Security audit

Bank Card Type and Authenticity Lookup - Jike Data (即刻数据)

Security checks across malware telemetry and agentic risk

Overview

The skill appears to perform the advertised bank-card lookup, but it sends sensitive card data and an API key to an external service with under-disclosed controls.

Install only if you trust jikeapi.cn and are comfortable sending bank card numbers and the AppKey to that service. Prefer BIN-only or test values when possible, avoid exposing full card numbers in output, keep the API key low-privilege and rotatable, and do not set JIKE_API_BASE_URL unless you intentionally want to change the API destination.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Taint Tracking: Direct Taint Flow, Variable-Mediated Taint Flow, Credential Exfiltration Chain
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Privilege Escalation: Excessive Permissions, Sudo/Root Execution, Credential Access
  • Supply Chain: Unpinned Dependencies, External Script Fetching, Obfuscated Code
Findings (3)

Tainted flow: 'url' from os.environ.get (line 202, credential/environment) → urllib.request.urlopen (network output)

Critical
Category
Data Flow
Content
"""
    url = f"{API_BASE_URL}{API_PATH_MAP[command]}?{urllib.parse.urlencode({**params, 'appkey': appkey})}"
    try:
        with urllib.request.urlopen(url, timeout=15) as response:
            return json.loads(response.read().decode("utf-8"))
    except urllib.error.HTTPError as exc:
        return {"code": exc.code, "message": f"接口请求失败: HTTP {exc.code}", "data": ""}
Confidence
95% confidence
Finding
with urllib.request.urlopen(url, timeout=15) as response:

Missing User Warnings

Medium
Confidence
95% confidence
Finding
This skill asks users to submit full bank card numbers and states that data is provided by a third-party service, but it does not clearly warn that the entered card number will be transmitted to that external API. Bank card numbers are sensitive financial data, so users and calling agents may unknowingly disclose regulated or private information to a third party.

Missing User Warnings

Medium
Confidence
80% confidence
Finding
The skill sends full bank card numbers to a third-party API as part of normal operation, but the code provides no explicit runtime notice or consent check before transmission. Because bank card numbers are sensitive financial data, silent transmission to an external service increases privacy, compliance, and data-handling risk even though the feature is intentional.

VirusTotal

66/66 vendors flagged this skill as clean.

Static analysis

No suspicious patterns detected.