Back to skill

Security audit

支持海外公司个人教育经历查询,根据个人 ID 从全球公司数据库中获取教育经历,包括学校、学历、专业和 GPA信息。帮助招聘人员、人力资源团队和招聘经理验证教育背景、评估候选人资质,并做出更明智的招聘决策——适用于候选人筛选、背景验证和人才评估。

Security checks across malware telemetry and agentic risk

Overview

The skill is mostly a disclosed paid API lookup tool, but it also performs under-disclosed background version checks and handles persistent API credentials in ways users should review carefully.

Review this skill before installing in shared or enterprise environments. Only use it if you are comfortable with a paid third-party API, local plaintext storage of UPKUAJING_API_KEY, account/recharge helper commands, and an automatic version check to openapi.upkuajing.com that is not clearly disclosed in the main instructions.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
  • Privilege EscalationExcessive Permissions, Sudo/Root Execution, Credential Access
  • Supply ChainUnpinned Dependencies, External Script Fetching, Obfuscated Code
  • Excessive AgencyUnrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • MCP Least PrivilegeUnderdeclared Capability, Wildcard Permission, Missing Permission Declaration
Findings (12)

Lp3

Medium
Category
MCP Least Privilege
Confidence
93% confidence
Finding
The skill invokes capabilities beyond its apparent query purpose, including network access, reading credentials from local files, and writing API keys to disk, yet it declares no permissions. This creates a transparency and consent gap: an agent or user may authorize the skill for a simple lookup without understanding it can access secrets and modify local state.

Tp4

High
Category
MCP Tool Poisoning
Confidence
96% confidence
Finding
The documented purpose is education-history lookup, but the skill also supports credential provisioning, account inspection, pricing queries, recharge order creation, and version checks. This mismatch increases the chance that an agent triggers sensitive or billable side effects under the guise of a simple data query, violating least surprise and informed consent.

Description-Behavior Mismatch

High
Confidence
95% confidence
Finding
The file implements authentication, API key issuance, account balance lookup, recharge order creation, and pricing queries, which materially exceed the declared skill purpose of querying education background data. This kind of scope mismatch is dangerous because it introduces billing and credential-management capabilities that a user would not reasonably expect from the advertised skill, increasing the risk of hidden monetization, abuse of accounts, or privilege expansion.

Context-Inappropriate Capability

High
Confidence
93% confidence
Finding
The CLI exposes recharge-order creation and pricing/account operations directly, which are not reasonably necessary for an education-profile lookup skill. In context, this makes the skill more dangerous because an operator may invoke financial/account functions under the assumption they are interacting only with a data-enrichment tool.

Description-Behavior Mismatch

High
Confidence
90% confidence
Finding
This module performs outbound version-checking and local state caching that are unrelated to the stated skill purpose of querying people’s education background. That scope expansion creates an unnecessary network side effect and additional data flow, which increases attack surface and can violate least-privilege expectations for a seemingly read-focused enrichment skill.

Context-Inappropriate Capability

Medium
Confidence
86% confidence
Finding
The code adds a self-update check capability by sending the skill name to a remote API and acting on the returned version information, despite this behavior not being necessary for personnel-profile lookup. Even though it does not auto-install updates, it still creates an unexpected control channel to external infrastructure and normalizes hidden network behavior unrelated to user intent.

Missing User Warnings

Low
Confidence
77% confidence
Finding
The function initiates an automatic network request that transmits the skill name without any clear user-facing disclosure at the time of transmission. While the transmitted metadata is limited, undisclosed background communication can leak installed-skill information and erode user trust, especially in enterprise environments.

Credential Access

High
Category
Privilege Escalation
Content
### **未设置API密钥**
请先检查 `~/.upkuajing/.env` 文件是否有 UPKUAJING_API_KEY;
如果未设置 UPKUAJING_API_KEY API密钥,请提示并让用户选择:
1. 用户有,由用户提供(手动添加到 ~/.upkuajing/.env 文件)
2. 用户没有,你可使用接口进行申请(`auth.py --new_key`),申请到新密钥后,会自动保存到 ~/.upkuajing/.env
等待用户选择;
Confidence
98% confidence
Finding
.env

Credential Access

High
Category
Privilege Escalation
Content
请先检查 `~/.upkuajing/.env` 文件是否有 UPKUAJING_API_KEY;
如果未设置 UPKUAJING_API_KEY API密钥,请提示并让用户选择:
1. 用户有,由用户提供(手动添加到 ~/.upkuajing/.env 文件)
2. 用户没有,你可使用接口进行申请(`auth.py --new_key`),申请到新密钥后,会自动保存到 ~/.upkuajing/.env
等待用户选择;

### **账户充值**
Confidence
98% confidence
Finding
.env

Credential Access

High
Category
Privilege Escalation
Content
env_file = UPKUAJING_ENV_FILE

    if env_file.exists():
        # 读取现有的 .env 文件
        try:
            with open(env_file, 'r', encoding='utf-8') as f:
                content = f.read()
Confidence
84% confidence
Finding
.env

Credential Access

High
Category
Privilege Escalation
Content
"envFilePath": str(env_file)
        }

    # 保存到 .env 文件
    try:
        with open(env_file, 'w', encoding='utf-8') as f:
            f.write(f"{API_KEY_ENV}={api_key}\n")
Confidence
86% confidence
Finding
.env

Unpinned Dependencies

Low
Category
Supply Chain
Content
httpx>=0.23.0
Confidence
95% confidence
Finding
httpx>=0.23.0

VirusTotal

64/64 vendors flagged this skill as clean.

View on VirusTotal

Static analysis

Detected: suspicious.exposed_secret_literal

File appears to expose a hardcoded API secret or token.

Critical
Code
suspicious.exposed_secret_literal
Location
scripts/common.py:196