apihz-cn

Security checks across malware telemetry and agentic risk

Overview

This appears to be a real ApiHz API wrapper, but it can expose API credentials through insecure HTTP and query-string requests, so it needs review before use.

Review before installing. Use only HTTPS endpoints, avoid APIHZ_LIST_URL or APIHZ_BASE_URL values that start with http://, use a low-value or scoped ApiHz key, rotate any key shown in the test report or used with this version, and do not enable the cron check-in unless you accept recurring credentialed account requests. Avoid sending sensitive personal identifiers through this provider unless you have approved that data flow, and use the port-scan feature only on systems you are authorized to test.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • MCP Tool Poisoning: Hidden Instructions, Unicode Deception, Parameter Description Injection
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Privilege Escalation: Excessive Permissions, Sudo/Root Execution, Credential Access
Findings (18)

Tp4

High
Category
MCP Tool Poisoning
Confidence
87% confidence
Finding
The skill is presented as a general API access wrapper, but the documentation reveals additional behaviors such as local credential storage, account verification, API catalog syncing, and automated daily check-in. This mismatch matters because users may authorize or install the skill expecting simple API calls, while it also persists secrets and performs account actions that expand the trust boundary and attack surface.

Description-Behavior Mismatch

Medium
Confidence
89% confidence
Finding
The changelog documents functionality that materially exceeds a narrow 'API access' skill, including local credential encryption/storage and local cache persistence. Scope expansion like this increases the attack surface and can enable secret handling and persistent local state without that risk being clearly justified by the stated purpose, which is a security concern even if the features were added for convenience rather than abuse.

Context-Inappropriate Capability

Medium
Confidence
93% confidence
Finding
An automated check-in task is unrelated to the core purpose of querying APIs and introduces scheduled or repeatable external actions. Even if intended as an account convenience feature, automation can create opportunities for unauthorized background activity, credential misuse, persistence-like behavior, or abuse of the user's environment if enabled without very clear consent and boundaries.

Intent-Code Divergence

Medium
Confidence
78% confidence
Finding
The document claims credentials are protected with AES-256-GCM at rest, yet it also instructs users to store secrets in plaintext environment variables and plaintext credential files. Security claims that overstate protection can cause users to lower their guard and store valuable API secrets under false assumptions, increasing the risk of credential exposure from local compromise, backups, logs, or misconfigured file permissions.

Intent-Code Divergence

High
Confidence
99% confidence
Finding
The comments claim backup nodes are only used for non-sensitive queries, but multiple later code paths send id/key credentials to HTTP backup servers for account verification, API listing, dynamic parameter retrieval, and full API enumeration. This creates a clear confidentiality risk because credentials can be intercepted or modified in transit via man-in-the-middle attacks.

Description-Behavior Mismatch

Medium
Confidence
92% confidence
Finding
The client exposes active reconnaissance functions (`ping` and `portScan`) that go beyond the skill's marketed purpose of general enterprise utility APIs like weather, translation, and lookup services. Even if implemented as wrappers around a third-party API, these capabilities can be abused to probe internal or external infrastructure, making the skill materially more dangerous than its description suggests.

Context-Inappropriate Capability

High
Confidence
96% confidence
Finding
The `portScan` method provides direct access to port-scanning behavior with attacker-controlled target IPs and port ranges. In an agent context, this can be repurposed for unauthorized reconnaissance against third-party or internal hosts, which is a classic precursor to intrusion and is not justified by the stated utility-focused skill purpose.

Missing User Warnings

Medium
Confidence
87% confidence
Finding
The README instructs users to obtain a developer ID and key and use them with an external API endpoint, but it does not warn that these credentials are sensitive or that requests transmit user-supplied data to a third-party service. In an agent skill context, this omission can lead operators to unknowingly expose secrets or send potentially sensitive inputs off-platform without informed consent.

Missing User Warnings

High
Confidence
99% confidence
Finding
The report includes an API KEY value/credential fragment directly in the document, and later repeats a visible prefix of the key in test output. Even if described as encrypted at rest, exposing secrets in documentation materially increases the risk of credential theft, unauthorized API usage, quota exhaustion, and potential account compromise; the text asserting release readiness without a prominent warning makes this worse, not safer.

Missing User Warnings

Medium
Confidence
85% confidence
Finding
The document advertises automatic sign-in, credential reading, and large-scale API synchronization/network access, but does not provide a consolidated warning about account actions, outbound requests, rate usage, or user consent. In an agent skill context, this matters because users may trigger account-affecting and network-intensive behavior without understanding what data is accessed or what remote systems are contacted.

Missing User Warnings

High
Confidence
98% confidence
Finding
This script sends the account ID and API key in URL query strings and may fall back to plain HTTP backup endpoints. That exposes credentials to interception by network attackers and to leakage via logs, proxies, browser/history equivalents, or monitoring systems that record full URLs. In the context of an automated check-in skill that reads stored credentials from disk, this is especially dangerous because the secret is transmitted unattended on a schedule.

Missing User Warnings

High
Confidence
99% confidence
Finding
The code constructs URLs containing id and key query parameters against HTTP backup servers and even bypasses the safer request wrapper in getAllApis to force direct HTTP requests. Query-string credentials over cleartext transport are easily exposed to network observers, proxies, logs, and intermediaries, enabling credential theft and account misuse.

Missing User Warnings

Medium
Confidence
90% confidence
Finding
The initialization instructions explicitly tell users to place the API key in plaintext in a credentials file, while encryption only happens later if saveConfig is used. This creates an avoidable exposure window where secrets may be stored unencrypted on disk, copied into shell history/editor backups, or committed accidentally.

Missing User Warnings

Medium
Confidence
95% confidence
Finding
The API list endpoint is configurable and defaults to plain HTTP, while the generic request method always appends the client's id and key to all requests. That means credentials can be sent in cleartext to the API list/CDN endpoint or any overridden host, enabling interception or credential theft via network attackers or a malicious endpoint. The broader skill context increases risk because this client is explicitly designed to handle enterprise API credentials and also permits environment-variable override of the destination URL.

Missing User Warnings

Medium
Confidence
88% confidence
Finding
The generic request layer automatically sends API credentials along with user-supplied parameters to an external service, but the code shows no consent, disclosure, minimization, or safeguards around what data is transmitted. In agent deployments, users may not realize their inputs and the operator's credentials are being relayed to a third-party endpoint, creating privacy and trust risks.

Missing User Warnings

High
Confidence
95% confidence
Finding
The lookup methods for IP, phone number, and ID card transmit potentially sensitive personal data to an external API service without any visible warning, consent flow, or locality/privacy checks. This creates significant privacy and compliance risk because personal identifiers may be processed by a third party without user awareness or authorization.

External Transmission

Medium
Category
Data Exfiltration
Content
| Cluster IP | `http://101.35.2.25/api/...` | Fast; strict CC firewall | ⭐⭐ Backup |
| VIP line | `https://vip.apihz.cn/api/...` | Very high stability; lenient CC firewall | ⭐⭐⭐⭐ Enterprise |

**Get the best IP:** visit `https://api.apihz.cn/getapi.php` to get the current best IP address

**Example (weather API):**
```bash
Confidence
84% confidence
Finding
https://api.apihz.cn/

External Transmission

Medium
Category
Data Exfiltration
Content
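- 🟢 **Domain endpoint** (default): `https://cn.apihz.cn` - automatic distribution, moderate CC firewall
   - 🟢 **Cluster IP**: `http://101.35.2.25`, etc. - fast, strict CC firewall, updated regularly
   - 🟡 **VIP line**: `https://vip.apihz.cn` - very high stability, lenient CC firewall (purchase required)
   - 📖 **Get the best IP**: visit `https://api.apihz.cn/getapi.php` to get the current best IP

4. **Network transmission:**
   - ✅ The main API uses HTTPS encryption (`https://cn.apihz.cn`)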
Confidence
84% confidence
Finding
https://api.apihz.cn/

VirusTotal

63/63 vendors flagged this skill as clean.
