Back to skill

Security audit

LinkedIn 校友查询工具,通过企业ID和人员ID在LinkedIn数据中查找校友关联。帮助招聘人员、销售团队和B2B拓客人员发现校友网络、追踪教育背景关联,扩展联系人列表 — 适合人才搜寻、校友网络研究和潜客开发。

Security checks across malware telemetry and agentic risk

Overview

The skill is a disclosed paid UpKuaJing LinkedIn alumni lookup helper, but users should understand its API-key, billing, and local plaintext storage behavior before installing.

Install only if you are comfortable using UpKuaJing's paid API, letting the skill contact UpKuaJing services, and storing the API key in ~/.upkuajing/.env as plaintext. Confirm costs before queries or top-up actions, and consider using a dedicated API key you can revoke.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Privilege EscalationExcessive Permissions, Sudo/Root Execution, Credential Access
  • Supply ChainUnpinned Dependencies, External Script Fetching, Obfuscated Code
  • Excessive AgencyUnrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • MCP Least PrivilegeUnderdeclared Capability, Wildcard Permission, Missing Permission Declaration
  • MCP Tool PoisoningHidden Instructions, Unicode Deception, Parameter Description Injection
Findings (14)

Lp3

Medium
Category
MCP Least Privilege
Confidence
89% confidence
Finding
The skill declares only metadata requirements but omits explicit permissions while instructing the agent to read local credential files, write API keys to ~/.upkuajing/.env, and make network requests. This hidden capability expansion increases the chance that a user or platform will authorize behavior they did not reasonably expect from an alumni lookup skill.

Tp4

High
Category
MCP Tool Poisoning
Confidence
95% confidence
Finding
The documented purpose is a LinkedIn alumni query, but the skill also performs account lifecycle and billing actions: reading/writing credentials, issuing new API keys, retrieving account info, checking pricing, and creating recharge orders with payment URLs. That mismatch is dangerous because it broadens the operational scope into sensitive credential and payment workflows that users may not anticipate when invoking a data-query skill.

Description-Behavior Mismatch

High
Confidence
97% confidence
Finding
The file implements an authentication and account-management workflow for a third-party platform, which materially diverges from the declared purpose of a LinkedIn alumni lookup skill. Capability mismatch is dangerous because users or orchestrators may grant trust, permissions, or execution based on the advertised skill purpose while the code performs unrelated credential and billing operations.

Context-Inappropriate Capability

High
Confidence
96% confidence
Finding
The script exposes recharge-order creation, account information retrieval, and pricing queries, which are unrelated to alumni search and can trigger financial or account-management side effects. In a skill expected only to query LinkedIn alumni data, these extra capabilities increase the attack surface and create risk of unauthorized purchases, account enumeration, or misuse of a linked billing account.

Context-Inappropriate Capability

Medium
Confidence
94% confidence
Finding
The code can request a new API key and persist it locally, which exceeds the declared read/query purpose of the skill. Unscoped credential issuance and storage inside an unrelated skill make secret lifecycle harder to audit and may let an unexpected execution path provision reusable access credentials.

Description-Behavior Mismatch

Medium
Confidence
92% confidence
Finding
This module performs outbound network communication and writes persistent data under the user's home directory even though the skill's declared purpose is querying LinkedIn alumni data. That creates undeclared telemetry and local state side effects, which expand the trust boundary and can leak usage metadata or enable tracking if the configured API base URL is untrusted or compromised.

Context-Inappropriate Capability

Medium
Confidence
89% confidence
Finding
The code contains self-update/version-check logic that is unrelated to the alumni-list query function, causing hidden network behavior during normal operation. Even though it only appears to fetch version metadata, this still sends skill-identifying information to a remote service and introduces an unnecessary communication channel that could be abused for telemetry or future update-driven behavior.

Missing User Warnings

Medium
Confidence
92% confidence
Finding
When API logging is enabled, the code writes full request parameters and full response bodies to local log files under the user's home directory. Those payloads may contain personal data, search criteria, identifiers, or even secrets returned by the API, and the logging happens without any consent prompt, sanitization, retention policy, or file-permission hardening.

Credential Access

High
Category
Privilege Escalation
Content
### **API Key Not Set**
First check if the `~/.upkuajing/.env` file has UPKUAJING_API_KEY;
If UPKUAJING_API_KEY is not set, prompt the user to choose:
1. User has one: User provides it (manually add to ~/.upkuajing/.env file)
2. User doesn't have one: You can apply using the interface (`auth.py --new_key`), the new key will be automatically saved to ~/.upkuajing/.env
Wait for user selection;
Confidence
96% confidence
Finding
.env

Credential Access

High
Category
Privilege Escalation
Content
First check if the `~/.upkuajing/.env` file has UPKUAJING_API_KEY;
If UPKUAJING_API_KEY is not set, prompt the user to choose:
1. User has one: User provides it (manually add to ~/.upkuajing/.env file)
2. User doesn't have one: You can apply using the interface (`auth.py --new_key`), the new key will be automatically saved to ~/.upkuajing/.env
Wait for user selection;

### **Account Top-up**
Confidence
95% confidence
Finding
.env

Credential Access

High
Category
Privilege Escalation
Content
"""
    申请新的 API 密钥。
    """
    # 检查是否已存在 .env 文件和 API key
    env_file = UPKUAJING_ENV_FILE

    if env_file.exists():
Confidence
85% confidence
Finding
.env

Credential Access

High
Category
Privilege Escalation
Content
env_file = UPKUAJING_ENV_FILE

    if env_file.exists():
        # 读取现有的 .env 文件
        try:
            with open(env_file, 'r', encoding='utf-8') as f:
                content = f.read()
Confidence
88% confidence
Finding
.env

Credential Access

High
Category
Privilege Escalation
Content
"envFilePath": str(env_file)
        }

    # 保存到 .env 文件
    try:
        with open(env_file, 'w', encoding='utf-8') as f:
            f.write(f"{API_KEY_ENV}={api_key}\n")
Confidence
93% confidence
Finding
.env

Unpinned Dependencies

Low
Category
Supply Chain
Content
httpx>=0.23.0
Confidence
94% confidence
Finding
httpx>=0.23.0

VirusTotal

58/58 vendors flagged this skill as clean.

View on VirusTotal

Static analysis

Detected: suspicious.exposed_secret_literal

File appears to expose a hardcoded API secret or token.

Critical
Code
suspicious.exposed_secret_literal
Location
scripts/common.py:196

File appears to expose a hardcoded API secret or token.

Critical
Code
suspicious.exposed_secret_literal
Location
SKILL.md:61