1688 To Ozon

Security checks across malware telemetry and agentic risk

Overview

The skill matches its stated e-commerce automation purpose, but it bundles real-looking credentials and can publish products or send product data to external services with weak safeguards.

Install only after replacing and rotating all bundled credentials, confirming you control every external destination, and treating normal runs as live production publishing. Use an isolated workspace, disable Feishu unless explicitly needed, verify data sent to OCR/translation/image-hosting providers, and require a real dry-run or manual confirmation before OZON uploads.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Privilege Escalation: Excessive Permissions, Sudo/Root Execution, Credential Access
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • Trigger Abuse: Overly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • MCP Least Privilege: Underdeclared Capability, Wildcard Permission, Missing Permission Declaration
Findings (29)

Lp3

Medium
Category
MCP Least Privilege
Confidence
93% confidence
Finding
The skill declares only an allowed Bash entrypoint, but the analyzer detected shell and environment-variable capabilities without an explicit permissions model. This can hide access to secrets or enable command execution beyond what a reviewer expects, which is especially risky for a scraping-and-upload automation that likely handles API credentials.

Tp4

High
Category
MCP Tool Poisoning
Confidence
95% confidence
Finding
The skill description understates the actual behavior by omitting OCR, bilingual content generation, image hosting/translation, Feishu notifications, OZON dictionary queries, and repair/resubmission scripts. This matters because users and reviewers may not realize product data, images, and progress metadata are sent to multiple third parties, increasing data exposure and making informed consent and review difficult.

Context-Inappropriate Capability

Medium
Confidence
94% confidence
Finding
The migration report discloses and normalizes additional credentialed integrations beyond the stated 1688→OZON upload purpose, including live OZON API credentials and third-party translation/OCR services. Even though this is documentation, exposing or encouraging storage of active secrets broadens the attack surface and can enable unauthorized access, abuse of paid services, or compromise of seller operations if the file is shared, indexed, or reused.

Context-Inappropriate Capability

Medium
Confidence
94% confidence
Finding
The skill contains Feishu notification and chat-routing logic that is not essential to the core 1688-to-OZON listing workflow, and it activates external messaging when the log flag is used. In a security context, undisclosed outbound communication broadens the data-exfiltration surface because product details, workflow status, and identifiers may be sent to a third-party channel outside the user's expectation.

Context-Inappropriate Capability

Medium
Confidence
93% confidence
Finding
This logger utility contains unrelated Feishu authentication and notification logic, expanding its privileges beyond simple logging/progress tracking. Embedding external messaging and token-handling inside a low-level utility increases the chance of unnoticed data egress and makes downstream code invoke network-capable behavior from an innocuous-looking module.

Context-Inappropriate Capability

Medium
Confidence
96% confidence
Finding
The module executes external commands (curl and openclaw) from a utility file, which creates hidden command-execution and outbound-communication behavior unrelated to core logging. Because message content is interpolated into a shell command, this also raises command-injection risk if untrusted input reaches the notification path.

Intent-Code Divergence

Medium
Confidence
84% confidence
Finding
The header describes only logging and progress reporting, but the file also performs Feishu authentication and message sending. This mismatch obscures the module's true behavior, reducing reviewability and making hidden outbound communication harder for users and auditors to detect.

Context-Inappropriate Capability

Medium
Confidence
87% confidence
Finding
The script reads product data from a workspace path in another project tree using process.cwd(), which expands its data access beyond a narrowly scoped OZON attribute-fix tool. In the skill context, this is dangerous because it can unintentionally ingest unrelated or attacker-prepared data and then use it for a live marketplace update.

Context-Inappropriate Capability

Medium
Confidence
94% confidence
Finding
Rather than removing duplicate attributes, this code re-imports the entire product object to OZON via /v3/product/import. A full overwrite is broader than the stated purpose and can modify unrelated fields, causing unintended listing corruption or publication of stale/tampered data.

Context-Inappropriate Capability

Medium
Confidence
95% confidence
Finding
The second code path repeats the same unsafe pattern by sending the full product for import instead of performing a minimal attribute repair. Because this script is marketed as a fix utility, the broad write scope is especially risky and may lead users to trigger destructive updates they do not expect.

Context-Inappropriate Capability

Medium
Confidence
95% confidence
Finding
The script globally sets process.env.NO_PROXY='*', disabling proxy use for all outbound connections in the process, not just OZON traffic. This changes host networking behavior in a broad way that can bypass enterprise monitoring, egress controls, or security gateways, making the skill more dangerous than its narrow upload purpose suggests.

