Bijie Express Tracking

Security checks across malware telemetry and agentic risk

Overview

This is a coherent package-tracking skill that sends user-provided shipment details to BijieServ as expected for its stated purpose.

Install only if you are comfortable sending package tracking numbers, and possibly phone or route hints when a carrier requires them, to BijieServ. Provide the minimum details needed and review returned logistics text before sharing it because it can include location information.

SkillSpector

By NVIDIA

Vulnerability Patterns

Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
Prompt InjectionInstruction Override, Hidden Instructions, Exfiltration Commands
Privilege EscalationExcessive Permissions, Sudo/Root Execution, Credential Access
Supply ChainUnpinned Dependencies, External Script Fetching, Obfuscated Code
Excessive AgencyUnrestricted Tool Access, Autonomous Decision Making, Scope Creep

Findings (1)

Missing User Warnings

Medium

Confidence: 94% confidence
Finding: The code submits shipment metadata to a third-party service, including optional phone number and origin/destination address fields, but contains no consent flow, minimization guard, or disclosure mechanism. Because logistics data and partial contact/address information can be sensitive personal data, this creates a real privacy and data-sharing risk if users are unaware their information is being sent off-platform.

VirusTotal

64/64 vendors flagged this skill as clean.

View on VirusTotal