clawreach-buy-plugin 虾淘

Security checks across malware telemetry and agentic risk

Overview

This appears to be a real marketplace automation plugin, but it needs Review because it can run background negotiations, store login tokens, mutate OpenClaw session state, and log/send account or contact data with incomplete disclosure.

Install only if you are comfortable letting this plugin connect to ClawReach/虾淘 services, keep login tokens locally, log transaction-related data, receive background WebSocket events, and automatically negotiate within configured limits. Review or disable autoReplyBargain if you do not want silent counteroffers, and clear ~/.openclaw/plugins/clawreach-buy if you later want to remove stored account state and logs.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • Trigger Abuse: Overly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • MCP Tool Poisoning: Hidden Instructions, Unicode Deception, Parameter Description Injection
Findings (52)

Intent-Code Divergence

Medium
Confidence
90% confidence
Finding
The comment at L07220-L07223 states the lowball path 'always returns false' and 'does not intercept event delivery'. However, the caller at L07299-L07303 checks the return value and would stop processing when it is truthy, creating an active contradiction between the documented intent and the implemented control flow contract. Even if the current implementation returns false today, the surrounding code treats it as a blocking decision point.

Intent-Code Divergence

Medium
Confidence
83% confidence
Finding
The generated instruction text at L10398-L10405 explicitly tells the agent that the code has already been sent and it must not call the tool again to send it. But the skill still exposes and relies on `clawreach_register_or_login` for sending codes when called without a code (L08599-L08639), so the embedded operational instruction can contradict actual behavior available in the same skill. This is an intent/documentation divergence that could mislead the agent's next action.

Intent-Code Divergence

Medium
Confidence
91% confidence
Finding
The embedded onboarding text explicitly instructs the agent not to mention '绑定 AI 助手' or '绑定 OpenClaw' as if those capabilities do not exist. However, the same source bundle includes code that reads OpenClaw root config, mutates plugin settings, clears session prompt caches, and recovers runtime/session state for OpenClaw integration, showing the plugin is actively coupled to OpenClaw binding/runtime behavior.

Context-Inappropriate Capability

Medium
Confidence
84% confidence
Finding
With no manifest purpose available, the code still reads and writes local files under the user's home directory, loads ~/.openclaw/openclaw.json, persists auth tokens and pending deliveries, and rewrites runtime/session configuration state. These are powerful host-environment capabilities that are not justified by any declared skill purpose in the provided context.

Context-Inappropriate Capability

Medium
Confidence
87% confidence
Finding
The code communicates extensively with remote services: REST API calls, websocket connections, token refresh, magic-login issuance, and image uploads to a remote backend. In the absence of a manifest-defined purpose, these externally connected account-management and data-transfer capabilities are unjustified relative to the unknown scope.

Context-Inappropriate Capability

Medium
Confidence
84% confidence
Finding
Because no manifest is available, the skill's intended purpose is unknown. This file explicitly instructs the agent to hide a failed `clawreach_get_bargain` call from the user and continue operating, which is a consequential behavioral policy rather than an obvious implementation detail of an unspecified skill purpose.

Missing User Warnings

Medium
Confidence
89% confidence
Finding
This markdown file describes binding a 虾淘 account and later exchanging 联系方式 (contact details), which affects user privacy and account data. The README explains the features but does not provide an explicit user warning about sharing account-related information and contact details with the plugin/service.

Missing User Warnings

Medium
Confidence
92% confidence
Finding
The document states that the plugin will handle bargaining according to the user's 底价策略 (floor-price strategy) and automatically reject low offers. Because this can affect transactions and user outcomes, the markdown should explicitly warn users that negotiation actions may occur automatically once enabled or configured.

Missing User Warnings

Medium
Confidence
95% confidence
Finding
The code writes authentication state, including bearer/refresh tokens and user email, to a local file under the user's home directory via `flush()` and `setAuth()`. While this persistence may be functional, there is no nearby user-facing prompt, log, comment, or docstring warning that credentials and account data will be stored on disk.

Missing User Warnings

Medium
Confidence
97% confidence
Finding
The plugin appends structured logs to `events.jsonl`, including tool arguments, error content, and later event/message payloads, and stores them under the user's home directory. This is a file write involving potentially sensitive conversational and account-linked data, but the code provides no user-facing warning that such data is being logged locally.

Missing User Warnings

Medium
Confidence
91% confidence
Finding
`apiRequest()` sends HTTP requests to the remote API with bearer tokens and JSON payloads, and many callers transmit email addresses, contact details, and bargaining data. The file lacks any user-facing disclosure, prompt, or explanatory comment warning that personal/account data will be transmitted to remote services.

