Security audit

中文快递追踪 (Chinese courier tracking)

Security checks across malware telemetry and agentic risk

Overview

This courier-tracking skill is coherent: it queries kuaidi100 and keeps a small local tracking list, both of which are disclosed and aligned with its purpose.

Install only if you are comfortable sending parcel tracking numbers to kuaidi100 for lookup and keeping saved tracking numbers/statuses in a local JSON file. Use the documented delete or clear commands, or remove the JSON file, if you do not want retained shipment history.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Trigger Abuse: Overly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • MCP Least Privilege: Underdeclared Capability, Wildcard Permission, Missing Permission Declaration
  • MCP Tool Poisoning: Hidden Instructions, Unicode Deception, Parameter Description Injection
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
Findings (9)

Lp3

Medium
Category
MCP Least Privilege
Confidence
95% confidence
Finding
The skill documentation describes network access to a third-party logistics API and local persistence of tracking data, but no corresponding permissions are declared. This weakens user consent and platform enforcement, because the skill can transmit tracking numbers externally and write sensitive shipment metadata locally without an explicit permission boundary.

Tp4

High
Category
MCP Tool Poisoning
Confidence
91% confidence
Finding
The stated purpose focuses on querying shipment status, but the skill also maintains a persistent tracking database with add/list/delete/clear operations and cached status history. This mismatch matters because users may expect a transient lookup tool, not ongoing local retention of package identifiers and delivery status, which can reveal purchasing activity and personal logistics patterns.

Description-Behavior Mismatch

Medium
Confidence
95% confidence
Finding
The skill stores tracking numbers and shipment status in a local file under the user's home directory, which goes beyond the stated real-time lookup behavior in the manifest. Tracking numbers and delivery status can reveal sensitive personal activity, and undisclosed retention increases privacy risk if the host or local account is shared or later compromised.

Description-Behavior Mismatch

Medium
Confidence
92% confidence
Finding
The code implements add/list/delete/clear saved-tracking workflows that are not reflected in the manifest description, so users may not expect their shipment data to be retained and managed over time. This mismatch creates a transparency and consent problem around storage of potentially sensitive logistics information.

Vague Triggers

Medium
Confidence
83% confidence
Finding
Broad trigger phrases such as '快递', '物流', and '单号' can cause accidental activation during ordinary conversation. In this skill's context, unintended invocation could lead to tracking-number processing, local storage updates, or external API queries without the user meaning to use the tool.

Missing User Warnings

Medium
Confidence
93% confidence
Finding
The documentation mentions a local JSON storage path but does not clearly warn users that tracking numbers and recent logistics status will be persistently stored. Shipment identifiers and status history can be sensitive, as they may reveal commerce activity, addresses, timing, or personal associations on shared devices.

Missing User Warnings

Medium
Confidence
94% confidence
Finding
The skill states that it uses the 快递100 external query interface but does not explicitly warn that users' tracking numbers will be transmitted to a third-party service. Tracking numbers are sensitive identifiers, and sending them off-device without clear notice can create privacy and data-sharing risks beyond what users expect from a simple assistant skill.

Missing User Warnings

Medium
Confidence
94% confidence
Finding
The skill sends user tracking numbers to kuaidi100, a third-party service, without any user-facing notice or consent flow in the code path. Tracking numbers may be personal data because they can expose merchants, shipment timing, and delivery status tied to a user's activity.

Missing User Warnings

Medium
Confidence
88% confidence
Finding
The clear-all command irreversibly deletes all stored tracking entries without confirmation, making accidental data loss likely from ambiguous or mistaken user input. While this is primarily an integrity/usability issue rather than a confidentiality breach, it can still harm users who rely on the saved list.

VirusTotal

67/67 vendors flagged this skill as clean.

Static analysis

No suspicious patterns detected.