Security audit

成语词典 - 即刻数据

Security checks across malware telemetry and agentic risk

Overview

This is a straightforward Chinese idiom dictionary skill that calls the disclosed JikeAPI service with a user-provided API key.

Install only if you trust JikeAPI and are comfortable sending idiom queries plus your JikeAPI AppKey to that service. Do not set JIKE_API_BASE_URL unless you intentionally want to redirect traffic to a trusted endpoint.

SkillSpector

By NVIDIA

Vulnerability Patterns

Taint TrackingDirect Taint Flow, Variable-Mediated Taint Flow, Credential Exfiltration Chain
Prompt InjectionInstruction Override, Hidden Instructions, Exfiltration Commands
Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
Privilege EscalationExcessive Permissions, Sudo/Root Execution, Credential Access
Supply ChainUnpinned Dependencies, External Script Fetching, Obfuscated Code

Findings (1)

Tainted flow: 'url' from os.environ.get (line 241, credential/environment) → urllib.request.urlopen (network output)

Critical

Category: Data Flow
Content: """ url = f"{API_BASE_URL}{API_PATH_MAP[command]}?{urllib.parse.urlencode({**params, 'appkey': appkey})}" try: with urllib.request.urlopen(url, timeout=15) as response: return json.loads(response.read().decode("utf-8")) except urllib.error.HTTPError as exc: return {"code": exc.code, "message": f"接口请求失败: HTTP {exc.code}", "data": ""}
Confidence: 91% confidence
Finding: with urllib.request.urlopen(url, timeout=15) as response:

VirusTotal

66/66 vendors flagged this skill as clean.

View on VirusTotal