Missing User Warnings

Medium
Confidence
90% confidence
Finding
The WebSocket URL is constructed with `?token=...` and then used to connect to the remote service, which transmits authentication material over the network and may also surface in logs or intermediaries. There is no in-file user warning that a persistent authenticated WebSocket session will be established using the stored token.

Natural-Language Policy Violations

Medium
Confidence
98% confidence
Finding
The onboarding instruction block explicitly tells the agent to say fixed Chinese text to the user and forbids modification, with no mechanism to respect the user's language preference. This is a locale/language policy issue because the skill enforces a specific language rather than offering choice or documenting a justified locale restriction.

Natural-Language Policy Violations

Medium
Confidence
96% confidence
Finding
The startup notification instructs the agent to directly tell the user a fixed Chinese message and forbids adding other content. Because it does not provide language selection or opt-in, it forces a Chinese-language interaction regardless of user preference.

Natural-Language Policy Violations

Medium
Confidence
92% confidence
Finding
This source map embeds multiple natural-language instructions and user-facing strings in Chinese, including explicit directives such as '直接对用户说' and fixed Chinese response templates from the bundled plugin sources. Because the file contains no indication of user language choice or opt-in, this enforces a specific language/locale policy across user-visible behavior.

Missing User Warnings

Medium
Confidence
87% confidence
Finding
This manifest describes the plugin as automatically listing, sourcing, bargaining, and completing trades, and also notes automatic gateway restart post-install. For a manifest file, SQP-2 applies via the markdown branch only, so the key issue here is the lack of any explicit warning to users about potentially impactful autonomous marketplace actions and account-binding behavior despite describing actions that could affect user data and transactions.

Natural-Language Policy Violations

Low
Confidence
93% confidence
Finding
The user-facing name, description, and post-install notes are presented solely in Chinese, which imposes a locale/language choice without offering an alternative or obtaining user opt-in. Under the policy rule, forcing a specific language is a natural-language policy concern unless the skill is explicitly documented as region-specific or provides language choice.

Natural-Language Policy Violations

Low
Confidence
83% confidence
Finding
The manifest description is written entirely in Chinese and does not indicate that the plugin is intended only for a Chinese-speaking or region-specific audience, nor does it offer any language choice. Under the policy criteria, forcing a specific language without user opt-in can be a natural-language policy violation.

Vague Triggers

Medium
Confidence
96% confidence
Finding
This markdown file says users can send "the content I want to register" without defining what kinds of content are in scope, how the skill is triggered, or any exclusions. That phrasing is broad enough to overlap with ordinary contact-related conversation and does not provide clear trigger boundaries or negative examples.

Natural-Language Policy Violations

Medium
Confidence
95% confidence
Finding
The description is written as a prescriptive Chinese-only behavior statement for the skill, and the rest of the file consistently instructs the agent in Chinese with no opt-in or alternative language handling. Under the policy, forcing a specific language without user choice is a natural-language policy violation unless the locale restriction is explicitly justified.

Natural-Language Policy Violations

Medium
Confidence
95% confidence
Finding
The file consistently mandates Chinese-language interaction and references fixed Chinese phrasing for user-visible content. There is no indication that the user can choose another language or that the locale restriction is explicitly justified as a region-specific requirement.

Vague Triggers

Medium
Confidence
91% confidence
Finding
This markdown line says users can send 'the content I want to register' without specifying exact trigger phrases, scope, or boundaries for when the skill should activate. The phrasing is broad and could overlap with ordinary conversation, making unintended invocation more likely.

Missing User Warnings

Medium
Confidence
86% confidence
Finding
This markdown file describes state-changing operations: saving a product draft and later submitting it for review. While it requires final confirmation before submission, it does not explicitly disclose to the user that choosing price or editing fields updates persisted draft data on the platform, which is a user-data-affecting operation.

Natural-Language Policy Violations

Medium
Confidence
79% confidence
Finding
The document is entirely in Chinese and includes a fixed required confirmation phrase in Chinese ("确认上架"), but does not indicate that the user may choose another language. Per the policy, forcing a specific language without user opt-in is a natural-language policy concern unless the locale restriction is explicitly documented and justified.

Natural-Language Policy Violations

Medium
Confidence
95% confidence
Finding
The instruction text requires the agent to respond in Chinese and in a colloquial style, but there is no indication that the user selected Chinese or that the skill is limited to a Chinese-language context. This creates a natural-language policy issue because it imposes a specific language/locale without opt-in.

VirusTotal

55/55 vendors flagged this plugin as clean.
