Back to skill

Security audit

支持海外公司人员教育背景查询,按人员 ID 从全球公司数据库获取含院校、学位、专业与绩点的教育经历。帮助招聘人员、HR团队与用人经理核验学历背景、评估候选人资质、做出明智招聘决策——适合候选人筛选、背景核验与人才评估。

Security checks across malware telemetry and agentic risk

Overview

The skill performs the advertised paid work-history lookup, but it also includes account, credential, recharge, and automatic version-check behavior that users should review carefully before installing.

Install only if you are comfortable with this skill reading and writing a local UPKUAJING API key, contacting openapi.upkuajing.com, making paid API calls after confirmation, and offering account/recharge actions. Review recharge and key-generation prompts carefully, and prefer setting the API key yourself through a secure secret mechanism where available.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Privilege EscalationExcessive Permissions, Sudo/Root Execution, Credential Access
  • Supply ChainUnpinned Dependencies, External Script Fetching, Obfuscated Code
  • Excessive AgencyUnrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • MCP Least PrivilegeUnderdeclared Capability, Wildcard Permission, Missing Permission Declaration
  • MCP Tool PoisoningHidden Instructions, Unicode Deception, Parameter Description Injection
Findings (15)

Lp3

Medium
Category
MCP Least Privilege
Confidence
94% confidence
Finding
The skill declares no explicit permissions, yet its instructions clearly require reading environment variables, accessing local files under ~/.upkuajing, writing credentials, and making network requests. This creates an under-declared capability surface that can mislead users or orchestrators about what the skill will actually do, increasing the risk of unintended credential access or side effects.

Tp4

High
Category
MCP Tool Poisoning
Confidence
97% confidence
Finding
The declared purpose is person work-history lookup, but the documented behavior extends into credential provisioning, account inspection, billing, payment-order creation, and local state writes. This scope expansion is dangerous because a user invoking a data-enrichment skill may unknowingly authorize account or financial actions that are unrelated to the core purpose.

Description-Behavior Mismatch

Medium
Confidence
93% confidence
Finding
A skill presented as a background-information lookup tool also instructs the agent to apply for API keys, inspect account status, and create recharge flows. Mixing identity, account, and billing operations into a lookup skill increases the chance of overreach and can lead to actions users did not expect when requesting simple data retrieval.

Context-Inappropriate Capability

Medium
Confidence
96% confidence
Finding
The skill explicitly supports creating recharge orders and sending payment URLs, which introduces a financial-action pathway unrelated to the stated purpose of querying employment history. In context, this is more dangerous because the skill is framed as benign sales-intelligence enrichment, making users less likely to anticipate payment-related side effects.

Context-Inappropriate Capability

Medium
Confidence
92% confidence
Finding
The documentation allows the skill to request new API keys and store them locally, which exceeds the advertised responsibility of retrieving a person's work history. Credential lifecycle operations are sensitive and should not be bundled into a lookup skill because they expand trust requirements and create opportunities for unauthorized persistence of secrets.

Intent-Code Divergence

Low
Confidence
81% confidence
Finding
The document's framing emphasizes work-experience lookup, while later sections broaden behavior into authentication, recharge, and account management. Although this is primarily a transparency and design issue rather than an overt exploit, it weakens informed consent and makes misuse or accidental overreach more likely.

Description-Behavior Mismatch

High
Confidence
92% confidence
Finding
The script implements account management capabilities such as API key issuance, balance lookup, recharge order creation, and pricing queries that are outside the declared purpose of a people-experience enrichment skill. This scope expansion increases attack surface and can enable financial or account operations from a skill that users may reasonably expect to only perform profile lookups.

Context-Inappropriate Capability

Medium
Confidence
89% confidence
Finding
Creating recharge orders is a financial/account operation unrelated to the skill's stated business purpose of retrieving employment history. In a mismatched skill context, hidden payment initiation functionality is risky because it can surprise operators, be abused in chained workflows, or facilitate unauthorized spending if exposed through automation.

Description-Behavior Mismatch

Medium
Confidence
95% confidence
Finding
The module performs outbound network access and writes a persistent cache file under the user's home directory to support version checking, which is unrelated to the stated person-profile enrichment purpose of the skill. Even if intended for maintenance, this creates undisclosed telemetry and filesystem side effects that can leak usage metadata and expand the skill's attack surface if the endpoint or configuration is compromised.

Context-Inappropriate Capability

Medium
Confidence
91% confidence
Finding
The presence of self-update/version telemetry capability in a skill whose business purpose is contact and employment-history lookup is a scope mismatch. Such hidden maintenance behavior can reveal when and where the skill is used, and introduces unnecessary external communication channels that are attractive for abuse or future feature creep.

Credential Access

High
Category
Privilege Escalation
Content
### **未设置API密钥**
请先检查 `~/.upkuajing/.env` 文件是否有 UPKUAJING_API_KEY;
如果未设置 UPKUAJING_API_KEY API密钥,请提示并让用户选择:
1. 用户有,由用户提供(手动添加到 ~/.upkuajing/.env 文件)
2. 用户没有,你可使用接口进行申请(`auth.py --new_key`),申请到新密钥后,会自动保存到 ~/.upkuajing/.env
等待用户选择;
Confidence
95% confidence
Finding
.env

Credential Access

High
Category
Privilege Escalation
Content
请先检查 `~/.upkuajing/.env` 文件是否有 UPKUAJING_API_KEY;
如果未设置 UPKUAJING_API_KEY API密钥,请提示并让用户选择:
1. 用户有,由用户提供(手动添加到 ~/.upkuajing/.env 文件)
2. 用户没有,你可使用接口进行申请(`auth.py --new_key`),申请到新密钥后,会自动保存到 ~/.upkuajing/.env
等待用户选择;

### **账户充值**
Confidence
96% confidence
Finding
.env

Credential Access

High
Category
Privilege Escalation
Content
"envFilePath": str(env_file)
        }

    # 保存到 .env 文件
    try:
        with open(env_file, 'w', encoding='utf-8') as f:
            f.write(f"{API_KEY_ENV}={api_key}\n")
Confidence
84% confidence
Finding
.env

Credential Access

High
Category
Privilege Escalation
Content
except IOError as e:
        return {
            "success": False,
            "message": f"API密钥申请成功,但保存到 .env 文件失败:{str(e)}。\n请手动设置环境变量 {API_KEY_ENV}。",
            "envFilePath": str(env_file)
        }
Confidence
81% confidence
Finding
.env

Unpinned Dependencies

Low
Category
Supply Chain
Content
httpx>=0.23.0
Confidence
91% confidence
Finding
httpx>=0.23.0

VirusTotal

65/65 vendors flagged this skill as clean.

View on VirusTotal

Static analysis

Detected: suspicious.exposed_secret_literal

File appears to expose a hardcoded API secret or token.

Critical
Code
suspicious.exposed_secret_literal
Location
scripts/common.py:196