Back to skill

Security audit

海关企业月度贸易趋势,通过企业 ID 获取海关数据中贸易次数、数量、重量和金额的月度明细(支持可选筛选条件),支持全球 220多个国家和地区的海关贸易数据。帮助外贸团队、分析师和供应链经理分析贸易模式、监测季节性波动并跟踪长期的贸易活动——非常适合市场趋势分析、供应商销售监控和贸易流向情报。

Security checks across malware telemetry and agentic risk

Overview

This is a coherent paid customs-data API skill, but users should notice that it stores an API key locally and includes account, recharge, pricing, and version-check helpers.

Install only if you are comfortable using a paid external API. Keep ~/.upkuajing/.env private, consider tightening its permissions, review account/recharge actions before approving them, and confirm paid queries only when you intend to incur API charges.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
  • Privilege EscalationExcessive Permissions, Sudo/Root Execution, Credential Access
  • Supply ChainUnpinned Dependencies, External Script Fetching, Obfuscated Code
  • Excessive AgencyUnrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • Tool MisuseTool Parameter Abuse, Chaining Abuse, Unsafe Defaults
Findings (15)

Lp3

Medium
Category
MCP Least Privilege
Confidence
89% confidence
Finding
The skill declares no permissions, yet its documented behavior includes reading environment variables, accessing files under the user's home directory, writing credentials to disk, and making network requests. This creates an authorization/transparency gap: a user or platform may permit a seemingly simple data-query skill without realizing it can access local secrets and perform external actions.

Tp4

High
Category
MCP Tool Poisoning
Confidence
95% confidence
Finding
The stated purpose is company trade-trend lookup, but the skill also handles API key provisioning, local credential storage, account/balance queries, payment-order creation, pricing lookups, and version-check caching. This scope expansion is dangerous because users invoking a data lookup tool may unknowingly trigger credential, billing, or persistence-related operations beyond the advertised function.

Context-Inappropriate Capability

Medium
Confidence
90% confidence
Finding
The script can create recharge/payment orders even though the declared skill purpose is customs-trend analysis. This expands the skill’s effective scope into financial account operations, increasing the chance of unexpected charges, social-engineering abuse, or misuse by an agent invoking capabilities a user did not anticipate from this skill.

Context-Inappropriate Capability

Medium
Confidence
85% confidence
Finding
The account_info function exposes account identifiers and balances unrelated to the advertised analytics function. In an agent setting, unnecessary access to financial/account metadata increases privacy risk and can aid profiling, targeting, or follow-on abuse if the data is surfaced or logged.

Context-Inappropriate Capability

Medium
Confidence
94% confidence
Finding
The skill can provision new API keys, which is outside the declared customs-data analysis scope and introduces credential lifecycle operations into a data-analysis tool. In agent environments, this can enable unauthorized account provisioning, credential sprawl, and broader access than users expect.

Description-Behavior Mismatch

Medium
Confidence
91% confidence
Finding
This module performs a network call to a remote API and writes persistent cache data under the user's home directory, even though the stated skill purpose is customs trade trend analysis. That creates unnecessary data egress and side effects outside the core business function, increasing supply-chain and privacy risk if the endpoint is compromised, misconfigured, or unexpectedly invoked in restricted environments.

Context-Inappropriate Capability

Medium
Confidence
88% confidence
Finding
The skill includes self-update checking capability that is unrelated to querying customs-company trends, which broadens the trust boundary and gives the skill an extra communication channel. Even without automatic code download, this pattern can be abused for tracking, environmental probing, or as part of a larger supply-chain mechanism that users do not expect from a data-analysis skill.

Missing User Warnings

Medium
Confidence
88% confidence
Finding
The script writes a newly issued API key to a local .env file automatically without a user confirmation at the write point. This can persist credentials in plaintext in a predictable location, where they may be exposed through weak filesystem permissions, backups, logs, or later accidental disclosure.

Missing User Warnings

Medium
Confidence
81% confidence
Finding
The request helper transmits arbitrary params to a remote API and contains built-in request/response logging that can persist full payloads and server responses to disk when enabled. Because these payloads may contain user-supplied business data or sensitive results, enabling logging can create local data exposure without redaction, retention limits, or explicit user awareness.

Credential Access

High
Category
Privilege Escalation
Content
### **未设置API密钥**
请先检查 `~/.upkuajing/.env` 文件是否有 UPKUAJING_API_KEY;
如果未设置 UPKUAJING_API_KEY API密钥,请提示并让用户选择:
1. 用户有,由用户提供(手动添加到 ~/.upkuajing/.env 文件)
2. 用户没有,你可使用接口进行申请(`auth.py --new_key`),申请到新密钥后,会自动保存到 ~/.upkuajing/.env
等待用户选择;
Confidence
96% confidence
Finding
.env

Credential Access

High
Category
Privilege Escalation
Content
请先检查 `~/.upkuajing/.env` 文件是否有 UPKUAJING_API_KEY;
如果未设置 UPKUAJING_API_KEY API密钥,请提示并让用户选择:
1. 用户有,由用户提供(手动添加到 ~/.upkuajing/.env 文件)
2. 用户没有,你可使用接口进行申请(`auth.py --new_key`),申请到新密钥后,会自动保存到 ~/.upkuajing/.env
等待用户选择;

### **账户充值**
Confidence
95% confidence
Finding
.env

Credential Access

High
Category
Privilege Escalation
Content
"envFilePath": str(env_file)
        }

    # 保存到 .env 文件
    try:
        with open(env_file, 'w', encoding='utf-8') as f:
            f.write(f"{API_KEY_ENV}={api_key}\n")
Confidence
92% confidence
Finding
.env

Unpinned Dependencies

Low
Category
Supply Chain
Content
httpx>=0.23.0
Confidence
91% confidence
Finding
httpx>=0.23.0

Unsafe Defaults

Medium
Category
Tool Misuse
Content
pass  # 如果读取失败,继续执行

    # 不需要认证申请新密钥
    response = make_request('/agent/auth/create', {}, require_auth=False)

    # 检查是否申请成功
    if response.get('code') != 0:
Confidence
86% confidence
Finding
auth=False

Unsafe Defaults

Medium
Category
Tool Misuse
Content
pass  # 如果读取失败,继续执行

    # 不需要认证申请新密钥
    response = make_request('/agent/auth/create', {}, require_auth=False)

    # 检查是否申请成功
    if response.get('code') != 0:
Confidence
86% confidence
Finding
require_auth=False

VirusTotal

65/65 vendors flagged this skill as clean.

View on VirusTotal

Static analysis

Detected: suspicious.exposed_secret_literal

File appears to expose a hardcoded API secret or token.

Critical
Code
suspicious.exposed_secret_literal
Location
scripts/common.py:196