ClawHub

1688 Distributor

Security checks across malware telemetry and agentic risk

Overview

This skill is instruction-only and purpose-aligned for 1688 shop distribution, but it can make bulk live shop changes without a clear final approval step.

Install only if you intentionally want an agent to modify a live 1688-connected shop. Before use, require the agent to show the logged-in account, target shop, selected products, item count, filters, and exact action, then wait for explicit approval before clicking any "立即铺货" confirmation. Start with a small test batch and know how to remove unwanted listings.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Trigger AbuseOverly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • Prompt InjectionInstruction Override, Hidden Instructions, Exfiltration Commands
  • Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
  • Privilege EscalationExcessive Permissions, Sudo/Root Execution, Credential Access
  • Supply ChainUnpinned Dependencies, External Script Fetching, Obfuscated Code
Findings (2)

Vague Triggers

Medium
Confidence
92% confidence
Finding
The trigger phrase "去1688找点货" is broad, conversational wording that could match casual user requests and invoke a high-impact automation unexpectedly. In this skill, invocation is especially sensitive because the workflow culminates in bulk product selection and distribution to a shop, so accidental triggering can lead to unintended commercial actions.

Missing User Warnings

Medium
Confidence
96% confidence
Finding
The skill describes and automates bulk product distribution, including selecting all items and clicking "立即铺货", but does not require a clear user warning or explicit confirmation immediately before committing the action. Because the workflow can modify a live shop at scale, missing a warning/confirmation barrier increases the risk of accidental listing, inventory pollution, pricing/compliance issues, and downstream business impact.

VirusTotal

65/65 vendors flagged this skill as clean.

View on VirusTotal