Batch Express Delivery Tracking API - Kdniao

Security checks across malware telemetry and agentic risk

Overview

The skill is a coherent shipment-tracking helper, but it publishes real-looking Kdniao API credentials and only lightly discloses the third-party data sharing involved.

Review before installing. Use your own Kdniao credentials, do not copy the example values, and treat any exposed example key as potentially compromised. Only run lookups when you are comfortable sending the tracking number and request data to Kdniao's external API.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Privilege Escalation: Excessive Permissions, Sudo/Root Execution, Credential Access
  • Supply Chain: Unpinned Dependencies, External Script Fetching, Obfuscated Code
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
Findings (2)

Missing User Warnings

Severity: Medium
Confidence: 91%
Finding:
The skill handles tracking numbers and explicitly uses a third-party logistics API, but the documentation does not clearly warn that user-supplied shipment identifiers and related query data will be transmitted off-platform. This creates a privacy and transparency risk because users may not realize their data is being shared with an external service.

Ssd 3

Severity: High
Confidence: 98%
Finding:
The documentation exposes real-looking API credentials in example commands, which can lead to unauthorized use of the associated third-party account if the values are valid or mistakenly reused. Even if they are placeholders, publishing realistic secrets normalizes unsafe handling and increases the chance that operators will copy sensitive values into docs or logs.

VirusTotal

VirusTotal findings are pending for this skill version.
