Back to skill

Security audit

UpKuaJing global company employee query, access employee lists and job titles from the global company database by company ID. UpKuaJing helps recruiters, sales teams, and B2B lead builders discover company hierarchies, verify team structures, and enrich contact data — perfect for talent research, organizational analysis, and lead qualification.

Security checks across malware telemetry and agentic risk

Overview

This skill is a paid UpKuaJing employee lookup helper with disclosed credential and billing setup behavior, though users should be careful with the local API key file.

Install only if you intend to use UpKuaJing's paid API. Keep ~/.upkuajing/.env private, do not paste the API key into chat, review any top-up URL before paying, and require explicit confirmation before each fee-incurring query or account action.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Privilege EscalationExcessive Permissions, Sudo/Root Execution, Credential Access
  • Supply ChainUnpinned Dependencies, External Script Fetching, Obfuscated Code
  • Excessive AgencyUnrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • MCP Least PrivilegeUnderdeclared Capability, Wildcard Permission, Missing Permission Declaration
  • MCP Tool PoisoningHidden Instructions, Unicode Deception, Parameter Description Injection
Findings (11)

Lp3

Medium
Category
MCP Least Privilege
Confidence
93% confidence
Finding
The skill declares no permissions, yet its documented behavior clearly includes reading environment variables, reading and writing a local .env file, and making network requests. This under-declaration weakens user and platform visibility into what the skill can actually access, which can lead to unsafe execution in environments that rely on declared permissions for trust decisions.

Tp4

High
Category
MCP Tool Poisoning
Confidence
96% confidence
Finding
The skill is presented as an employee-list lookup tool, but it also includes account management, API key issuance, balance inspection, pricing queries, recharge order creation, and local caching/version-check behavior. This mismatch is dangerous because users may authorize or trust the skill for low-risk data lookup while it performs broader financial, credential, and state-changing operations outside its stated purpose.

Description-Behavior Mismatch

High
Confidence
96% confidence
Finding
This file implements API key issuance, account/balance lookup, recharge order creation, and pricing queries, none of which are necessary for an employee-directory lookup skill. Expanding a skill's scope into credential lifecycle and billing increases attack surface and enables unintended actions involving accounts and payments if the skill is invoked or repurposed.

Context-Inappropriate Capability

High
Confidence
95% confidence
Finding
The CLI exposes recharge-order creation and pricing lookup functions that are unrelated to retrieving employee records. Payment-related capabilities are sensitive because they can trigger financial workflows or reveal billing details, and their presence in an unrelated skill suggests overprivileged, unnecessary functionality.

Context-Inappropriate Capability

Medium
Confidence
93% confidence
Finding
The code can request a new API key and persist it locally, which exceeds the stated purpose of a company employee lookup skill. Credential provisioning inside a general-use skill is risky because it can silently expand access, create unmanaged secrets on disk, and blur trust boundaries between lookup functionality and account administration.

Context-Inappropriate Capability

Medium
Confidence
93% confidence
Finding
The module performs outbound network requests to a version-check endpoint and writes persistent cache data unrelated to the advertised employee-query function. Even if intended for maintenance, this creates undeclared side effects, metadata leakage about installed skills/usage cadence, and expands the attack surface through remote connectivity and local state changes.

Description-Behavior Mismatch

Medium
Confidence
95% confidence
Finding
The code extends beyond the stated purpose of querying employee lists by implementing self-update checking, filesystem writes under the user's home directory, and remote communication with a service endpoint. In a skill ecosystem, this mismatch is security-relevant because users and reviewers may grant trust based on the manifest while hidden auxiliary behavior enables tracking, policy bypass, or future abuse if the endpoint or surrounding platform is compromised.

Credential Access

High
Category
Privilege Escalation
Content
### **API Key Not Set**
First check if the `~/.upkuajing/.env` file has UPKUAJING_API_KEY;
If UPKUAJING_API_KEY is not set, prompt the user to choose:
1. User has one: User provides it (manually add to ~/.upkuajing/.env file)
2. User doesn't have one: You can apply using the interface (`auth.py --new_key`), the new key will be automatically saved to ~/.upkuajing/.env
Wait for user selection;
Confidence
90% confidence
Finding
.env

Credential Access

High
Category
Privilege Escalation
Content
First check if the `~/.upkuajing/.env` file has UPKUAJING_API_KEY;
If UPKUAJING_API_KEY is not set, prompt the user to choose:
1. User has one: User provides it (manually add to ~/.upkuajing/.env file)
2. User doesn't have one: You can apply using the interface (`auth.py --new_key`), the new key will be automatically saved to ~/.upkuajing/.env
Wait for user selection;

### **Account Top-up**
Confidence
90% confidence
Finding
.env

Credential Access

High
Category
Privilege Escalation
Content
"envFilePath": str(env_file)
        }

    # 保存到 .env 文件
    try:
        with open(env_file, 'w', encoding='utf-8') as f:
            f.write(f"{API_KEY_ENV}={api_key}\n")
Confidence
88% confidence
Finding
.env

Unpinned Dependencies

Low
Category
Supply Chain
Content
httpx>=0.23.0
Confidence
95% confidence
Finding
httpx>=0.23.0

VirusTotal

61/61 vendors flagged this skill as clean.

View on VirusTotal

Static analysis

Detected: suspicious.exposed_secret_literal

File appears to expose a hardcoded API secret or token.

Critical
Code
suspicious.exposed_secret_literal
Location
scripts/common.py:196

File appears to expose a hardcoded API secret or token.

Critical
Code
suspicious.exposed_secret_literal
Location
SKILL.md:60