kuaidi100-logistics

The skill provides logistics tracking via the Kuaidi100 API (api.kuaidi100.com) but contains shell injection vulnerabilities. In SKILL.md, the instructions for tools like 'query_trace' and 'auto_number' direct the agent to execute curl commands where user-provided variables (e.g., kuaidiNum) are interpolated directly into a bash string, which could lead to arbitrary command execution if the input is not properly sanitized.