Back to skill

Security audit

中文快递查询

Security checks across malware telemetry and agentic risk

Overview

This is a simple Chinese package-tracking skill with privacy and completeness caveats, but no evidence of hidden, destructive, persistent, or credential-stealing behavior.

Install only if you are comfortable using a third-party logistics lookup for package tracking. Do not submit tracking numbers or phone-number fragments for shipments you are not authorized to check, and verify that any referenced helper script is actually present and reviewed before allowing an agent to run it.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
  • Trigger AbuseOverly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • Prompt InjectionInstruction Override, Hidden Instructions, Exfiltration Commands
  • Privilege EscalationExcessive Permissions, Sudo/Root Execution, Credential Access
  • Supply ChainUnpinned Dependencies, External Script Fetching, Obfuscated Code
Findings (3)

Vague Triggers

Medium
Confidence
96% confidence
Finding
The phrase 'Use for ANY Chinese express tracking requests' instructs maximal invocation scope and bypasses normal caution about ambiguous requests. This makes accidental activation more likely and increases the risk that user-provided package identifiers are sent to a third-party logistics site in situations where a clarifying question should have been asked first.

Vague Triggers

Medium
Confidence
96% confidence
Finding
The phrase 'Use for ANY Chinese express tracking requests' instructs maximal invocation scope and bypasses normal caution about ambiguous requests. This makes accidental activation more likely and increases the risk that user-provided package identifiers are sent to a third-party logistics site in situations where a clarifying question should have been asked first.

Missing User Warnings

Medium
Confidence
95% confidence
Finding
The skill states that data comes from kuaidi100.com but does not warn users that their tracking number will be transmitted to a third-party service. Tracking numbers can reveal delivery status, merchant relationships, approximate location history, and sometimes personal shipment context, so silent disclosure creates a privacy risk.

VirusTotal

62/62 vendors flagged this skill as clean.

View on VirusTotal

Static analysis

No suspicious patterns detected.