Back to skill

Security audit

UpKuaJing LinkedIn company employee query, access employee lists and job titles from LinkedIn data by company ID. UpKuaJing helps recruiters, sales teams, and B2B lead builders discover company hierarchies, verify team structures, and enrich contact data — perfect for talent research, organizational analysis, and lead qualification.

Security checks across malware telemetry and agentic risk

Overview

This paid UpKuaJing employee-lookup skill is broadly disclosed and purpose-aligned, but it stores an API key locally and includes account, billing, and version-check helpers users should treat carefully.

Install only if you intend to use UpKuaJing's paid API. Review fee prompts carefully, avoid running key-creation or top-up commands unless you requested them, and protect ~/.upkuajing/.env because it stores the API key in plaintext.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Privilege EscalationExcessive Permissions, Sudo/Root Execution, Credential Access
  • Supply ChainUnpinned Dependencies, External Script Fetching, Obfuscated Code
  • Excessive AgencyUnrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • Tool MisuseTool Parameter Abuse, Chaining Abuse, Unsafe Defaults
  • MCP Least PrivilegeUnderdeclared Capability, Wildcard Permission, Missing Permission Declaration
Findings (15)

Lp3

Medium
Category
MCP Least Privilege
Confidence
84% confidence
Finding
The skill declares only environment requirements in metadata, but the documented behavior includes reading and writing local files under ~/.upkuajing and making network calls to external APIs. This mismatch reduces transparency and prevents users or platforms from accurately assessing what the skill can access before use.

Tp4

High
Category
MCP Tool Poisoning
Confidence
94% confidence
Finding
The skill is presented as an employee-list query tool, but the instructions also enable account creation, balance lookup, pricing retrieval, payment order creation, and local credential/cache persistence. That expands the trust boundary from a read-only data query into credential management and billing operations, increasing the chance of unintended charges, account misuse, or sensitive data exposure.

Description-Behavior Mismatch

High
Confidence
96% confidence
Finding
This file implements credential issuance, account lookup, recharge-order creation, and pricing/billing operations even though the skill is described as a LinkedIn employee-list query tool. That scope mismatch increases supply-chain risk because installing or invoking the skill grants capabilities unrelated to the stated business purpose, including account and payment actions.

Context-Inappropriate Capability

High
Confidence
95% confidence
Finding
The CLI exposes account_info, new_rec_order, and price_info operations that enable billing and account-management behavior unrelated to employee retrieval. In the context of a data-query skill, these extra capabilities are dangerous because they can surprise users, expand attack surface, and enable unauthorized financial or account actions if the skill is invoked indirectly.

Context-Inappropriate Capability

High
Confidence
97% confidence
Finding
The new_key flow can create and persist a fresh API key, which is a credential-management capability not justified by the employee-query use case. Issuing credentials from within a broadly distributed skill increases the chance of unauthorized account creation, secret sprawl, and abuse of the upstream service.

Description-Behavior Mismatch

Medium
Confidence
91% confidence
Finding
This module performs outbound network communication and local version-tracking that are unrelated to the skill’s stated purpose of querying LinkedIn employee data. Even if intended for maintenance, it creates an additional telemetry/update-check channel that can disclose skill usage metadata and expands the attack surface through unsolicited external requests.

Context-Inappropriate Capability

Medium
Confidence
89% confidence
Finding
The code implements a self-update/version telemetry capability by posting the skill name to an external API and caching check results locally, which is not justified by the advertised employee-query functionality. Such hidden maintenance channels can leak operational metadata, surprise users, and be repurposed for tracking or control if the API base URL or upstream service is compromised.

Credential Access

High
Category
Privilege Escalation
Content
### **API Key Not Set**
First check if the `~/.upkuajing/.env` file has UPKUAJING_API_KEY;
If UPKUAJING_API_KEY is not set, prompt the user to choose:
1. User has one: User provides it (manually add to ~/.upkuajing/.env file)
2. User doesn't have one: You can apply using the interface (`auth.py --new_key`), the new key will be automatically saved to ~/.upkuajing/.env
Wait for user selection;
Confidence
92% confidence
Finding
.env

Credential Access

High
Category
Privilege Escalation
Content
First check if the `~/.upkuajing/.env` file has UPKUAJING_API_KEY;
If UPKUAJING_API_KEY is not set, prompt the user to choose:
1. User has one: User provides it (manually add to ~/.upkuajing/.env file)
2. User doesn't have one: You can apply using the interface (`auth.py --new_key`), the new key will be automatically saved to ~/.upkuajing/.env
Wait for user selection;

### **Account Top-up**
Confidence
90% confidence
Finding
.env

Credential Access

High
Category
Privilege Escalation
Content
"""
    申请新的 API 密钥。
    """
    # 检查是否已存在 .env 文件和 API key
    env_file = UPKUAJING_ENV_FILE

    if env_file.exists():
Confidence
83% confidence
Finding
.env

Credential Access

High
Category
Privilege Escalation
Content
env_file = UPKUAJING_ENV_FILE

    if env_file.exists():
        # 读取现有的 .env 文件
        try:
            with open(env_file, 'r', encoding='utf-8') as f:
                content = f.read()
Confidence
86% confidence
Finding
.env

Credential Access

High
Category
Privilege Escalation
Content
"envFilePath": str(env_file)
        }

    # 保存到 .env 文件
    try:
        with open(env_file, 'w', encoding='utf-8') as f:
            f.write(f"{API_KEY_ENV}={api_key}\n")
Confidence
91% confidence
Finding
.env

Unpinned Dependencies

Low
Category
Supply Chain
Content
httpx>=0.23.0
Confidence
90% confidence
Finding
httpx>=0.23.0

Unsafe Defaults

Medium
Category
Tool Misuse
Content
pass  # 如果读取失败,继续执行

    # 不需要认证申请新密钥
    response = make_request('/agent/auth/create', {}, require_auth=False)

    # 检查是否申请成功
    if response.get('code') != 0:
Confidence
90% confidence
Finding
auth=False

Unsafe Defaults

Medium
Category
Tool Misuse
Content
pass  # 如果读取失败,继续执行

    # 不需要认证申请新密钥
    response = make_request('/agent/auth/create', {}, require_auth=False)

    # 检查是否申请成功
    if response.get('code') != 0:
Confidence
90% confidence
Finding
require_auth=False

VirusTotal

59/59 vendors flagged this skill as clean.

View on VirusTotal

Static analysis

Detected: suspicious.exposed_secret_literal

File appears to expose a hardcoded API secret or token.

Critical
Code
suspicious.exposed_secret_literal
Location
scripts/common.py:196

File appears to expose a hardcoded API secret or token.

Critical
Code
suspicious.exposed_secret_literal
Location
SKILL.md:60