Restaurant Crosscheck CN

Security checks across malware telemetry and agentic risk

Overview

This restaurant-checking skill is mostly transparent about scraping, but it saves logged-in browser sessions and promotes anti-detection scraping techniques that users should review carefully.

Install only if you are comfortable logging into Dianping and Xiaohongshu through this tool, saving those browser sessions locally, and scraping sites that may restrict automation. Use a virtual environment, inspect setup.sh first, consider separate accounts, avoid shared machines, review platform terms, and delete ~/.local/share/restaurant-crosscheck/sessions when you no longer need the saved logins.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Supply Chain: Unpinned Dependencies, External Script Fetching, Obfuscated Code
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • Trigger Abuse: Overly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • MCP Least Privilege: Underdeclared Capability, Wildcard Permission, Missing Permission Declaration
Findings (32)

Lp3

Medium
Category
MCP Least Privilege
Confidence
79% confidence
Finding
The skill documentation indicates capabilities that require network access, local file reads/writes, and likely browser/session persistence, yet no permissions are declared. This creates a transparency and consent problem: a user or host system may invoke a skill expecting simple recommendation logic, while it can access the network and store local artifacts such as session data or outputs.

Tp4

High
Category
MCP Tool Poisoning
Confidence
92% confidence
Finding
The declared purpose is a restaurant cross-checking tool, but the described behavior expands into live browser automation, manual login handling, persistent session storage, and writing data to the Downloads directory. That mismatch is dangerous because it obscures sensitive operations involving authenticated accounts and local data persistence, increasing the risk of credential exposure, privacy leakage, and user deception about what the skill actually does.

Description-Behavior Mismatch

Medium
Confidence
91% confidence
Finding
The implementation document describes a substantially broader capability set than simple restaurant recommendation cross-checking, including automated scraping, persistent sessions, and a one-click setup flow. This scope expansion is dangerous because it normalizes collection of authenticated live data and browser automation features that increase the attack surface and can hide undeclared behaviors from users and reviewers.

Context-Inappropriate Capability

Medium
Confidence
94% confidence
Finding
Persistent login/session management is a sensitive capability because saved cookies and localStorage tokens can grant ongoing authenticated access if exposed, copied, or misused. In a skill whose stated purpose is recommendation validation, retaining long-lived sessions is not clearly necessary and materially raises the risk of credential/session theft and account abuse.

Intent-Code Divergence

Medium
Confidence
97% confidence
Finding
The security section claims the skill does not handle sensitive information, yet the same document states it persists cookies and localStorage session state. This contradiction is dangerous because it can mislead users and reviewers into underestimating the sensitivity of stored authentication artifacts, reducing appropriate safeguards around session handling.

Description-Behavior Mismatch

Low
Confidence
95% confidence
Finding
The README explicitly advertises anti-detection behavior and persistent browser sessions, which are higher-risk capabilities because they facilitate stealthier scraping and longer-lived authenticated access. In an agent skill context, normalizing these features without clear safeguards can enable account misuse, reduce auditability, and encourage evasion of platform protections.

Description-Behavior Mismatch

Medium
Confidence
95% confidence
Finding
The guide explicitly states the current server version uses simulated data only, while the skill metadata claims it cross-references Xiaohongshu and Dianping to produce validated recommendations. This mismatch can mislead users or downstream agents into treating fabricated/demo output as trustworthy real-world intelligence, creating integrity and decision-making risk.

Intent-Code Divergence

Medium
Confidence
91% confidence
Finding
Early usage examples present the skill as if it automatically returns real restaurant recommendations through the integrated dialog flow, but later sections disclose that the current version only emits simulated data and is not suitable for actual decisions. That inconsistency is a security-relevant deception/integrity issue because agents may invoke and rely on output under false assumptions of authenticity.

Intent-Code Divergence

Medium
Confidence
97% confidence
Finding
The skill is described as an automated cross-platform validation tool, but this file states the functionality depends on scraping sources that prohibit such access and restrict use to personal research. This creates a real trust and compliance risk: users may deploy the skill in operational or commercial settings under false assumptions, leading to policy violations, account blocks, or legal exposure.

Context-Inappropriate Capability

Medium
Confidence
95% confidence
Finding
The documentation explicitly recommends rotating residential proxies to sustain access to a platform that employs anti-scraping controls. That is an evasion technique aimed at bypassing platform restrictions, which materially increases the risk of abusive collection, account or IP bans, and legal or contractual violations beyond the stated restaurant-validation purpose.

Context-Inappropriate Capability

Medium
Confidence
93% confidence
Finding
Requiring logged-in cookies and periodic re-authentication for Xiaohongshu gives the skill access to authenticated sessions that are not necessary for a simple recommendation cross-check. This expands the capability surface to include session handling and potential misuse of user accounts, increasing privacy, security, and terms-of-service risks.

