Back to skill

Security audit

UpKuaJing global company school detail query, access detailed school information including name, type, location, and social media URLs from the global company database. UpKuaJing helps recruiters, researchers, and analysts verify educational institutions, research academic networks, and enrich institutional data — perfect for education verification, institution research, and academic network analysis.

Security checks across malware telemetry and agentic risk

Overview

This skill appears to do the advertised lookup, but it also includes account, billing, credential creation, local secret storage, and version-check behavior that is broader than a school-detail query.

Install only if you are comfortable with this skill managing an UpKuaJing API key on disk and exposing account or billing-related commands. Prefer configuring credentials through a trusted secret manager, avoid using the recharge/order functions unless you explicitly intend them, and review the local ~/.upkuajing files it creates.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Privilege EscalationExcessive Permissions, Sudo/Root Execution, Credential Access
  • Supply ChainUnpinned Dependencies, External Script Fetching, Obfuscated Code
  • Excessive AgencyUnrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • Tool MisuseTool Parameter Abuse, Chaining Abuse, Unsafe Defaults
  • MCP Least PrivilegeUnderdeclared Capability, Wildcard Permission, Missing Permission Declaration
Findings (14)

Lp3

Medium
Category
MCP Least Privilege
Confidence
95% confidence
Finding
The skill declares no permissions, yet its documented behavior includes reading environment variables, accessing local files under ~/.upkuajing, writing credentials to disk, and making network requests. This creates a transparency and consent problem: users or hosting platforms may not realize the skill can access secrets and perform external actions beyond a simple lookup.

Tp4

High
Category
MCP Tool Poisoning
Confidence
97% confidence
Finding
The skill is presented as a school-detail lookup, but its instructions also cover API key provisioning, credential persistence, account/balance inspection, payment order creation, pricing queries, and local caching/version-check activity. That mismatch broadens the attack surface and increases the chance a user or agent invokes sensitive account or billing operations without understanding the full scope.

Description-Behavior Mismatch

High
Confidence
97% confidence
Finding
The file implements API key provisioning, account lookup, recharge order creation, and pricing queries even though the declared skill is only for querying school details. This capability expansion increases the attack surface by enabling credential lifecycle and billing actions that are unnecessary for the stated function and could be abused if the skill is invoked unexpectedly or bundled into an agent workflow.

Context-Inappropriate Capability

High
Confidence
95% confidence
Finding
The CLI exposes account-management and billing operations such as recharge order creation and price/account queries that are unrelated to a school-detail lookup skill. In an agent ecosystem, these extra actions can be triggered accidentally or by prompt manipulation, causing unauthorized financial or account-side effects.

Context-Inappropriate Capability

Medium
Confidence
94% confidence
Finding
The code can request a new API credential and persist it locally, which exceeds the stated purpose of a school-detail lookup skill. Embedding credential issuance into a general-use skill risks silent key sprawl, misuse of newly created credentials, and unauthorized persistence of secrets on disk.

Description-Behavior Mismatch

Medium
Confidence
95% confidence
Finding
The skill’s stated purpose is querying school details, but this module performs unrelated outbound network requests to a version API and writes persistent state under the user’s home directory. Even if intended for update notification, this expands the trust boundary, creates an unexpected telemetry/update-check channel, and introduces side effects not necessary for the advertised functionality.

Context-Inappropriate Capability

Medium
Confidence
94% confidence
Finding
The file implements self-version tracking and remote update discovery across much of the module, which is not justified by a school-detail retrieval skill. This kind of auxiliary capability is risky because it enables hidden network activity and local persistence that could be repurposed for tracking, environment probing, or future update-driven abuse if the remote endpoint is compromised.

Credential Access

High
Category
Privilege Escalation
Content
### **API Key Not Set**
First check if the `~/.upkuajing/.env` file has UPKUAJING_API_KEY;
If UPKUAJING_API_KEY is not set, prompt the user to choose:
1. User has one: User provides it (manually add to ~/.upkuajing/.env file)
2. User doesn't have one: You can apply using the interface (`auth.py --new_key`), the new key will be automatically saved to ~/.upkuajing/.env
Wait for user selection;
Confidence
93% confidence
Finding
.env

Credential Access

High
Category
Privilege Escalation
Content
First check if the `~/.upkuajing/.env` file has UPKUAJING_API_KEY;
If UPKUAJING_API_KEY is not set, prompt the user to choose:
1. User has one: User provides it (manually add to ~/.upkuajing/.env file)
2. User doesn't have one: You can apply using the interface (`auth.py --new_key`), the new key will be automatically saved to ~/.upkuajing/.env
Wait for user selection;

### **Account Top-up**
Confidence
93% confidence
Finding
.env

Credential Access

High
Category
Privilege Escalation
Content
env_file = UPKUAJING_ENV_FILE

    if env_file.exists():
        # 读取现有的 .env 文件
        try:
            with open(env_file, 'r', encoding='utf-8') as f:
                content = f.read()
Confidence
80% confidence
Finding
.env

Credential Access

High
Category
Privilege Escalation
Content
"envFilePath": str(env_file)
        }

    # 保存到 .env 文件
    try:
        with open(env_file, 'w', encoding='utf-8') as f:
            f.write(f"{API_KEY_ENV}={api_key}\n")
Confidence
96% confidence
Finding
.env

Unpinned Dependencies

Low
Category
Supply Chain
Content
httpx>=0.23.0
Confidence
90% confidence
Finding
httpx>=0.23.0

Unsafe Defaults

Medium
Category
Tool Misuse
Content
pass  # 如果读取失败,继续执行

    # 不需要认证申请新密钥
    response = make_request('/agent/auth/create', {}, require_auth=False)

    # 检查是否申请成功
    if response.get('code') != 0:
Confidence
88% confidence
Finding
auth=False

Unsafe Defaults

Medium
Category
Tool Misuse
Content
pass  # 如果读取失败,继续执行

    # 不需要认证申请新密钥
    response = make_request('/agent/auth/create', {}, require_auth=False)

    # 检查是否申请成功
    if response.get('code') != 0:
Confidence
88% confidence
Finding
require_auth=False

VirusTotal

VirusTotal findings are pending for this skill version.

View on VirusTotal

Static analysis

Detected: suspicious.exposed_secret_literal

File appears to expose a hardcoded API secret or token.

Critical
Code
suspicious.exposed_secret_literal
Location
scripts/common.py:196

File appears to expose a hardcoded API secret or token.

Critical
Code
suspicious.exposed_secret_literal
Location
SKILL.md:60