Security audit

UAPI 查询 MC 服务器接口

Security checks across malware telemetry and agentic risk

Overview

This is a simple read-only Minecraft server status lookup skill with some overly broad routing keywords, but no hidden execution, persistence, or destructive behavior.

Install this if you want Minecraft server status lookups through uapis.cn. Be aware that the server address you ask about may be sent to that external service, and do not rely on this skill for Minecraft player lookup or name-history tasks.

SkillSpector

By NVIDIA

Vulnerability Patterns

Trigger AbuseOverly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
Prompt InjectionInstruction Override, Hidden Instructions, Exfiltration Commands
Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
Privilege EscalationExcessive Permissions, Sudo/Root Execution, Credential Access
Supply ChainUnpinned Dependencies, External Script Fetching, Obfuscated Code

Findings (3)

Vague Triggers

Medium

Confidence: 87% confidence
Finding: The skill description includes broad English triggers such as 'serverstatus', 'minecraft player lookup', and 'minecraft name history' even though the skill only wraps a single Minecraft server-status endpoint. This can cause incorrect routing to this skill for requests that target different functionality, leading the agent to call the wrong API, mishandle user intent, or expose unrelated data flows through unintended invocation.

Vague Triggers

Medium

Confidence: 93% confidence
Finding: The listed keyword set explicitly contains ambiguous triggers not specific to this endpoint, including generic terms like 'serverstatus' and unrelated intents like 'minecraft player lookup' and 'minecraft name history'. In an agent-routing context, such ambiguity increases the chance of unintended skill activation, causing incorrect API usage and potentially misleading results presented as authoritative.

Vague Triggers

Medium

Confidence: 91% confidence
Finding: The skill enables implicit invocation without defining narrow trigger constraints, so an agent may call this external API based on loose semantic matching rather than explicit user intent. In a benign read-only status lookup skill this is less severe than a mutating action, but it still increases the chance of unintended tool use, unnecessary external requests, and disclosure of user-provided server identifiers to a third-party service.

VirusTotal

64/64 vendors flagged this skill as clean.

View on VirusTotal

Static analysis

No suspicious patterns detected.