Security audit

中文快递查询(免api)

Security checks across malware telemetry and agentic risk

Overview

This is a straightforward Chinese package-tracking helper that shares tracking numbers with Kuaidi100 to perform the lookup.

Install only if you are comfortable sending package tracking numbers, and possibly a phone-number last-four suffix for some SF lookups, to Kuaidi100. Use it for explicit Chinese courier tracking requests and avoid providing extra personal details unless the carrier lookup requires them.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Supply Chain: Unpinned Dependencies, External Script Fetching, Obfuscated Code
  • Trigger Abuse: Overly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Privilege Escalation: Excessive Permissions, Sudo/Root Execution, Credential Access
Findings (3)

Vague Triggers

Medium
Confidence: 85%
Finding
The trigger language is very broad, including generic phrases like '帮我查个快递', '快递到哪了', '查一下物流', and 'Use for ANY Chinese express tracking requests.' Overbroad routing can cause the skill to activate in situations where the user did not clearly intend to invoke it, increasing the chance of unnecessary disclosure of tracking numbers or misrouting user requests to a networked tool.

Natural-Language Policy Violations

Medium
Confidence: 73%
Finding
The skill is documented entirely as a Chinese express-tracking tool and frames usage in Chinese without indicating that language preference should be derived from the user or that output language is optional. This can lead to poor consent and usability outcomes, especially if the system routes non-Chinese-speaking users into a skill that responds or prompts in Chinese by default.

Missing User Warnings

Medium
Confidence: 94%
Finding
The script sends the user's tracking number to kuaidi100.com over the network without any explicit notice, consent flow, or privacy warning. Tracking numbers can be sensitive because they may reveal purchase activity, address-linked shipment status, and other personal logistics metadata to a third party outside the agent's control.

VirusTotal

63/63 vendors flagged this skill as clean.

Static analysis

No suspicious patterns detected.