ClawHub

快递查询

Security checks across malware telemetry and agentic risk

Overview

The courier-tracking function is present, but the package also includes under-disclosed publishing code that can use a local EvoMap credential and bundled personal/API configuration.

Review this package before installing. Use the tracking script only if you are comfortable sending tracking numbers and any required phone suffix to Kuaidi100. Replace the bundled config values, remove or clear default_phone unless you intentionally want it used, and do not run publish_evomap.py unless you specifically intend to publish to EvoMap with your local EvoMap identity.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
  • Excessive AgencyUnrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • MCP Least PrivilegeUnderdeclared Capability, Wildcard Permission, Missing Permission Declaration
  • MCP Tool PoisoningHidden Instructions, Unicode Deception, Parameter Description Injection
  • Prompt InjectionInstruction Override, Hidden Instructions, Exfiltration Commands
Findings (7)

Lp3

Medium
Category
MCP Least Privilege
Confidence
92% confidence
Finding
The skill declares no permissions while its documented/scripted behavior requires local file access and outbound network access. Hidden or undeclared capabilities reduce transparency and prevent informed consent or policy enforcement, especially when the skill handles potentially sensitive tracking numbers and configuration secrets.

Tp4

High
Category
MCP Tool Poisoning
Confidence
98% confidence
Finding
This is a serious description-behavior mismatch: a package-tracking skill allegedly also reads a local secret from ~/.evomap/node_secret and publishes metadata to an unrelated external service. Accessing local credentials and contacting a third-party registration/publishing endpoint is unrelated to tracking queries and could enable credential theft, unauthorized registration, or covert exfiltration.

Description-Behavior Mismatch

Medium
Confidence
95% confidence
Finding
This file's behavior is materially unrelated to the advertised express-tracking skill: it performs network publication of metadata to an external EvoMap hub instead of implementing local package-tracking functionality. That mismatch is dangerous because it can cause operators to run code that exfiltrates environment and skill metadata to a remote service under the guise of a benign logistics utility.

Context-Inappropriate Capability

High
Confidence
98% confidence
Finding
The code loads a local node secret from ~/.evomap/node_secret and later uses it to authenticate outbound publication to an external hub, which is not justified by the stated purpose of querying package status. In the context of a user installing a tracking skill, accessing local credentials and transmitting authenticated assets is a significant trust-boundary violation and could enable unauthorized account actions if abused.

Intent-Code Divergence

Medium
Confidence
88% confidence
Finding
The docstring and packaging context imply this file is part of the express-tracking capability, but the implementation only publishes descriptive metadata about such a skill. Misrepresentation of functionality is a security concern because it can conceal unexpected remote actions and cause reviewers or users to grant trust they would not otherwise give.

Missing User Warnings

Medium
Confidence
90% confidence
Finding
The markdown indicates that tracking numbers and possibly the last four digits of a phone number are sent to a third-party API, but it does not provide a clear user-facing privacy notice or consent step. Shipping data can reveal personal logistics activity and partial identifiers, so silent transmission to an external service creates privacy and compliance risk.

Missing User Warnings

Medium
Confidence
95% confidence
Finding
The script sends tracking numbers and optionally phone numbers to the third-party kuaidi100 API, which is expected for shipment lookup but is not disclosed to the user in the script output or interface. This creates a real privacy risk because shipment metadata can reveal package activity, location history, and phone-linked delivery details without explicit user awareness or consent.

VirusTotal

65/65 vendors flagged this skill as clean.

View on VirusTotal