Huo15 Furniture Mfg

Security checks across malware telemetry and agentic risk

Overview

The skill is a legitimate ERP assistant, but it needs review because some write and delete capabilities are broader than the documentation claims.

Install only if you trust the publisher and the ERP account is scoped to the intended test system. Use a revocable low-privilege API key, avoid production credentials unless the skill is updated with enforced environment allowlists, and review every --yes write/delete preview carefully. The most important fixes before broad use are verifying that a note was actually created by this tool before deleting it, enforcing confirmation or allowlists in the shared client, and making the documentation match the full write surface.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • Trigger Abuse: Overly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • MCP Tool Poisoning: Hidden Instructions, Unicode Deception, Parameter Description Injection
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
Findings (12)

Description-Behavior Mismatch

Medium
Confidence: 90%
Finding
The file presents the skill as 'P0 全只读' (P0 fully read-only) while also documenting active write-capable paths gated by '--yes'. This mismatch can cause operators, reviewers, or downstream agents to treat the skill as read-only and invoke it with less scrutiny, increasing the chance of unintended state-changing operations against the ERP system. In a manufacturing/ERP context, even limited writes can alter orders, reminders, quotes, or quality records and affect real business workflows.

Intent-Code Divergence

Medium
Confidence: 87%
Finding
Describing the core client as a '只读 ORM 封装' (read-only ORM wrapper) while adjacent sections discuss ORM write behavior creates a trust-boundary and capability-confusion issue. If integrators assume the shared client layer is read-only, they may reuse it in higher-trust contexts or skip controls appropriate for mutation-capable tooling, which can lead to unauthorized or accidental writes in the HeySleep system.

Intent-Code Divergence

Medium
Confidence: 94%
Finding
The documentation says only five write actions are supported, but elsewhere the skill advertises additional mutating operations such as quote edits, customer creation, worknotes, QC attachment/judgment, and activity completion/rescheduling. This inconsistency can mislead reviewers and downstream agents about what the skill is allowed to modify, increasing the chance of unintended or insufficiently confirmed state changes.

Context-Inappropriate Capability

Medium
Confidence: 92%
Finding
The reference file documents callable backend capabilities far beyond the core furniture-manufacturing workflows, including WeCom messaging, approval submission, marketing sync, customer autofill, and serial-number generation. In an agent skill, exposing adjacent privileged RPC actions expands the effective tool surface and creates a realistic risk that the agent could be prompted into performing unauthorized actions unrelated to the user’s manufacturing request.

Description-Behavior Mismatch

Medium
Confidence: 90%
Finding
These documented backend actions exceed the manifest’s operational scope and implicitly grant the agent knowledge of privileged business operations such as external messaging and approval workflows. That mismatch is dangerous because users may trigger sensitive side effects through natural-language requests, while operators assume the skill is limited to manufacturing tasks.

Intent-Code Divergence

Medium
Confidence: 98%
Finding
This is a true authorization/integrity flaw. The CLI advertises `undo-note` as only deleting notes created by this tool, but `cmd_undo_note` performs a direct lookup by `mail.message` ID and unconditionally calls `unlink` without verifying the message origin, subtype, author, or any tool-specific marker. In this manufacturing/Odoo context, an operator who can run the skill could delete arbitrary business communications by guessing or obtaining message IDs, undermining audit trails and coordination records.

Intent-Code Divergence

Medium
Confidence: 95%
Finding
The module docstring states P0 is read-only, but the client exposes create, write, unlink, and arbitrary call primitives with no built-in restriction. In an agent setting, other scripts or prompt-driven tool use can invoke these methods directly, bypassing the claimed operational safety model and enabling unintended data modification or deletion in the Odoo backend.

Description-Behavior Mismatch

Medium
Confidence: 97%
Finding
The skill metadata says write actions are confirm-gated, but this file exposes raw mutating RPC methods that perform changes immediately and do not enforce preview/approval. In an LLM-agent workflow, this mismatch is dangerous because any caller that imports this client can trigger writes or deletes without the promised human confirmation, leading to unauthorized operational changes.

Vague Triggers

Medium
Confidence: 84%
Finding
The alias list includes broad, generic business phrases like '库存查询' (inventory query), '订单跟踪' (order tracking), '客户档案' (customer profile), and '今日总览' (today's overview) that overlap common support and manufacturing requests. In an agentic environment, overbroad triggers can invoke this high-capability skill unintentionally, exposing enterprise data or enabling write-path workflows in conversations that did not intend to target this system.

Missing User Warnings

Medium
Confidence: 84%
Finding
The documentation describes credentialed session authentication for report retrieval and also notes that sent messages can be deleted via unlink, but it does not emphasize the sensitivity or destructive nature of those operations. In an agent context, normalizing authenticated web access and deletion flows without prominent safeguards increases the chance of misuse, accidental destructive actions, or unsafe handling of credentials/session cookies.

Missing User Warnings

Medium
Confidence: 82%
Finding
The code persists the Odoo secret in plaintext within ~/.huo15/tools.md. Even with chmod 0600, plaintext-at-rest credentials increase exposure if the host is compromised, backups are shared, the file is accidentally copied, or permissions are ineffective on some platforms; this is especially sensitive because the credential grants ERP access and, in this codebase, potentially write/delete capability.

Missing User Warnings

Medium
Confidence: 92%
Finding
The script writes generated PDFs to a predictable local directory under /tmp and prints the filesystem path, but the interface does not clearly warn that customer or production documents will be persisted on disk. In this skill context, the documents may contain sensitive business data, and leaving them in a shared or long-lived temporary location can expose them to other local users, later processes, or accidental retention beyond the user’s expectation.

VirusTotal

65/65 vendors flagged this skill as clean.