Batch Courier Tracking Query - Kdniao (快递鸟)

Security checks across malware telemetry and agentic risk

Overview

This skill does the advertised courier-tracking lookup, but users should know it sends tracking numbers to Kdniao and uses a realistic-looking credential example.

Install only if you are comfortable sending shipment tracking numbers to Kdniao using your own Kdniao API credentials. Replace the sample credential with your own secret, do not publish real credentials in docs or logs, and avoid overriding the API URL unless you trust the destination, because your credentials are included in every request sent there.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Privilege Escalation: Excessive Permissions, Sudo/Root Execution, Credential Access
  • Supply Chain: Unpinned Dependencies, External Script Fetching, Obfuscated Code
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
Findings (2)

Missing User Warnings

Medium
Confidence: 91%
Finding
The skill requires sending user-provided tracking numbers to a third-party API and depends on API credentials, but the documentation does not clearly disclose this external data transfer or obtain user awareness/consent. This can create privacy and compliance risks, especially because shipment identifiers may reveal sensitive personal or commercial activity when transmitted to an external service.

Ssd 3

Medium
Confidence: 93%
Finding
The documentation includes a concrete-looking API credential example in its environment variable setup instructions. Even if intended only as a sample, publishing realistic secret material trains unsafe handling habits, may lead users to reuse the exposed value, and creates ambiguity about whether a real credential has been disclosed.

VirusTotal

65/65 vendors flagged this skill as clean.