Back to skill

Security audit

域名有效性检查,验证企业网站域名有效、无效状态。帮助销售团队、市场人员和研究人员检查公司域名、提升邮件触达率——是 CRM数据清洗、销售线索验证、供应商核验、邮件列表清洗的必备工具,适用于外贸邮件群发前清洗、招聘背调与采购商核实。

Security checks across malware telemetry and agentic risk

Overview

This is a paid domain-checking skill whose credential, account, and recharge helpers are disclosed and mostly user-directed, with some local-secret and update-check caveats.

Before installing, understand that this skill uses an external paid API, stores or reads an API key at ~/.upkuajing/.env, and can help create recharge orders and payment links. Only approve domain checks or recharge actions when you expect charges, verify payment URLs before opening them, and protect the local API key file.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
  • Privilege EscalationExcessive Permissions, Sudo/Root Execution, Credential Access
  • Supply ChainUnpinned Dependencies, External Script Fetching, Obfuscated Code
  • Excessive AgencyUnrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • MCP Least PrivilegeUnderdeclared Capability, Wildcard Permission, Missing Permission Declaration
Findings (19)

Lp3

Medium
Category
MCP Least Privilege
Confidence
90% confidence
Finding
The skill declares no permissions, yet its documented behavior requires reading environment variables, accessing local files like ~/.upkuajing/.env, writing credentials to disk, and making network calls. This mismatch weakens user oversight and informed consent, because an apparently narrow domain-checking skill can access credentials and perform side-effecting operations without explicit permission disclosure.

Tp4

High
Category
MCP Tool Poisoning
Confidence
95% confidence
Finding
The documented functionality goes well beyond domain validation: it can request and persist new API keys, inspect account status, create recharge orders, retrieve pricing, and cache remote version data. That description-behavior mismatch is dangerous because users invoking a validation tool may not expect credential provisioning, billing actions, or local state changes.

Context-Inappropriate Capability

Medium
Confidence
92% confidence
Finding
The skill instructs the agent to apply for a new API key and automatically write it into ~/.upkuajing/.env when one is missing. For a domain-checking skill, creating credentials and persisting them locally exceeds the least-privilege scope and introduces credential-handling risk, especially if the user did not explicitly request local storage.

Context-Inappropriate Capability

Medium
Confidence
90% confidence
Finding
Embedding recharge, order creation, and payment-link generation inside a domain validation skill broadens the attack surface into financial workflows unrelated to the core function. Even with a confirmation step, combining validation and billing can lead to confused-deputy behavior, where users trigger purchase-related actions through a tool they perceive as a simple checker.

Description-Behavior Mismatch

High
Confidence
99% confidence
Finding
The file implements account authentication, API key issuance, billing, and pricing operations that are unrelated to the declared domain-validation skill. This mismatch expands the skill’s privilege and behavior surface, increasing the risk of undisclosed credential provisioning and monetization actions under a misleading capability label.

Context-Inappropriate Capability

High
Confidence
98% confidence
Finding
Generating recharge orders and payment URLs has no clear operational need for domain validity checking, yet it enables financial actions from within the skill. In a mislabeled skill, this creates a strong risk of unexpected account charges, abuse of user trust, or hidden monetization workflows.

Context-Inappropriate Capability

Medium
Confidence
97% confidence
Finding
The skill can request a new API key from a remote service and persist it locally, which exceeds the reasonable scope of a domain-validation utility. This introduces credential lifecycle behavior users may not expect, raising the risk of unauthorized account binding, secret sprawl, and hidden dependency on external services.

Intent-Code Divergence

High
Confidence
99% confidence
Finding
The module-level documentation explicitly states it is for authentication management, directly conflicting with the advertised domain-validation purpose. Such a discrepancy is a serious trust and supply-chain concern because users and reviewers may approve the skill for one function while it performs another.

