Back to skill

Security audit

Domain validity check, verify domain availability and DNS configuration for B2B lead qualification. Helps sales teams, marketers, and researchers validate company domains, check email server configuration, and improve outreach deliverability — essential for lead verification, email marketing, and contact data enrichment.

Security checks across malware telemetry and agentic risk

Overview

This domain-checking skill appears legitimate, but it also handles API keys, account/billing actions, and an automatic version check with local persistence.

Install only if you are comfortable using the UpKuaJing paid API, storing its API key in a local plaintext ~/.upkuajing/.env file, and allowing the skill to contact openapi.upkuajing.com for validation, account/pricing actions, top-up order creation, and update checks. Confirm fees before running paid checks or top-up commands, and consider using a scoped API key and restrictive file permissions.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Privilege EscalationExcessive Permissions, Sudo/Root Execution, Credential Access
  • Supply ChainUnpinned Dependencies, External Script Fetching, Obfuscated Code
  • Excessive AgencyUnrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • Tool MisuseTool Parameter Abuse, Chaining Abuse, Unsafe Defaults
  • MCP Least PrivilegeUnderdeclared Capability, Wildcard Permission, Missing Permission Declaration
Findings (18)

Lp3

Medium
Category
MCP Least Privilege
Confidence
93% confidence
Finding
The skill declares no explicit permissions even though its documented behavior requires environment variable access, reading and writing under ~/.upkuajing, and network access to remote APIs. This under-declaration weakens review and consent boundaries, making it easier for users or orchestrators to invoke a skill with broader capabilities than its manifest transparently communicates.

Tp4

High
Category
MCP Tool Poisoning
Confidence
97% confidence
Finding
The advertised purpose is limited to domain validity checks, but the skill also documents account management, pricing queries, balance checks, payment order creation, credential storage, and persistent local state. This mismatch is dangerous because users may authorize a seemingly narrow validation tool without realizing it can handle billing-related actions, store secrets, and interact with unrelated remote endpoints.

Description-Behavior Mismatch

High
Confidence
99% confidence
Finding
The file implements API key issuance, account lookup, billing/recharge, and pricing operations, while the skill metadata claims it only checks domain validity, security, and sensitivity. This mismatch is dangerous because it can hide credential and payment-related behavior behind an unrelated manifest, reducing user scrutiny and expanding the effective privilege/scope of the skill.

Context-Inappropriate Capability

High
Confidence
99% confidence
Finding
The code contains credential management (`new_key`), account information retrieval, recharge order creation, and pricing queries that are unjustified for a domain-validity checker. In this context, these capabilities increase risk because they expose secrets and financial/account actions where users would not reasonably expect them.

Description-Behavior Mismatch

High
Confidence
89% confidence
Finding
This utility exposes a general outbound HTTP request capability plus local persistence primitives that go beyond the narrow manifest description of 'domain validity, security, and sensitivity status' checking. Even if intended for legitimate API use, the mismatch increases risk because a user or higher-level agent may unknowingly grant broader network and file-handling powers than expected.

Description-Behavior Mismatch

Medium
Confidence
92% confidence
Finding
The code retrieves API credentials from environment variables and a local ~/.upkuajing/.env file, but this sensitive capability is not reflected in the skill description. In an agent setting, undeclared credential access is dangerous because it expands trust assumptions and can enable silent use of secrets the user did not expect this skill to consume.

Description-Behavior Mismatch

Medium
Confidence
84% confidence
Finding
The skill stores task metadata and results on local disk under task_data, which is an undeclared persistence capability relative to the manifest. Undisclosed local storage can retain sensitive domains, API outputs, or workflow state longer than users expect and may be accessible to other local processes or later runs.

Context-Inappropriate Capability

Medium
Confidence
90% confidence
Finding
The call to check_and_notify(API_BASE_URL) introduces an additional network interaction that is not obviously required for validating domains. Hidden or secondary network calls are risky in agent skills because they may leak usage metadata, create supply-chain exposure, or contact infrastructure outside the user’s expectation.

Description-Behavior Mismatch

High
Confidence
95% confidence
Finding
This file adds version-checking, outbound network access, and persistent local state to a skill whose declared purpose is domain validity/security checking. That mismatch is security-relevant because it expands the skill's capabilities beyond user expectations and can enable undisclosed telemetry or remote influence over runtime behavior, even if framed as an update notice.

Context-Inappropriate Capability

Medium
Confidence
92% confidence
Finding
The module performs an HTTP POST to a server endpoint unrelated to domain validation, creating unexpected outbound connectivity. In a skill context, this is dangerous because it increases attack surface, may leak metadata such as installed skill names, and allows a remote service to influence local user messaging about upgrades.

Context-Inappropriate Capability

Medium
Confidence
89% confidence
Finding
The code writes version-tracking data under the user's home directory for a purpose unrelated to the advertised skill function. Undisclosed persistence is risky because it creates hidden state, can expose user/environment metadata, and makes the skill harder to audit and reason about from a least-privilege perspective.

Credential Access

High
Category
Privilege Escalation
Content
### **API Key Not Set**
First check if the `~/.upkuajing/.env` file has UPKUAJING_API_KEY;
If UPKUAJING_API_KEY is not set, prompt the user to choose:
1. User has one: User provides it (manually add to ~/.upkuajing/.env file)
2. User doesn't have one: Guide user to apply at [Open Platform](https://developer.upkuajing.com/)
Wait for user selection;
Confidence
88% confidence
Finding
.env

Credential Access

High
Category
Privilege Escalation
Content
"""
    申请新的 API 密钥。
    """
    # 检查是否已存在 .env 文件和 API key
    env_file = UPKUAJING_ENV_FILE

    if env_file.exists():
Confidence
83% confidence
Finding
.env

Credential Access

High
Category
Privilege Escalation
Content
env_file = UPKUAJING_ENV_FILE

    if env_file.exists():
        # 读取现有的 .env 文件
        try:
            with open(env_file, 'r', encoding='utf-8') as f:
                content = f.read()
Confidence
88% confidence
Finding
.env

Credential Access

High
Category
Privilege Escalation
Content
"envFilePath": str(env_file)
        }

    # 保存到 .env 文件
    try:
        with open(env_file, 'w', encoding='utf-8') as f:
            f.write(f"{API_KEY_ENV}={api_key}\n")
Confidence
95% confidence
Finding
.env

Unpinned Dependencies

Low
Category
Supply Chain
Content
httpx>=0.23.0
Confidence
90% confidence
Finding
httpx>=0.23.0

Unsafe Defaults

Medium
Category
Tool Misuse
Content
pass  # 如果读取失败,继续执行

    # 不需要认证申请新密钥
    response = make_request('/agent/auth/create', {}, require_auth=False)

    # 检查是否申请成功
    if response.get('code') != 0:
Confidence
80% confidence
Finding
auth=False

Unsafe Defaults

Medium
Category
Tool Misuse
Content
pass  # 如果读取失败,继续执行

    # 不需要认证申请新密钥
    response = make_request('/agent/auth/create', {}, require_auth=False)

    # 检查是否申请成功
    if response.get('code') != 0:
Confidence
80% confidence
Finding
require_auth=False

VirusTotal

65/65 vendors flagged this skill as clean.

View on VirusTotal

Static analysis

Detected: suspicious.exposed_secret_literal

File appears to expose a hardcoded API secret or token.

Critical
Code
suspicious.exposed_secret_literal
Location
scripts/common.py:196