Back to skill

Security audit

支持海外公司同事查询 / 同事团队挖掘,按公司 ID + 人员 ID从全球企业数据库一键找出其公司同事。帮助招聘人员、销售团队、B2B线索构建者、批量寻找潜在联系人——适合关系网拓展、人才背调调研、客户内部决策圈摸排,常用于找到关键人后挖出更多对接人与决策人。

Security checks across malware telemetry and agentic risk

Overview

This appears to be a real paid colleague-lookup API skill, but it also handles local API keys and billing/account helper actions in ways users should review before installing.

Install only if you intend to use this provider's paid API and are comfortable with the skill reading and writing UPKUAJING_API_KEY in ~/.upkuajing/.env. Do not let the agent print or share the contents of that file, review any recharge or account command before running it, and confirm paid lookup calls only when you understand they may consume account balance.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
  • Privilege EscalationExcessive Permissions, Sudo/Root Execution, Credential Access
  • Supply ChainUnpinned Dependencies, External Script Fetching, Obfuscated Code
  • Excessive AgencyUnrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • MCP Least PrivilegeUnderdeclared Capability, Wildcard Permission, Missing Permission Declaration
Findings (14)

Lp3

Medium
Category
MCP Least Privilege
Confidence
90% confidence
Finding
The skill exposes effective capabilities to read environment data, access local files, write credentials, and make network requests without declaring those permissions up front. That mismatch reduces transparency and can cause an agent or user to authorize a seemingly simple lookup skill that can also touch secrets and perform side-effectful actions.

Tp4

High
Category
MCP Tool Poisoning
Confidence
95% confidence
Finding
The documented purpose is colleague lookup, but the skill also instructs the agent to read local credential files, create new API keys, query account state, generate recharge orders, fetch pricing, and check/update version state. This broadens the trust boundary significantly and creates opportunities for credential handling, billing side effects, and unintended data exposure beyond what a user would reasonably expect.

Context-Inappropriate Capability

Medium
Confidence
90% confidence
Finding
The skill includes account management and payment-order creation instructions even though its stated purpose is colleague discovery. In context, that makes the skill more dangerous because a user seeking contact-network data could be funneled into billing or account actions they did not intend to authorize.

Description-Behavior Mismatch

High
Confidence
95% confidence
Finding
The file implements authentication, API-key issuance, billing, recharge, and pricing operations, which do not match the declared purpose of a colleague-discovery skill. Capability mismatch is dangerous because it expands the skill’s privileges and creates an unexpected path for account and payment actions that users would not reasonably expect from this skill.

Context-Inappropriate Capability

Medium
Confidence
91% confidence
Finding
Creating recharge orders is unrelated to colleague lookup and introduces payment functionality into a data-discovery skill. This increases risk of unauthorized or unexpected financial actions, especially when bundled into a skill whose purpose does not justify billing operations.

Context-Inappropriate Capability

Medium
Confidence
89% confidence
Finding
Account balance, account identity, and pricing retrieval are platform-management functions unrelated to the advertised colleague-network use case. Exposing them here broadens access to sensitive account metadata and increases the chance of unintended disclosure or misuse.

Missing User Warnings

Low
Confidence
80% confidence
Finding
The account information functions make network calls that return account identifiers and balances, but this file provides no user-facing disclosure or consent mechanism around that collection and display. While not a direct exploit by itself, it can expose sensitive account data unexpectedly in a skill whose main purpose is unrelated to account management.

Missing User Warnings

Low
Confidence
77% confidence
Finding
The code sends the skill name to a remote API endpoint automatically, with no user-facing disclosure or consent mechanism visible in this file. Although the transmitted field is limited and low sensitivity, silent outbound telemetry expands the data exposure surface and can violate user expectations or policy in environments that restrict undisclosed network communication.

Ssd 3

High
Confidence
98% confidence
Finding
The documentation tells the agent to inspect and potentially reveal contents of the local API key file using a direct file-read command. In this context, that is especially dangerous because the file contains a live secret, and exposing or echoing it would compromise the user's account and enable unauthorized API usage and charges.

Credential Access

High
Category
Privilege Escalation
Content
### **未设置API密钥**
请先检查 `~/.upkuajing/.env` 文件是否有 UPKUAJING_API_KEY;
如果未设置 UPKUAJING_API_KEY API密钥,请提示并让用户选择:
1. 用户有,由用户提供(手动添加到 ~/.upkuajing/.env 文件)
2. 用户没有,你可使用接口进行申请(`auth.py --new_key`),申请到新密钥后,会自动保存到 ~/.upkuajing/.env
等待用户选择;
Confidence
96% confidence
Finding
.env

Credential Access

High
Category
Privilege Escalation
Content
请先检查 `~/.upkuajing/.env` 文件是否有 UPKUAJING_API_KEY;
如果未设置 UPKUAJING_API_KEY API密钥,请提示并让用户选择:
1. 用户有,由用户提供(手动添加到 ~/.upkuajing/.env 文件)
2. 用户没有,你可使用接口进行申请(`auth.py --new_key`),申请到新密钥后,会自动保存到 ~/.upkuajing/.env
等待用户选择;

### **账户充值**
Confidence
96% confidence
Finding
.env

Credential Access

High
Category
Privilege Escalation
Content
"envFilePath": str(env_file)
        }

    # 保存到 .env 文件
    try:
        with open(env_file, 'w', encoding='utf-8') as f:
            f.write(f"{API_KEY_ENV}={api_key}\n")
Confidence
86% confidence
Finding
.env

Credential Access

High
Category
Privilege Escalation
Content
except IOError as e:
        return {
            "success": False,
            "message": f"API密钥申请成功,但保存到 .env 文件失败:{str(e)}。\n请手动设置环境变量 {API_KEY_ENV}。",
            "envFilePath": str(env_file)
        }
Confidence
84% confidence
Finding
.env

Unpinned Dependencies

Low
Category
Supply Chain
Content
httpx>=0.23.0
Confidence
93% confidence
Finding
httpx>=0.23.0

VirusTotal

64/64 vendors flagged this skill as clean.

View on VirusTotal

Static analysis

Detected: suspicious.exposed_secret_literal

File appears to expose a hardcoded API secret or token.

Critical
Code
suspicious.exposed_secret_literal
Location
scripts/common.py:196