Description-Behavior Mismatch

Medium
Confidence
90% confidence
Finding
This module performs outbound version checks and persistent local caching that are unrelated to the declared domain-validation function of the skill. While not overtly malicious, hidden auxiliary network behavior expands the skill's attack surface, leaks metadata about installed skills, and creates trust concerns because users invoking a domain-checking tool would not reasonably expect extra remote telemetry and filesystem writes.

Context-Inappropriate Capability

Medium
Confidence
88% confidence
Finding
The code introduces self-update checking capability that is not necessary for domain validation and triggers an external HTTP request during normal use. Such unexpected remote behavior can be repurposed for tracking, policy bypass, or future delivery of misleading upgrade prompts, especially because it is tied to routine API activity rather than an explicit maintenance action.

Missing User Warnings

Medium
Confidence
91% confidence
Finding
The code writes a freshly obtained API key into a local .env file without an explicit pre-write warning or consent flow. This can surprise users, leave secrets in plaintext on disk, and increase the chance of accidental exposure through backups, logs, or permissive file access.

Missing User Warnings

Medium
Confidence
89% confidence
Finding
The script contacts a remote endpoint to create a new API key without clearly disclosing to the user that credential material will be requested from an external service. In the context of a mislabeled skill, that lack of transparency makes the network action more suspicious and increases the risk of unintended credential provisioning.

Missing User Warnings

Medium
Confidence
93% confidence
Finding
The optional logging functions persist full request parameters and parsed response bodies to local log files under ~/.upkuajing/logs. If enabled, these logs can capture sensitive business data and potentially credentials or API-returned confidential content without redaction, retention limits, or user-facing disclosure, creating a local data exposure risk.

Missing User Warnings

Low
Confidence
80% confidence
Finding
The version check sends the skill name to a remote endpoint without any visible user-facing disclosure in this module. Although the transmitted data appears limited, undisclosed telemetry is a privacy and trust issue, and in aggregate it can reveal tool usage patterns or installed capabilities.

Credential Access

High
Category
Privilege Escalation
Content
### **未设置API密钥**
请先检查 `~/.upkuajing/.env` 文件是否有 UPKUAJING_API_KEY;
如果未设置 UPKUAJING_API_KEY API密钥,请提示并让用户选择:
1. 用户有,由用户提供(手动添加到 ~/.upkuajing/.env 文件)
2. 用户没有,你可使用接口进行申请(`auth.py --new_key`),申请到新密钥后,会自动保存到 ~/.upkuajing/.env
等待用户选择;
Confidence
96% confidence
Finding
.env

Credential Access

High
Category
Privilege Escalation
Content
请先检查 `~/.upkuajing/.env` 文件是否有 UPKUAJING_API_KEY;
如果未设置 UPKUAJING_API_KEY API密钥,请提示并让用户选择:
1. 用户有,由用户提供(手动添加到 ~/.upkuajing/.env 文件)
2. 用户没有,你可使用接口进行申请(`auth.py --new_key`),申请到新密钥后,会自动保存到 ~/.upkuajing/.env
等待用户选择;

### **账户充值**
Confidence
97% confidence
Finding
.env

Credential Access

High
Category
Privilege Escalation
Content
env_file = UPKUAJING_ENV_FILE

    if env_file.exists():
        # 读取现有的 .env 文件
        try:
            with open(env_file, 'r', encoding='utf-8') as f:
                content = f.read()
Confidence
78% confidence
Finding
.env

Credential Access

High
Category
Privilege Escalation
Content
"envFilePath": str(env_file)
        }

    # 保存到 .env 文件
    try:
        with open(env_file, 'w', encoding='utf-8') as f:
            f.write(f"{API_KEY_ENV}={api_key}\n")
Confidence
95% confidence
Finding
.env

Unpinned Dependencies

Low
Category
Supply Chain
Content
httpx>=0.23.0
Confidence
97% confidence
Finding
httpx>=0.23.0

VirusTotal

60/60 vendors flagged this skill as clean.

View on VirusTotal

Static analysis

Detected: suspicious.exposed_secret_literal

File appears to expose a hardcoded API secret or token.

Critical
Code
suspicious.exposed_secret_literal
Location
scripts/common.py:196