Back to skill

Security audit

LinkedIn colleague query, find colleagues and team members by company ID and person ID from LinkedIn data. UpKuaJing helps recruiters, sales teams, and B2B lead builders discover team networks, map organizational relationships, and expand contact lists — perfect for network expansion, reference research, and account intelligence.

Security checks across malware telemetry and agentic risk

Overview

This is a disclosed paid UpKuaJing LinkedIn lookup skill, but users should handle its local API key file and billing helpers carefully.

Install only if you trust UpKuaJing with the LinkedIn/company-person lookups you run and are comfortable with paid API usage. Prefer setting UPKUAJING_API_KEY through a secure environment or secret store, do not print ~/.upkuajing/.env in shared logs or chats, review any top-up payment URL before paying, and keep API logging disabled unless you intentionally want local request and response records.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
  • Privilege EscalationExcessive Permissions, Sudo/Root Execution, Credential Access
  • Supply ChainUnpinned Dependencies, External Script Fetching, Obfuscated Code
  • Excessive AgencyUnrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • Tool MisuseTool Parameter Abuse, Chaining Abuse, Unsafe Defaults
Findings (13)

Lp3

Medium
Category
MCP Least Privilege
Confidence
93% confidence
Finding
The skill declares no explicit permissions, yet its documented behavior clearly involves reading environment variables, accessing local files under ~/.upkuajing, writing secrets to disk, and making network requests. This mismatch undermines least-privilege review and can cause an operator or agent to approve a skill without understanding that it handles credentials and performs external actions.

Tp4

High
Category
MCP Tool Poisoning
Confidence
96% confidence
Finding
The skill is presented as a simple LinkedIn colleague lookup, but the instructions also authorize account creation, API key management, balance checks, pricing lookups, payment-order creation, and remote version checks with local caching. That broader behavior increases the attack surface materially because a user invoking a data-query skill may unknowingly permit credential handling, billing actions, and extra network activity beyond the stated purpose.

Context-Inappropriate Capability

Medium
Confidence
92% confidence
Finding
The script exposes recharge-order creation and pricing enumeration features that are unrelated to the stated LinkedIn colleague-query purpose. This broadens the skill's operational scope into account and billing management, increasing the attack surface and enabling unintended financial actions if a user or agent invokes these commands.

Description-Behavior Mismatch

Medium
Confidence
95% confidence
Finding
The skill performs API key provisioning and writes credentials to local storage, which is materially broader than the manifest's stated purpose of querying colleague lists. Hidden credential-management behavior is risky because users may run a data-query skill without realizing it can create, store, and manage long-lived secrets on disk.

Context-Inappropriate Capability

Medium
Confidence
92% confidence
Finding
This module introduces outbound network access and persistent local caching that are not necessary for the stated LinkedIn colleague-query function. Even though the code appears intended for benign update checking, hidden side-channel communications and filesystem writes expand the skill's attack surface, create an extra data egress path, and can surprise users or hosts that expect the skill to only query LinkedIn-related data. In this skill context, unrelated network behavior is more suspicious because the declared purpose is narrow and does not require self-updating or telemetry-like checks.

Missing User Warnings

Medium
Confidence
90% confidence
Finding
The skill instructs reading the API key by displaying the contents of ~/.upkuajing/.env with cat, which can expose the full secret in terminal output, logs, chat transcripts, or to the calling agent. In this context, the danger is elevated because the file contains a live API credential and the instructions provide no masking, redaction, or safer retrieval method.

Missing User Warnings

Medium
Confidence
88% confidence
Finding
The request/response logging helpers write full request parameters and full API responses to disk in ~/.upkuajing/logs when enabled, with no redaction layer. In this skill context, those payloads can contain LinkedIn-derived personal data, internal identifiers, and other sensitive business data, so enabling logging can create a local data exposure surface beyond the API call itself.

Credential Access

High
Category
Privilege Escalation
Content
### **API Key Not Set**
First check if the `~/.upkuajing/.env` file has UPKUAJING_API_KEY;
If UPKUAJING_API_KEY is not set, prompt the user to choose:
1. User has one: User provides it (manually add to ~/.upkuajing/.env file)
2. User doesn't have one: You can apply using the interface (`auth.py --new_key`), the new key will be automatically saved to ~/.upkuajing/.env
Wait for user selection;
Confidence
95% confidence
Finding
.env

Credential Access

High
Category
Privilege Escalation
Content
First check if the `~/.upkuajing/.env` file has UPKUAJING_API_KEY;
If UPKUAJING_API_KEY is not set, prompt the user to choose:
1. User has one: User provides it (manually add to ~/.upkuajing/.env file)
2. User doesn't have one: You can apply using the interface (`auth.py --new_key`), the new key will be automatically saved to ~/.upkuajing/.env
Wait for user selection;

### **Account Top-up**
Confidence
94% confidence
Finding
.env

Credential Access

High
Category
Privilege Escalation
Content
"envFilePath": str(env_file)
        }

    # 保存到 .env 文件
    try:
        with open(env_file, 'w', encoding='utf-8') as f:
            f.write(f"{API_KEY_ENV}={api_key}\n")
Confidence
96% confidence
Finding
.env

Unpinned Dependencies

Low
Category
Supply Chain
Content
httpx>=0.23.0
Confidence
95% confidence
Finding
httpx>=0.23.0

Unsafe Defaults

Medium
Category
Tool Misuse
Content
pass  # 如果读取失败,继续执行

    # 不需要认证申请新密钥
    response = make_request('/agent/auth/create', {}, require_auth=False)

    # 检查是否申请成功
    if response.get('code') != 0:
Confidence
90% confidence
Finding
auth=False

Unsafe Defaults

Medium
Category
Tool Misuse
Content
pass  # 如果读取失败,继续执行

    # 不需要认证申请新密钥
    response = make_request('/agent/auth/create', {}, require_auth=False)

    # 检查是否申请成功
    if response.get('code') != 0:
Confidence
90% confidence
Finding
require_auth=False

VirusTotal

55/55 vendors flagged this skill as clean.

View on VirusTotal

Static analysis

Detected: suspicious.exposed_secret_literal

File appears to expose a hardcoded API secret or token.

Critical
Code
suspicious.exposed_secret_literal
Location
scripts/common.py:196

File appears to expose a hardcoded API secret or token.

Critical
Code
suspicious.exposed_secret_literal
Location
SKILL.md:60