China Express Query

Security checks across malware telemetry and agentic risk

Overview

This courier-tracking skill is mostly purpose-aligned, but it can silently show fabricated tracking-like results when real lookups fail.

Install only if you are comfortable sending tracking numbers to Kuaidi100 and Baidu. Do not rely on a successful-looking result unless the maintainer fixes or clearly labels the fallback behavior, because failures may be displayed as if tracking information exists.

SkillSpector

By NVIDIA

Vulnerability Patterns

Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
Prompt InjectionInstruction Override, Hidden Instructions, Exfiltration Commands
Privilege EscalationExcessive Permissions, Sudo/Root Execution, Credential Access
Supply ChainUnpinned Dependencies, External Script Fetching, Obfuscated Code
Excessive AgencyUnrestricted Tool Access, Autonomous Decision Making, Scope Creep

Findings (1)

Missing User Warnings

Medium

Confidence: 96% confidence
Finding: The script transmits user-supplied tracking numbers to external services (kuaidi100.com and a Baidu backup endpoint) without any explicit consent, warning, or privacy notice. Tracking numbers can reveal shipment activity and may be linkable to an individual's purchases, address, or identity, so silent third-party transmission creates a real privacy and data-handling risk.

VirusTotal

66/66 vendors flagged this skill as clean.

View on VirusTotal