Back to skill

Security audit

国内猪肉价格实时查询 - 即刻数据

Security checks across malware telemetry and agentic risk

Overview

This skill appears to do what it says: it queries Jike’s pork-price API with a user-provided API key, with no hidden persistence or unrelated local access found.

Install only if you are comfortable giving this skill a Jike API key and sending pork-price lookup requests to Jike’s API. Use a dedicated low-privilege key if possible, avoid sharing logs or full URLs that contain appkey values, and do not set JIKE_API_BASE_URL unless you intentionally want to redirect requests to a trusted endpoint.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
  • Taint TrackingDirect Taint Flow, Variable-Mediated Taint Flow, Credential Exfiltration Chain
  • Prompt InjectionInstruction Override, Hidden Instructions, Exfiltration Commands
  • Privilege EscalationExcessive Permissions, Sudo/Root Execution, Credential Access
  • Supply ChainUnpinned Dependencies, External Script Fetching, Obfuscated Code
Findings (3)

Tainted flow: 'url' from os.environ.get (line 146, credential/environment) → urllib.request.urlopen (network output)

Critical
Category
Data Flow
Content
params["province"] = province
    url = f"{API_BASE_URL}{API_PATH}?{urllib.parse.urlencode(params)}"
    try:
        with urllib.request.urlopen(url, timeout=15) as response:
            return json.loads(response.read().decode("utf-8"))
    except urllib.error.HTTPError as exc:
        return {"code": exc.code, "message": f"接口请求失败: HTTP {exc.code}", "data": ""}
Confidence
89% confidence
Finding
with urllib.request.urlopen(url, timeout=15) as response:

Missing User Warnings

Medium
Confidence
97% confidence
Finding
The code places the AppKey in the URL query string, which is commonly logged by proxies, web servers, observability tooling, browser/history layers, and error messages. Even when HTTPS is used, query-string secrets have a higher chance of accidental disclosure than headers or request bodies.

External Transmission

Medium
Category
Data Exfiltration
Content
直接调用 API:

```text
GET https://api.jikeapi.cn/v1/pork/query?province=四川&appkey=YOUR_APPKEY
```

## AI 使用步骤
Confidence
78% confidence
Finding
https://api.jikeapi.cn/

VirusTotal

66/66 vendors flagged this skill as clean.

View on VirusTotal

Static analysis

No suspicious patterns detected.