Back to skill

Security audit

星座查询 - 即刻数据

Security checks across malware telemetry and agentic risk

Overview

This skill is a straightforward zodiac lookup that sends the requested sign and a Jike API key to the disclosed Jike API, with a caution about an optional API host override.

Install only if you are comfortable sending zodiac lookup terms and a Jike AppKey to Jike's API. Prefer a dedicated AppKey, avoid passing the key via --key where shell history may capture it, and leave JIKE_API_BASE_URL unset unless you intentionally point it to a trusted compatible endpoint.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
  • Taint TrackingDirect Taint Flow, Variable-Mediated Taint Flow, Credential Exfiltration Chain
  • Prompt InjectionInstruction Override, Hidden Instructions, Exfiltration Commands
  • Privilege EscalationExcessive Permissions, Sudo/Root Execution, Credential Access
  • Supply ChainUnpinned Dependencies, External Script Fetching, Obfuscated Code
Findings (2)

Tainted flow: 'url' from os.environ.get (line 139, credential/environment) → urllib.request.urlopen (network output)

Critical
Category
Data Flow
Content
"""
    url = f"{API_BASE_URL}{API_PATH}?{urllib.parse.urlencode({**params, 'appkey': appkey})}"
    try:
        with urllib.request.urlopen(url, timeout=15) as response:
            return json.loads(response.read().decode("utf-8"))
    except urllib.error.HTTPError as exc:
        return {"code": exc.code, "message": f"接口请求失败: HTTP {exc.code}", "data": ""}
Confidence
94% confidence
Finding
with urllib.request.urlopen(url, timeout=15) as response:

External Transmission

Medium
Category
Data Exfiltration
Content
直接调用 API:

```text
GET https://api.jikeapi.cn/v1/zodiac_sign?name=双鱼座&appkey=YOUR_APPKEY
```

## AI 使用步骤
Confidence
81% confidence
Finding
https://api.jikeapi.cn/

VirusTotal

66/66 vendors flagged this skill as clean.

View on VirusTotal

Static analysis

No suspicious patterns detected.