Back to skill

Security audit

全球公司搜索,按名称、行业、产品与 URL 从全球公司数据库找公司。帮助出口商、销售团队与 B2B线索构建者发掘全球公司、研究目标市场、丰富企业画像数据——适合客户开发、市场调研、供应商寻源与跨国线索生成。

Security checks across malware telemetry and agentic risk

Overview

The skill is mostly a disclosed paid company-search integration, but it handles API credentials and local persistent state in ways users should review before installing.

Review this skill before installing if you are comfortable with a paid third-party company-data API storing its key in ~/.upkuajing/.env, creating recharge payment links when you approve, and returning business contact data. Do not let the agent print the API key; prefer checking whether the key exists, restrict the .env file permissions, and use returned contact data only in compliance with privacy, marketing, and anti-spam rules.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
  • Privilege EscalationExcessive Permissions, Sudo/Root Execution, Credential Access
  • Supply ChainUnpinned Dependencies, External Script Fetching, Obfuscated Code
  • Excessive AgencyUnrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • MCP Least PrivilegeUnderdeclared Capability, Wildcard Permission, Missing Permission Declaration
Findings (11)

Lp3

Medium
Category
MCP Least Privilege
Confidence
90% confidence
Finding
The skill declares no explicit permissions, yet its documented behavior includes reading environment variables, reading and writing files under the user's home directory, and making network calls to external APIs. This is dangerous because users and orchestration systems may grant trust based on the declared purpose while the skill performs additional sensitive operations that should be explicitly disclosed and permission-gated.

Tp4

High
Category
MCP Tool Poisoning
Confidence
93% confidence
Finding
The published description says the skill searches a company database, but the documentation also instructs the agent to create API keys, inspect account information, create recharge orders, fetch pricing, and cache version data locally. That mismatch is risky because it expands from search into credential lifecycle and billing/account actions, increasing the chance of unauthorized financial or account-impacting operations under a misleadingly narrow description.

Context-Inappropriate Capability

Medium
Confidence
88% confidence
Finding
This code introduces outbound network access to a remote endpoint solely to perform update/version checks, which is unrelated to the stated company-search function of the skill. Even if intended as routine maintenance, it expands the attack surface by enabling unsolicited network communication, leaking skill usage metadata, and creating a trust dependency on a server response outside the core business logic.

Context-Inappropriate Capability

Medium
Confidence
83% confidence
Finding
The module persists update-tracking data under the user's home directory, which is outside the documented purpose of the skill and creates undeclared local state. While the data stored here is limited, persistent writes can surprise users, leave forensic artifacts about skill execution, and combine with network update logic to create undisclosed telemetry/statefulness.

Missing User Warnings

Medium
Confidence
89% confidence
Finding
The documentation explicitly exposes search filters for phone, email, website, WhatsApp, social accounts, valid contact status, and whether core member contact information exists, but provides no privacy, consent, or acceptable-use warning. In a lead-generation and supplier discovery skill, this materially increases the risk of privacy-invasive prospecting, employee targeting, and misuse of personal or semi-personal business contact data.

Missing User Warnings

Medium
Confidence
93% confidence
Finding
The field `person_contact_show` indicates the API may return an employee/core member contact detail, yet the reference omits any warning that this may expose personal contact information. Because the skill is designed to help users find target companies and potential partners, undocumented access to staff contact data is especially sensitive and can facilitate direct targeting, spam, or social-engineering against individuals.

Missing User Warnings

Medium
Confidence
88% confidence
Finding
The code automatically persists a newly issued API key to a local .env file without explicit confirmation, secure storage controls, or permission hardening. This increases the chance of credential exposure through local file disclosure, backup sync, accidental inclusion in archives, or other tools that load .env files automatically.

Credential Access

High
Category
Privilege Escalation
Content
### **未设置API密钥**
请先检查 `~/.upkuajing/.env` 文件是否有 UPKUAJING_API_KEY;
如果未设置 UPKUAJING_API_KEY API密钥,请提示并让用户选择:
1. 用户有,由用户提供(手动添加到 ~/.upkuajing/.env 文件)
2. 用户没有,你可使用接口进行申请(`auth.py --new_key`),申请到新密钥后,会自动保存到 ~/.upkuajing/.env
等待用户选择;
Confidence
94% confidence
Finding
.env

Credential Access

High
Category
Privilege Escalation
Content
请先检查 `~/.upkuajing/.env` 文件是否有 UPKUAJING_API_KEY;
如果未设置 UPKUAJING_API_KEY API密钥,请提示并让用户选择:
1. 用户有,由用户提供(手动添加到 ~/.upkuajing/.env 文件)
2. 用户没有,你可使用接口进行申请(`auth.py --new_key`),申请到新密钥后,会自动保存到 ~/.upkuajing/.env
等待用户选择;

### **账户充值**
Confidence
95% confidence
Finding
.env

Credential Access

High
Category
Privilege Escalation
Content
"envFilePath": str(env_file)
        }

    # 保存到 .env 文件
    try:
        with open(env_file, 'w', encoding='utf-8') as f:
            f.write(f"{API_KEY_ENV}={api_key}\n")
Confidence
84% confidence
Finding
.env

Unpinned Dependencies

Low
Category
Supply Chain
Content
httpx>=0.23.0
Confidence
94% confidence
Finding
httpx>=0.23.0

VirusTotal

64/64 vendors flagged this skill as clean.

View on VirusTotal

Static analysis

Detected: suspicious.exposed_secret_literal

File appears to expose a hardcoded API secret or token.

Critical
Code
suspicious.exposed_secret_literal
Location
scripts/common.py:196