1688 Shopkeeper

Security checks across malware telemetry and agentic risk

Overview

The skill appears purpose-aligned for 1688 product sourcing and listing, but it asks users to paste and persist a sensitive access key in chat while also enabling real store-publishing actions.

Install only if you are comfortable giving this skill an AK that can query shops and publish listings. Treat the AK like a password: prefer a dedicated low-privilege key if available, rotate it after testing, verify every publish action before approving it, and avoid pasting production credentials into ordinary chat unless your OpenClaw environment provides safe secret handling.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • Trigger Abuse: Overly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • MCP Least Privilege: Underdeclared Capability, Wildcard Permission, Missing Permission Declaration
  • MCP Tool Poisoning: Hidden Instructions, Unicode Deception, Parameter Description Injection
Findings (10)

Lp3

Severity: Medium
Category: MCP Least Privilege
Confidence: 93%
Finding: The skill declares powerful capabilities through metadata and documented behavior (reading environment secrets, reading local reference files, writing configuration, and making network-backed marketplace operations) without an explicit permissions model or user-facing consent boundary. In a commerce/publishing skill, this is dangerous because it handles AK credentials and can perform external side effects such as product publication to downstream stores, so hidden or implicit capability use increases the chance of unauthorized data access or unintended actions.

Context-Inappropriate Capability

Severity: Medium
Confidence: 95%
Finding: The documentation instructs the agent to take a user-supplied AK, write it via a configuration command, and then reuse it across the session. This creates unnecessary secret persistence and broad secret propagation, increasing the chance of leakage through logs, config files, crash reports, or later tool invocations.

Intent-Code Divergence

Severity: Medium
Confidence: 89%
Finding: The security note claims the AK is not uploaded to servers, but the documented workflow explicitly passes the secret through agent-controlled command invocations and persistence mechanisms. That claim can mislead users into oversharing a sensitive credential under false assumptions about handling and exposure.

Missing User Warnings

Severity: High
Confidence: 98%
Finding: The README explicitly instructs users to provide an Access Key directly to the AI chat, but gives no warning that the AK is a sensitive credential. Secrets pasted into chat may be logged, retained, exposed to plugins/tools, or mishandled by downstream systems, enabling unauthorized access to the user's 1688 account or linked commerce operations.

Vague Triggers

Severity: Medium
Confidence: 86%
Finding: The trigger phrases include broad shopping-related terms like '选品' (product selection), '铺货' (distributing products to stores), and '上架' (putting a product up for sale), which can plausibly appear in normal conversation and cause the skill to activate when the user did not intend to invoke this specific tool. Because the skill can read credentials and eventually publish listings to external platforms, accidental activation is more dangerous here than in a read-only informational skill.

Missing User Warnings

Severity: Medium
Confidence: 98%
Finding: The instructions place the full AK directly into shell commands as a command-line argument and environment variable prefix. Secrets passed this way may be exposed via shell history, process listings, telemetry, debugging tools, or agent/tool logs, making credential compromise likely on shared or monitored systems.

Natural-Language Policy Violations

Severity: Medium
Confidence: 94%
Finding: The FAQ explicitly advises users to use hostile, deceptive phrasing such as threatening a 315 complaint in order to trigger escalation to a human agent. This encourages manipulation of platform support workflows, can constitute harassment or policy evasion, and may expose merchants or users to account penalties, complaint abuse, or reputational harm.

Ssd 3

Severity: High
Confidence: 99%
Finding: The instruction '我的AK是 xxx' ("my AK is xxx") normalizes disclosure of a live credential in conversation, which is an unsafe secret-handling pattern. In this skill's context, the AK appears to grant access to product sourcing and store distribution actions across linked downstream shops, so compromise could let an attacker query account data or perform unauthorized listing and shop-management actions.

Ssd 3

Severity: High
Confidence: 98%
Finding: The skill explicitly tells the user to reveal their full AK in chat, which is a sensitive credential-handling anti-pattern. Chat channels are often logged, retained, or exposed to operators and integrations, so collecting secrets there materially increases the risk of credential theft.

Ssd 3

Severity: High
Confidence: 99%
Finding: The workflow directs the agent to extract the AK from the user's message and prepend the full secret to all subsequent commands in the session. In the context of an e-commerce automation skill that performs multiple downstream actions, this expands the secret's exposure surface across many executions and increases the probability of logging or accidental disclosure.

VirusTotal

VirusTotal findings are pending for this skill version.