Security audit

节假日安排查询 - 聚合数据

Security checks across malware telemetry and agentic risk

Overview

This holiday-query skill does what it claims, but it handles the required API key in ways that could expose it.

Install only if you are comfortable using a Juhe API key with this script. Prefer a protected environment variable, avoid command-line key passing, do not commit scripts/.env, and check whether Juhe supports an HTTPS version of the endpoint before using the included script.

SkillSpector

By NVIDIA

Vulnerability Patterns

Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
Privilege EscalationExcessive Permissions, Sudo/Root Execution, Credential Access
Prompt InjectionInstruction Override, Hidden Instructions, Exfiltration Commands
Supply ChainUnpinned Dependencies, External Script Fetching, Obfuscated Code
Excessive AgencyUnrestricted Tool Access, Autonomous Decision Making, Scope Creep

Findings (3)

Missing User Warnings

Medium

Confidence: 99% confidence
Finding: The script hardcodes the API endpoint as plain HTTP and includes the API key in the query string, so the credential and request data are exposed to interception or modification by any network observer or intermediary. In the context of an agent skill, this is more dangerous because users may supply a reusable API credential and expect the integration to handle it safely, but the skill silently transmits it insecurely.

Credential Access

High

Category: Privilege Escalation
Content: # 方式一：环境变量（推荐，一次配置永久生效） export JUHE_DATE_HOLIDAY_KEY=你的 AppKey # 方式二：.env 文件（在脚本目录创建） echo "JUHE_DATE_HOLIDAY_KEY=你的 AppKey" > scripts/.env # 方式三：每次命令行传入
Confidence: 86% confidence
Finding: .env

Credential Access

High

Category: Privilege Escalation
Content: export JUHE_DATE_HOLIDAY_KEY=你的 AppKey # 方式二：.env 文件（在脚本目录创建） echo "JUHE_DATE_HOLIDAY_KEY=你的 AppKey" > scripts/.env # 方式三：每次命令行传入 python scripts/holiday_query.py --key 你的 AppKey --date 2025-05-01
Confidence: 84% confidence
Finding: .env

VirusTotal

54/54 vendors flagged this skill as clean.

View on VirusTotal

Static analysis

No suspicious patterns detected.