Back to skill

Security audit

Customs company trade partner distribution, get partner composition including HS code breakdown, product distribution, and monthly trade dates from customs data by company ID, supporting customs trade data from 220+ countries worldwide. Helps foreign trade teams, sourcing agents, and analysts discover trading partners, analyze product categories, and map supply chain relationships — perfect for partner identification, product mix analysis, and trade network intelligence.

Security checks across malware telemetry and agentic risk

Overview

This is a disclosed paid UpKuaJing customs-data API skill, with some operational risks around API-key storage, billing helpers, and a small under-disclosed version check.

Install only if you intend to use UpKuaJing's paid API. Keep UPKUAJING_API_KEY private, secure or restrict permissions on ~/.upkuajing/.env, review any top-up URL before paying, and require explicit confirmation before running commands that incur fees.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
  • Privilege EscalationExcessive Permissions, Sudo/Root Execution, Credential Access
  • Supply ChainUnpinned Dependencies, External Script Fetching, Obfuscated Code
  • Excessive AgencyUnrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • Tool MisuseTool Parameter Abuse, Chaining Abuse, Unsafe Defaults
Findings (14)

Lp3

Medium
Category
MCP Least Privilege
Confidence
92% confidence
Finding
The skill declares no permissions, yet its documented behavior includes reading environment variables, reading and writing files under ~/.upkuajing/.env, and making network requests. This creates a transparency and consent problem: operators may authorize a seemingly narrow data-query skill without realizing it also accesses credentials, persists secrets locally, and interacts with external account/payment endpoints.

Tp4

High
Category
MCP Tool Poisoning
Confidence
96% confidence
Finding
The published purpose is a customs partner-trend query skill, but the instructions also authorize account creation, balance inspection, payment order generation, pricing queries, and update checks with local caching. That mismatch increases the chance that a user or orchestrator invokes broader, more sensitive actions than expected, including credential provisioning and payment-related flows.

Description-Behavior Mismatch

High
Confidence
93% confidence
Finding
The file adds account-management capabilities—API key issuance, account lookup, recharge order creation, and pricing queries—that materially exceed the skill’s declared purpose of querying customs trade partner statistics. This scope mismatch is dangerous because it expands the attack surface to billing and credential workflows, enabling unauthorized or unexpected financial/account actions if the skill is invoked in broader agent contexts.

Context-Inappropriate Capability

High
Confidence
95% confidence
Finding
The script can create recharge orders and expose payment-related functionality even though the skill is presented as a customs analytics tool. Payment initiation is a sensitive capability; if an agent or user invokes this unexpectedly, it can trigger unintended billing workflows or facilitate abuse of linked accounts.

Context-Inappropriate Capability

Medium
Confidence
90% confidence
Finding
The code can request a new API key and persist it locally, which is an account-management capability unrelated to the advertised analytics function. In this context, automatic credential provisioning increases risk by letting a data-query skill bootstrap long-lived access credentials that could later be misused or exposed.

Context-Inappropriate Capability

Medium
Confidence
92% confidence
Finding
The module persistently writes version-check state into a hidden directory under the user's home folder, which is unrelated to the advertised customs partner analytics function. While the stored data is limited, this creates undeclared local state, increases the skill's footprint on the host, and can surprise users or violate least-privilege expectations for an analytics skill.

Context-Inappropriate Capability

Medium
Confidence
95% confidence
Finding
The skill performs outbound network requests to a remote version API that are outside its stated customs analytics purpose. Any undeclared egress expands the trust boundary, can leak environment or usage metadata, and introduces a dependency on a remote service that could be abused for tracking or future malicious updates.

Missing User Warnings

Low
Confidence
90% confidence
Finding
The version-check request sends the skill name to a remote API without any user-facing disclosure, which creates undisclosed metadata sharing. Although the payload is small, it still reveals installed-skill/use context and can support inventorying or correlation of user activity across systems.

Credential Access

High
Category
Privilege Escalation
Content
### **API Key Not Set**
First check if the `~/.upkuajing/.env` file has UPKUAJING_API_KEY;
If UPKUAJING_API_KEY is not set, prompt the user to choose:
1. User has one: User provides it (manually add to ~/.upkuajing/.env file)
2. User doesn't have one: You can apply using the interface (`auth.py --new_key`), the new key will be automatically saved to ~/.upkuajing/.env
Wait for user selection;
Confidence
89% confidence
Finding
.env

Credential Access

High
Category
Privilege Escalation
Content
First check if the `~/.upkuajing/.env` file has UPKUAJING_API_KEY;
If UPKUAJING_API_KEY is not set, prompt the user to choose:
1. User has one: User provides it (manually add to ~/.upkuajing/.env file)
2. User doesn't have one: You can apply using the interface (`auth.py --new_key`), the new key will be automatically saved to ~/.upkuajing/.env
Wait for user selection;

### **Account Top-up**
Confidence
87% confidence
Finding
.env

Credential Access

High
Category
Privilege Escalation
Content
"envFilePath": str(env_file)
        }

    # 保存到 .env 文件
    try:
        with open(env_file, 'w', encoding='utf-8') as f:
            f.write(f"{API_KEY_ENV}={api_key}\n")
Confidence
88% confidence
Finding
.env

Unpinned Dependencies

Low
Category
Supply Chain
Content
httpx>=0.23.0
Confidence
91% confidence
Finding
httpx>=0.23.0

Unsafe Defaults

Medium
Category
Tool Misuse
Content
pass  # 如果读取失败,继续执行

    # 不需要认证申请新密钥
    response = make_request('/agent/auth/create', {}, require_auth=False)

    # 检查是否申请成功
    if response.get('code') != 0:
Confidence
86% confidence
Finding
auth=False

Unsafe Defaults

Medium
Category
Tool Misuse
Content
pass  # 如果读取失败,继续执行

    # 不需要认证申请新密钥
    response = make_request('/agent/auth/create', {}, require_auth=False)

    # 检查是否申请成功
    if response.get('code') != 0:
Confidence
86% confidence
Finding
require_auth=False

VirusTotal

65/65 vendors flagged this skill as clean.

View on VirusTotal

Static analysis

Detected: suspicious.exposed_secret_literal

File appears to expose a hardcoded API secret or token.

Critical
Code
suspicious.exposed_secret_literal
Location
scripts/common.py:196

File appears to expose a hardcoded API secret or token.

Critical
Code
suspicious.exposed_secret_literal
Location
SKILL.md:58