

Vague Triggers

Medium
Confidence
73% confidence
Finding
The trigger list is broad and overlaps with common image-editing phrases, so this skill may activate for many ordinary requests beyond the user's intended tool. Over-broad invocation is dangerous because it can route users into a skill with elevated permissions, increasing unnecessary exposure to network, filesystem, and shell capabilities.

Missing User Warnings

Medium
Confidence
90% confidence
Finding
The manifest requests network, filesystem, and shell permissions but the user-facing description does not disclose these powerful capabilities or explain why they are needed. This reduces informed consent and makes accidental invocation more risky, especially given the broad triggers, because the skill could access local files, execute commands, or send data externally without clear user expectation.

Missing User Warnings

Medium
Confidence
93% confidence
Finding
The skill explicitly instructs the agent to auto-download all final images to the working directory without requiring user confirmation or clearly constraining the destination. Any skill behavior that performs automatic file writes can create unintended side effects, overwrite files, consume disk space, or place untrusted remote content onto the host filesystem, which is especially relevant in agent environments that may share a workspace with other tasks.

Missing User Warnings

Medium
Confidence
95% confidence
Finding
The skill explicitly states that local image files are automatically uploaded, but it does not require a user-facing disclosure or confirmation before transmitting those files to an external service. This creates a real privacy and data-handling risk because users may provide local images assuming purely local processing, while sensitive content or metadata could be sent off-device without informed consent.

External Transmission

Medium
Category
Data Exfiltration
Content
}

# ---------- 调用 OpenClaw API(提交任务) ----------
RESPONSE=$(curl -s -w "\n%{http_code}" -X POST "${REQUEST_URL}" \
  -H "Content-Type: application/json" \
  -H "X-Openclaw-AK: ${AK}" \
  -d "$BODY" \
Confidence
89% confidence
Finding
curl -s -w "\n%{http_code}" -X POST "${REQUEST_URL}" \ -H "Content-Type: application/json" \ -H "X-Openclaw-AK: ${AK}" \ -d

VirusTotal

66/66 vendors flagged this skill as clean.

View on VirusTotal

Static analysis

No suspicious patterns detected.