Back to skill

Security audit

Email validity check, verify email address format, domain, and deliverability for B2B lead qualification. Helps sales teams, recruiters, and marketers validate email addresses, reduce bounces, and improve campaign performance — essential for cold outreach, lead verification, and CRM data cleaning.

Security checks across malware telemetry and agentic risk

Overview

This is a paid, API-backed email validation skill whose main behavior is disclosed, but users should understand its API-key storage, billing support, and automatic version-check behavior before installing.

Install only if you are comfortable sending email addresses to UPKUAJING's remote API and paying per validation. Use a scoped API key, avoid committing ~/.upkuajing/.env, review any top-up/payment URL manually before paying, and be aware the scripts may create a local version-cache file and perform a daily version check.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
  • Privilege EscalationExcessive Permissions, Sudo/Root Execution, Credential Access
  • Supply ChainUnpinned Dependencies, External Script Fetching, Obfuscated Code
  • Excessive AgencyUnrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • MCP Least PrivilegeUnderdeclared Capability, Wildcard Permission, Missing Permission Declaration
Findings (18)

Lp3

Medium
Category
MCP Least Privilege
Confidence
88% confidence
Finding
The skill declares only a simple email-validation purpose, but its documented behavior requires environment access, local file reads/writes, and network operations without explicitly declaring those permissions. This creates a transparency and least-privilege problem: operators may approve a seemingly low-risk skill without understanding it can access credentials, modify local state, and make external requests.

Tp4

High
Category
MCP Tool Poisoning
Confidence
95% confidence
Finding
The skill is presented as an email validity checker, but the documentation shows additional behaviors including credential handling, account/balance retrieval, payment order creation, pricing queries, and version-check caching. This mismatch is dangerous because it hides financially sensitive and state-changing operations behind a narrow description, increasing the chance of overbroad user trust and unintended execution of billing or account-management actions.

Description-Behavior Mismatch

High
Confidence
98% confidence
Finding
The file implements cross-border platform authentication, account lookup, pricing, and recharge functionality that is unrelated to the declared email-validity skill purpose. This mismatch is dangerous because users or orchestrators may invoke the skill expecting harmless email verification, while the code can perform sensitive account-management and billing-adjacent operations against a remote service.

Context-Inappropriate Capability

High
Confidence
99% confidence
Finding
The code exposes a recharge-order creation path that can trigger payment-related workflows despite the skill being presented as an email validation utility. In this context, hidden billing capability is especially risky because it expands financial attack surface and could be abused through unsuspecting invocation or confused-deputy behavior.

Context-Inappropriate Capability

Medium
Confidence
93% confidence
Finding
The script can provision a new API key and persist it locally to a .env file, which is a sensitive credential-management action unrelated to email validity checking. In the current skill context, this broadens the blast radius by creating and storing secrets on disk without a narrowly justified need.

Context-Inappropriate Capability

Medium
Confidence
95% confidence
Finding
Account-information and pricing queries are outside the stated purpose of checking email validity and disclose financial/account metadata through the skill interface. This capability mismatch increases risk because operators may grant trust to the skill based on its benign description while it accesses unrelated sensitive business information.

Intent-Code Divergence

High
Confidence
97% confidence
Finding
The module documentation describes authentication management for a cross-border platform, directly contradicting the declared email-validity purpose. This discrepancy is a strong signal of deceptive or mislabeled functionality, which undermines user consent and can conceal sensitive operations from review workflows.

Description-Behavior Mismatch

Medium
Confidence
77% confidence
Finding
The utility performs an additional outbound version-check call via check_and_notify() on every API request, which is behavior beyond the core email-validation transaction. Extra undisclosed network traffic can leak usage metadata, create privacy concerns, and enlarge the trust boundary to another remote endpoint or code path.

Description-Behavior Mismatch

High
Confidence
97% confidence
Finding
This module performs outbound network access to a remote version endpoint and writes persistent state under the user's home directory, behavior that is unrelated to the advertised email-validation purpose. In a skill context, hidden auxiliary behavior expands the attack surface, creates telemetry/privacy concerns, and could be abused to track usage or influence users via server-controlled update notices.

Context-Inappropriate Capability

Medium
Confidence
95% confidence
Finding
The skill includes self-update/version telemetry capability that sends the skill name to a server and conditionally acts on the response, despite this being unnecessary for validating email addresses. Even though the transmitted data is limited, undisclosed telemetry in a narrowly scoped skill violates least privilege and can enable monitoring of installations or future expansion into more invasive behavior.

Missing User Warnings

Medium
Confidence
89% confidence
Finding
The script writes an API key to a local .env file without an upfront, explicit warning before modifying user files. Silent persistence of credentials is risky because users may not realize secrets were stored on disk, where they can later be exposed through backups, source control mistakes, or local compromise.

Missing User Warnings

Medium
Confidence
87% confidence
Finding
The code contacts remote authentication/account endpoints without clear user-facing disclosure at the point of action. In a skill mislabeled as email validation, undisclosed network interactions are more dangerous because users may not expect external account operations or data exchange with a third-party platform.

Missing User Warnings

Medium
Confidence
94% confidence
Finding
make_request sends caller-supplied params directly to an external API endpoint, and the same data may also be written to local logs when logging is enabled. In an email-validation skill, submitted email addresses are sensitive user data, so undisclosed transmission to a third party creates a real privacy and data-handling risk.

Missing User Warnings

Medium
Confidence
89% confidence
Finding
The script sends user-supplied email addresses to a remote endpoint via make_request('/agent/validation/email', params) without any explicit user-facing notice, consent step, or data-handling warning. Email addresses are personal data in many contexts, so silent transmission to an external service creates privacy and compliance risk, especially if users assume validation is local.

Credential Access

High
Category
Privilege Escalation
Content
### **API Key Not Set**
First check if the `~/.upkuajing/.env` file has UPKUAJING_API_KEY;
If UPKUAJING_API_KEY is not set, prompt the user to choose:
1. User has one: User provides it (manually add to ~/.upkuajing/.env file)
2. User doesn't have one: Guide user to apply at [Open Platform](https://developer.upkuajing.com/)
Wait for user selection;
Confidence
84% confidence
Finding
.env

Credential Access

High
Category
Privilege Escalation
Content
env_file = UPKUAJING_ENV_FILE

    if env_file.exists():
        # 读取现有的 .env 文件
        try:
            with open(env_file, 'r', encoding='utf-8') as f:
                content = f.read()
Confidence
84% confidence
Finding
.env

Credential Access

High
Category
Privilege Escalation
Content
"envFilePath": str(env_file)
        }

    # 保存到 .env 文件
    try:
        with open(env_file, 'w', encoding='utf-8') as f:
            f.write(f"{API_KEY_ENV}={api_key}\n")
Confidence
97% confidence
Finding
.env

Unpinned Dependencies

Low
Category
Supply Chain
Content
httpx>=0.23.0
Confidence
96% confidence
Finding
httpx>=0.23.0

VirusTotal

65/65 vendors flagged this skill as clean.

View on VirusTotal

Static analysis

Detected: suspicious.exposed_secret_literal

File appears to expose a hardcoded API secret or token.

Critical
Code
suspicious.exposed_secret_literal
Location
scripts/common.py:196