Missing User Warnings

Medium
Confidence
91% confidence
Finding
The report explicitly documents use of multiple third-party services (e.g. OCR, LLM, image translation, image hosting, and OZON upload) and encourages real-environment testing, but it does not warn that product data, images, or account-linked actions will be sent to external providers. In this skill context, that omission is meaningful because the workflow handles merchant content and can trigger marketplace-side changes, so users may unknowingly expose data or affect production listings.

Missing User Warnings

Medium
Confidence
93% confidence
Finding
The README instructs users to copy a template into a real config file and place OZON API credentials there, but it does not warn that these secrets must be protected, excluded from version control, and permission-restricted. In a shared skill directory context, this omission increases the chance of accidental credential exposure to other agents, users, backups, or commits, which could enable unauthorized API access to the seller account.

Missing User Warnings

Medium
Confidence
95% confidence
Finding
The README states that output directories are automatically cleared before every run, including normal and debug modes, without any safeguard or warning about destructive behavior. In a shared or misconfigured workspace, this can cause unintended deletion of valuable files or prior run artifacts, leading to data loss and operational disruption.

Missing User Warnings

Medium
Confidence
93% confidence
Finding
The README describes automatic upload of product images to third-party hosting services but does not warn users that images and embedded content may be disclosed externally. This creates a privacy and data-governance risk, especially if images contain supplier information, personal data, watermarks, or confidential business material.

Vague Triggers

Medium
Confidence
91% confidence
Finding
The trigger phrase 'op' is so broad that it can be invoked accidentally during unrelated conversations or workflows. Because this skill performs scraping and uploads to external platforms, unintended activation could expose data, start browser automation, or perform marketplace actions without clear user intent.

Missing User Warnings

Medium
Confidence
94% confidence
Finding
The skill description does not clearly warn that scraped product data and images are uploaded to external platforms and services. In this context, omission is security-relevant because operators may provide URLs or content without understanding that images, text, and possibly derived metadata will be transmitted to third parties.

Missing User Warnings

High
Confidence
99% confidence
Finding
Hardcoded Feishu App ID and App Secret embed live credentials directly in the source code and enable external notification behavior without meaningful user disclosure. This is dangerous because anyone with code access can reuse the secret, and the skill can transmit operational data to external infrastructure under credentials the operator did not explicitly configure.

Missing User Warnings

Medium
Confidence
88% confidence
Finding
The script automatically clears the output directory at startup when beginning from step 1, without explicit confirmation or a safety prompt. This can cause unintended data loss, especially if the output path is shared, misconfigured, or contains prior workflow artifacts the user expected to preserve.

Missing User Warnings

Medium
Confidence
94% confidence
Finding
The function writes product metadata, OCR text, prompt content, and output file paths into predictable files under the system temporary directory without setting restrictive permissions, performing cleanup, or obtaining user consent. On multi-user systems or shared agent environments, other local processes may read these files, exposing potentially sensitive supplier, pricing, or image-derived data and leaking prompt contents used for downstream generation.

Missing User Warnings

High
Confidence
99% confidence
Finding
Hardcoded Feishu App credentials are embedded directly in source and used for authentication to an external service. Anyone with code access can extract and abuse these secrets, potentially impersonating the application, sending messages, or accessing associated Feishu resources.

Missing User Warnings

Medium
Confidence
92% confidence
Finding
The notification function transmits message content to Feishu via shell execution without clear user disclosure or consent. In the context of a 1688-to-OZON automation skill, this hidden external messaging capability increases the risk of exfiltrating operational data, product details, errors, or secrets to a third party.

Missing User Warnings

Medium
Confidence
89% confidence
Finding
This code sends full image contents to Baidu OCR and transmits API credentials to obtain an access token, but does so via shell-invoked curl commands rather than a safer HTTP client. While this appears to be expected functionality for an OCR integration rather than overtly malicious behavior, it creates privacy and security risk: potentially sensitive images are sent to a third party, and secrets interpolated into shell command strings may leak via process inspection or logs, or break the command if special characters are present.

Missing User Warnings

High
Confidence
95% confidence
Finding
Downloaded images are passed into OCR processing without any visible consent gate or disclosure that image contents may be sent to an external OCR provider. Because product images can contain embedded text, branding, contact details, or other business-sensitive material, this can cause unintended third-party data disclosure during normal workflow execution.

Missing User Warnings

Medium
Confidence
88% confidence
Finding
The Feishu notification path sends workflow status and product-related metadata to an external messaging service when ENABLE_FEISHU is set, but the file provides no consent prompt or redaction safeguards. In an automation context handling supplier/product information, even operational summaries can leak commercially sensitive details to unintended recipients or misconfigured webhooks.

VirusTotal

66/66 vendors flagged this skill as clean.
