Back to skill

Security audit

海关企业贸易伙伴分布,通过企业 ID 获取海关数据中的合作伙伴结构,包括 HS 编码明细、产品分布和月度贸易日期,支持全球 220多个国家和地区的海关贸易数据。帮助外贸团队、采购代理和分析师发掘贸易伙伴、分析产品类别并绘制供应链关系图——非常适合合作伙伴识别、产品组合分析和贸易网络情报。

Security checks across malware telemetry and agentic risk

Overview

The skill’s main data-query purpose is clear, but it also handles API keys, account billing actions, and an undisclosed automatic version check with local persistence.

Install only if you are comfortable with this skill contacting upkuajing.com, using a paid API key, storing that key in ~/.upkuajing/.env, and offering account recharge/order helpers. Prefer manually provisioning the key, verify file permissions, and require explicit confirmation before any paid query or recharge action.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Privilege EscalationExcessive Permissions, Sudo/Root Execution, Credential Access
  • Supply ChainUnpinned Dependencies, External Script Fetching, Obfuscated Code
  • Excessive AgencyUnrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • MCP Least PrivilegeUnderdeclared Capability, Wildcard Permission, Missing Permission Declaration
  • MCP Tool PoisoningHidden Instructions, Unicode Deception, Parameter Description Injection
Findings (13)

Lp3

Medium
Category
MCP Least Privilege
Confidence
89% confidence
Finding
The skill declares no explicit permissions even though its documented behavior includes network access, reading and writing local files, and accessing environment-based secrets. This undermines least-privilege review and can cause users or orchestrators to authorize a skill without understanding that it can touch credentials and make external paid requests.

Tp4

High
Category
MCP Tool Poisoning
Confidence
93% confidence
Finding
The declared purpose is trade-partner analysis, but the skill also performs account management actions such as reading local API keys, applying for new keys, checking balances, creating recharge orders, fetching pricing, and doing remote version checks with local caching. This expands the trust boundary beyond data lookup into credential handling, billing, and local state changes, increasing the chance of unexpected external actions or charges.

Description-Behavior Mismatch

Medium
Confidence
94% confidence
Finding
The file implements API key issuance, account inspection, and payment-related functionality that is materially broader than the declared purpose of analyzing customs trade partner data. This increases attack surface and gives the skill financial/account-management capabilities that a user would not reasonably expect from the stated data-analysis context.

Context-Inappropriate Capability

Medium
Confidence
92% confidence
Finding
Creating recharge/payment orders is unrelated to the advertised customs partner analysis workflow and introduces monetization behavior into a data-analysis skill. If invoked unexpectedly, it can steer users into financial actions they did not intend, which is risky in an agent environment where tool scope should be narrow and predictable.

Context-Inappropriate Capability

Low
Confidence
84% confidence
Finding
Exposing account balance and platform pricing information is outside the stated trade-analysis purpose and reveals operational/account metadata not needed for the advertised task. While not immediately destructive, it broadens scope and may leak sensitive business information about account state and service usage.

Description-Behavior Mismatch

Medium
Confidence
90% confidence
Finding
The module performs outbound version checks and writes persistent cache data under the user's home directory, behavior that is unrelated to the advertised customs/trade analysis function. Even if intended as product maintenance, this creates an unnecessary network-capable side channel and local persistence surface that can disclose skill usage metadata, enable tracking, or expand the blast radius if the update endpoint is compromised.

Context-Inappropriate Capability

Medium
Confidence
86% confidence
Finding
A self-update/version-check capability is disproportionate to the stated purpose of analyzing customs partner statistics, so it represents hidden non-business functionality. Such capabilities are risky in agent skills because they normalize unsolicited network communication and can later be extended into code delivery, configuration manipulation, or user-environment fingerprinting.

Missing User Warnings

Low
Confidence
82% confidence
Finding
On HTTP errors, the code prints the full response body to stderr. If the upstream API includes sensitive business data, identifiers, or echoed request details in error responses, that information may be exposed in terminal logs, CI output, or other captured stderr sinks without redaction.

Credential Access

High
Category
Privilege Escalation
Content
### **未设置API密钥**
请先检查 `~/.upkuajing/.env` 文件是否有 UPKUAJING_API_KEY;
如果未设置 UPKUAJING_API_KEY API密钥,请提示并让用户选择:
1. 用户有,由用户提供(手动添加到 ~/.upkuajing/.env 文件)
2. 用户没有,你可使用接口进行申请(`auth.py --new_key`),申请到新密钥后,会自动保存到 ~/.upkuajing/.env
等待用户选择;
Confidence
95% confidence
Finding
.env

Credential Access

High
Category
Privilege Escalation
Content
请先检查 `~/.upkuajing/.env` 文件是否有 UPKUAJING_API_KEY;
如果未设置 UPKUAJING_API_KEY API密钥,请提示并让用户选择:
1. 用户有,由用户提供(手动添加到 ~/.upkuajing/.env 文件)
2. 用户没有,你可使用接口进行申请(`auth.py --new_key`),申请到新密钥后,会自动保存到 ~/.upkuajing/.env
等待用户选择;

### **账户充值**
Confidence
94% confidence
Finding
.env

Credential Access

High
Category
Privilege Escalation
Content
"envFilePath": str(env_file)
        }

    # 保存到 .env 文件
    try:
        with open(env_file, 'w', encoding='utf-8') as f:
            f.write(f"{API_KEY_ENV}={api_key}\n")
Confidence
89% confidence
Finding
.env

Credential Access

High
Category
Privilege Escalation
Content
except IOError as e:
        return {
            "success": False,
            "message": f"API密钥申请成功,但保存到 .env 文件失败:{str(e)}。\n请手动设置环境变量 {API_KEY_ENV}。",
            "envFilePath": str(env_file)
        }
Confidence
87% confidence
Finding
.env

Unpinned Dependencies

Low
Category
Supply Chain
Content
httpx>=0.23.0
Confidence
92% confidence
Finding
httpx>=0.23.0

VirusTotal

34/34 vendors flagged this skill as clean.

View on VirusTotal

Static analysis

Detected: suspicious.exposed_secret_literal

File appears to expose a hardcoded API secret or token.

Critical
Code
suspicious.exposed_secret_literal
Location
scripts/common.py:196