Back to skill

Security audit

LinkedIn 同事查询工具,通过企业ID和人员ID在LinkedIn数据中查找同事和团队成员。帮助招聘人员、销售团队和B2B拓客人员发现团队网络、梳理组织关系、扩展联系人列表 — 适合人脉扩展、背景调查和客户情报分析。

Security checks across malware telemetry and agentic risk

Overview

This appears to be a legitimate paid UpKuaJing LinkedIn colleague lookup skill, with disclosed API-key and billing support, but users should treat its local credential file carefully.

Install only if you intend to use the paid UpKuaJing API for LinkedIn-derived colleague data. Protect ~/.upkuajing/.env like a password file, avoid committing or sharing it, confirm fees before running queries or creating top-up orders, and be aware that the scripts may check for skill updates and store a local cache under ~/.upkuajing.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
  • Privilege EscalationExcessive Permissions, Sudo/Root Execution, Credential Access
  • Supply ChainUnpinned Dependencies, External Script Fetching, Obfuscated Code
  • Excessive AgencyUnrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • Tool MisuseTool Parameter Abuse, Chaining Abuse, Unsafe Defaults
Findings (14)

Lp3

Medium
Category
MCP Least Privilege
Confidence
88% confidence
Finding
The skill declares no explicit permissions while instructing use of environment variables, local file reads/writes to ~/.upkuajing/.env, and network/API access. This creates a transparency and consent problem: an agent or user may assume the skill is low-risk while it actually has broader capabilities, including credential handling and persistent local state changes.

Tp4

High
Category
MCP Tool Poisoning
Confidence
94% confidence
Finding
The advertised function is a colleague lookup, but the skill also covers API key creation, account inspection, recharge ordering, price queries, and version-cache behavior. This mismatch is dangerous because it expands the operational and financial attack surface beyond user expectations, enabling credential lifecycle actions and billable account operations under a seemingly simple data-query skill.

Description-Behavior Mismatch

High
Confidence
96% confidence
Finding
The file implements API key issuance, account lookup, recharge order creation, and pricing queries for an unrelated third-party platform, which materially exceeds the stated purpose of a LinkedIn colleague lookup skill. This scope mismatch is dangerous because users or orchestrators may invoke the skill expecting limited read-only LinkedIn functionality, while the bundled code can initiate billing-related actions and manage credentials.

Context-Inappropriate Capability

High
Confidence
95% confidence
Finding
The CLI exposes recharge-order creation and pricing operations that are not proportional to the advertised purpose of querying colleague data. In an agent environment, hidden monetization or billing actions increase the risk of unauthorized financial operations, especially when users assume the skill is informational and low-risk.

Intent-Code Divergence

Medium
Confidence
90% confidence
Finding
The module docstring identifies the code as cross-border platform authentication management rather than LinkedIn colleague retrieval, indicating deceptive or at least materially misleading packaging. Mislabeling reduces operator awareness and can cause unsafe trust decisions, making other risky behaviors in the file more dangerous in context.

Context-Inappropriate Capability

Medium
Confidence
87% confidence
Finding
This module introduces outbound network access and persistent local file writes for version checking, which are unrelated to the skill’s stated LinkedIn colleague-query functionality. Even if intended for maintenance, this expands the skill’s privilege surface and creates undisclosed telemetry behavior that could be abused if the API base URL is attacker-controlled or if users do not expect side-effecting network activity.

Missing User Warnings

Low
Confidence
80% confidence
Finding
The version check posts the skill name to a remote API without any disclosure in this file or obvious user consent mechanism. While the data sent is limited, this is still undisclosed outbound metadata transmission and can violate privacy or policy expectations, especially in a skill whose declared purpose is only LinkedIn data retrieval.

Credential Access

High
Category
Privilege Escalation
Content
### **API Key Not Set**
First check if the `~/.upkuajing/.env` file has UPKUAJING_API_KEY;
If UPKUAJING_API_KEY is not set, prompt the user to choose:
1. User has one: User provides it (manually add to ~/.upkuajing/.env file)
2. User doesn't have one: You can apply using the interface (`auth.py --new_key`), the new key will be automatically saved to ~/.upkuajing/.env
Wait for user selection;
Confidence
97% confidence
Finding
.env

Credential Access

High
Category
Privilege Escalation
Content
First check if the `~/.upkuajing/.env` file has UPKUAJING_API_KEY;
If UPKUAJING_API_KEY is not set, prompt the user to choose:
1. User has one: User provides it (manually add to ~/.upkuajing/.env file)
2. User doesn't have one: You can apply using the interface (`auth.py --new_key`), the new key will be automatically saved to ~/.upkuajing/.env
Wait for user selection;

### **Account Top-up**
Confidence
97% confidence
Finding
.env

Credential Access

High
Category
Privilege Escalation
Content
"envFilePath": str(env_file)
        }

    # 保存到 .env 文件
    try:
        with open(env_file, 'w', encoding='utf-8') as f:
            f.write(f"{API_KEY_ENV}={api_key}\n")
Confidence
88% confidence
Finding
.env

Credential Access

High
Category
Privilege Escalation
Content
except IOError as e:
        return {
            "success": False,
            "message": f"API密钥申请成功,但保存到 .env 文件失败:{str(e)}。\n请手动设置环境变量 {API_KEY_ENV}。",
            "envFilePath": str(env_file)
        }
Confidence
84% confidence
Finding
.env

Unpinned Dependencies

Low
Category
Supply Chain
Content
httpx>=0.23.0
Confidence
93% confidence
Finding
httpx>=0.23.0

Unsafe Defaults

Medium
Category
Tool Misuse
Content
pass  # 如果读取失败,继续执行

    # 不需要认证申请新密钥
    response = make_request('/agent/auth/create', {}, require_auth=False)

    # 检查是否申请成功
    if response.get('code') != 0:
Confidence
87% confidence
Finding
auth=False

Unsafe Defaults

Medium
Category
Tool Misuse
Content
pass  # 如果读取失败,继续执行

    # 不需要认证申请新密钥
    response = make_request('/agent/auth/create', {}, require_auth=False)

    # 检查是否申请成功
    if response.get('code') != 0:
Confidence
87% confidence
Finding
require_auth=False

VirusTotal

65/65 vendors flagged this skill as clean.

View on VirusTotal

Static analysis

Detected: suspicious.exposed_secret_literal

File appears to expose a hardcoded API secret or token.

Critical
Code
suspicious.exposed_secret_literal
Location
scripts/common.py:196

File appears to expose a hardcoded API secret or token.

Critical
Code
suspicious.exposed_secret_literal
Location
SKILL.md:60