Context-Inappropriate Capability

High
Confidence
98% confidence
Finding
The documented anti-detection measures—human-like delays, rotating user agents, cookie jars, and related scraping evasions—are not merely implementation details; they describe techniques for defeating platform defenses. In the context of a restaurant recommendation skill, these capabilities are unjustified and make the skill more dangerous because they operationalize stealthy unauthorized data collection.

Context-Inappropriate Capability

Medium
Confidence
94% confidence
Finding
The code launches a persistent Playwright browser context rooted at DIANPING_SESSION, which stores cookies, local storage, and other session artifacts on disk. For a restaurant review cross-check skill, retaining browser state is not necessary for the stated purpose and expands the skill's ability to preserve authentication state or user browsing data beyond a single run.

Context-Inappropriate Capability

Medium
Confidence
91% confidence
Finding
On failure, the scraper writes a screenshot to ~/Downloads/dianping_debug.png, creating an unrelated local-file side effect for a read-oriented scraping task. Screenshots can capture page contents, logged-in state, or other sensitive on-screen data, and writing into a user-facing directory increases exposure and surprise.

Vague Triggers

Medium
Confidence
92% confidence
Finding
The documented auto-trigger rules are broad enough to match many ordinary food or location queries, which can cause the skill to run unexpectedly. In an agent environment, over-broad triggering increases the attack surface by causing unnecessary external data access, unintended tool invocation, and possible leakage of user context to the skill when the user did not explicitly request cross-platform review aggregation.

Missing User Warnings

Medium
Confidence
95% confidence
Finding
The guide instructs users to authenticate with a long-lived API token directly on a server but provides no warning about secure token handling, shell history exposure, process-list leakage, or least-privilege practices. In a publishing workflow, this can lead to credential disclosure and unauthorized publishing or account compromise if the token is exposed on shared infrastructure.

Missing User Warnings

Medium
Confidence
95% confidence
Finding
The quickstart instructs users to log into Dianping and Xiaohongshu and states that login state will be saved for 1–2 weeks, but it does not warn that authenticated session artifacts may grant account access to anyone who can read those files. In a skill that automates browser-based scraping, locally stored cookies/tokens are sensitive secrets; omitting storage location, protection expectations, and sharing risks can lead to accidental credential/session exposure.

Missing User Warnings

Medium
Confidence
96% confidence
Finding
The README instructs users to log into two third-party platforms and states that sessions are automatically saved for 7 days, but provides no warning about where tokens/cookies are stored, how they are protected, or the privacy/account compromise risks. Persisted authenticated sessions are sensitive secrets; if stored insecurely or reused by an agent, they can allow unauthorized access, account takeover-like abuse, or unintended cross-user data exposure.

Missing User Warnings

Medium
Confidence
97% confidence
Finding
Promoting anti-detection scraping without any warning about privacy, account suspension, or platform-abuse risks is dangerous because it encourages evasive automation against third-party services. In this skill's context, the combination of visible-browser automation, persisted sessions, and anti-detection framing makes misuse more plausible and raises the likelihood of stealthy unauthorized or policy-violating collection.

Vague Triggers

Medium
Confidence
77% confidence
Finding
The suggested trigger phrases are broad everyday restaurant queries that can overlap with normal conversation, increasing the chance the skill is auto-invoked unexpectedly. In an agent system, overly broad routing can cause unintended tool execution, misleading output, or unneeded data processing, especially here because the tool may return simulated results presented as recommendations.

Missing User Warnings

Medium
Confidence
86% confidence
Finding
The markdown instructs use of scraping with authentication cookies and discusses anti-scraping measures, but provides no warning about handling authenticated account data or the privacy implications of collecting and storing session material. In context, this is risky because cookies and session state can grant account access, and users are not informed about retention, storage location, or exposure risks.

Missing User Warnings

Medium
Confidence
85% confidence
Finding
The code launches a persistent Playwright browser context using a stored session directory, which reuses authenticated cookies and other browser state for scraping. In an agent skill context, this creates privacy and consent risks because the skill can act with a retained logged-in session without any visible disclosure, user confirmation, or scope restriction, potentially exposing account data or performing actions under that identity if the target site behavior changes.

Unpinned Dependencies

Low
Category
Supply Chain
Content
playwright>=1.40.0
thefuzz>=0.20.0
Confidence
93% confidence
Finding
playwright>=1.40.0

Unpinned Dependencies

Low
Category
Supply Chain
Content
playwright>=1.40.0
thefuzz>=0.20.0
Confidence
92% confidence
Finding
thefuzz>=0.20.0

Unpinned Dependencies

Low
Category
Supply Chain
Content
# Restaurant Review Cross-Check Skill Dependencies

# Web scraping
requests>=2.31.0
beautifulsoup4>=4.12.0
lxml>=4.9.0
Confidence
96% confidence
Finding
requests>=2.31.0

VirusTotal

65/65 vendors flagged this skill as clean.