Back to skill

Security audit

海关企业基础贸易统计,通过企业 ID 查询海关数据中该企业的贸易次数、重量、数量、金额及合作伙伴数量,支持全球 220多个国家和地区的海关贸易数据。帮助外贸团队、分析师和研究人员获取汇总的贸易摘要,评估企业贸易规模,以及评价合作伙伴网络——非常适合供应商筛选、买家验证和贸易情报分析。

Security checks across malware telemetry and agentic risk

Overview

This skill is a disclosed paid API helper for querying company trade statistics, with expected credential and recharge support but no evidence of deception or harmful behavior.

Install only if you are comfortable with a paid third-party API skill that stores an API key in ~/.upkuajing/.env, may create a recharge payment URL when balance is insufficient, and performs a small automatic version check/cache under ~/.upkuajing. Confirm each paid query before allowing it to run.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
  • Privilege EscalationExcessive Permissions, Sudo/Root Execution, Credential Access
  • Supply ChainUnpinned Dependencies, External Script Fetching, Obfuscated Code
  • Excessive AgencyUnrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • MCP Least PrivilegeUnderdeclared Capability, Wildcard Permission, Missing Permission Declaration
Findings (13)

Lp3

Medium
Category
MCP Least Privilege
Confidence
95% confidence
Finding
The skill declares no permissions, yet its documented behavior clearly requires network access, reading environment variables and local files, and writing to ~/.upkuajing/.env. This mismatch weakens user consent and platform enforcement because the agent may perform sensitive operations that are not transparently declared.

Tp4

High
Category
MCP Tool Poisoning
Confidence
97% confidence
Finding
The stated purpose is trade-statistics lookup, but the skill also supports account lifecycle and monetization actions such as applying for API keys, reading/storing credentials, checking balances, creating recharge orders, and version-checking/caching. These additional behaviors materially expand the attack surface and could trigger credential handling or paid transactions beyond what a user would reasonably expect from the description.

Description-Behavior Mismatch

High
Confidence
92% confidence
Finding
The script implements API key provisioning, account lookup, recharge order creation, and pricing queries, which materially exceed the declared purpose of a skill that should only retrieve customs import/export trade statistics. This scope mismatch increases the attack surface and introduces payment/account-management capabilities that could be abused if the skill is invoked in an unexpected context.

Context-Inappropriate Capability

High
Confidence
94% confidence
Finding
Creating recharge orders is unrelated to customs trade-statistics retrieval and gives the skill a financial side effect. In an agent environment, this can enable unauthorized payment initiation or social-engineering-style abuse by surfacing payment URLs where users expect passive analytics.

Context-Inappropriate Capability

Medium
Confidence
88% confidence
Finding
Account balance and pricing queries expose account metadata and commercial information outside the skill’s stated data-analysis function. While less severe than payment initiation, these features still broaden access to sensitive operational details and can aid account reconnaissance or targeted abuse.

Description-Behavior Mismatch

Medium
Confidence
92% confidence
Finding
This module creates and writes a persistent cache file under the user's home directory for version-check state, which is outside the skill's stated purpose of customs trade statistics retrieval. While not inherently malicious, undisclosed persistent local state expands the skill's behavior and can surprise users, leave residual artifacts, and create privacy or policy-compliance concerns in constrained environments.

Description-Behavior Mismatch

Medium
Confidence
96% confidence
Finding
The code performs an outbound network request to a remote version API that is unrelated to the advertised business function of collecting customs-company statistics. Hidden secondary communications increase attack surface and can leak metadata about installed skills and usage timing, especially because the check is triggered automatically during normal operation.

Missing User Warnings

Low
Confidence
90% confidence
Finding
The version check sends the skill name to a remote API without any user-facing disclosure in this file. Although the transmitted data is limited, it still reveals installed component metadata and operation timing, which can be sensitive in enterprise or restricted environments when sent silently.

Credential Access

High
Category
Privilege Escalation
Content
### **未设置API密钥**
请先检查 `~/.upkuajing/.env` 文件是否有 UPKUAJING_API_KEY;
如果未设置 UPKUAJING_API_KEY API密钥,请提示并让用户选择:
1. 用户有,由用户提供(手动添加到 ~/.upkuajing/.env 文件)
2. 用户没有,你可使用接口进行申请(`auth.py --new_key`),申请到新密钥后,会自动保存到 ~/.upkuajing/.env
等待用户选择;
Confidence
96% confidence
Finding
.env

Credential Access

High
Category
Privilege Escalation
Content
请先检查 `~/.upkuajing/.env` 文件是否有 UPKUAJING_API_KEY;
如果未设置 UPKUAJING_API_KEY API密钥,请提示并让用户选择:
1. 用户有,由用户提供(手动添加到 ~/.upkuajing/.env 文件)
2. 用户没有,你可使用接口进行申请(`auth.py --new_key`),申请到新密钥后,会自动保存到 ~/.upkuajing/.env
等待用户选择;

### **账户充值**
Confidence
97% confidence
Finding
.env

Credential Access

High
Category
Privilege Escalation
Content
"envFilePath": str(env_file)
        }

    # 保存到 .env 文件
    try:
        with open(env_file, 'w', encoding='utf-8') as f:
            f.write(f"{API_KEY_ENV}={api_key}\n")
Confidence
86% confidence
Finding
.env

Credential Access

High
Category
Privilege Escalation
Content
except IOError as e:
        return {
            "success": False,
            "message": f"API密钥申请成功,但保存到 .env 文件失败:{str(e)}。\n请手动设置环境变量 {API_KEY_ENV}。",
            "envFilePath": str(env_file)
        }
Confidence
84% confidence
Finding
.env

Unpinned Dependencies

Low
Category
Supply Chain
Content
httpx>=0.23.0
Confidence
96% confidence
Finding
httpx>=0.23.0

VirusTotal

64/64 vendors flagged this skill as clean.

View on VirusTotal

Static analysis

Detected: suspicious.exposed_secret_literal

File appears to expose a hardcoded API secret or token.

Critical
Code
suspicious.exposed_secret_literal
Location
scripts/common.py:196