Back to skill

Security audit

UpKuaJing LinkedIn person education query, access education history with schools, degrees, majors, and GPAs from LinkedIn data by person ID. UpKuaJing helps recruiters, HR teams, and hiring managers verify academic backgrounds, assess candidate qualifications, and make informed hiring decisions — perfect for candidate screening, background verification, and talent evaluation.

Security checks across malware telemetry and agentic risk

Overview

This skill mostly matches a paid LinkedIn education lookup service, but it also handles plaintext API keys, account billing actions, and persistent local files in ways users should review carefully.

Install only if you are comfortable with a paid third-party service that queries LinkedIn-derived personal education data, stores an API key in a plaintext home-directory file, and can create account top-up orders. Use it with explicit user confirmation for paid calls, avoid shared machines, protect or delete ~/.upkuajing/.env when done, and ensure you have a lawful and authorized basis for any profile lookup.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
  • Privilege EscalationExcessive Permissions, Sudo/Root Execution, Credential Access
  • Supply ChainUnpinned Dependencies, External Script Fetching, Obfuscated Code
  • Excessive AgencyUnrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • MCP Least PrivilegeUnderdeclared Capability, Wildcard Permission, Missing Permission Declaration
Findings (21)

Lp3

Medium
Category
MCP Least Privilege
Confidence
92% confidence
Finding
The skill declares only metadata/requires fields but omits an explicit permissions model despite instructing use of environment variables, local file reads/writes to ~/.upkuajing/.env, and remote API/network operations. This weakens informed consent and review because operators may believe the skill only performs a simple education lookup when it can also access credentials and persist data locally.

Tp4

High
Category
MCP Tool Poisoning
Confidence
96% confidence
Finding
The documented purpose is a narrowly scoped LinkedIn education query, but the skill also includes account provisioning, key persistence, account/balance retrieval, recharge order creation, pricing queries, and version/cache behavior. That mismatch is dangerous because users may invoke a seemingly read-only data lookup skill without expecting credential handling, payment-related actions, or additional remote/network activity.

Description-Behavior Mismatch

High
Confidence
97% confidence
Finding
The file implements authentication provisioning, account inspection, and recharge-related operations that are unrelated to the declared skill purpose of querying LinkedIn education history. This kind of scope expansion increases the attack surface and can enable unauthorized account management or monetization flows from a skill that users would reasonably expect to be read-only.

Description-Behavior Mismatch

High
Confidence
98% confidence
Finding
The exposed CLI actions include account_info, new_rec_order, and price_info, which go beyond the stated behavior of returning education history. In a skill ecosystem, hidden or undeclared operational features are dangerous because they can trigger financial/account actions under the guise of a benign data lookup tool.

Context-Inappropriate Capability

High
Confidence
98% confidence
Finding
Creating recharge orders is a payment capability with direct financial implications, yet it is embedded in a skill whose stated purpose is data retrieval. If invoked unexpectedly or by a compromised workflow, it could initiate unwanted payment flows or facilitate abuse of the linked account.

Context-Inappropriate Capability

Medium
Confidence
93% confidence
Finding
The skill reads an API key from both process environment variables and a user home-directory ~/.upkuajing/.env file, which expands its access beyond the minimum needed for a simple education-history query. Even though it appears intended for normal configuration, reading from broad local sources increases exposure to locally stored secrets and violates least-privilege expectations for a narrowly scoped skill.

Context-Inappropriate Capability

Medium
Confidence
94% confidence
Finding
The code can persist API request data, response data, and task results to local disk, adding a storage capability not obviously required for a straightforward query skill. This creates unnecessary retention of potentially sensitive LinkedIn-derived personal data and expands the blast radius if the host is shared or later compromised.

Context-Inappropriate Capability

Medium
Confidence
91% confidence
Finding
The module performs outbound network access and writes a persistent cache under the user's home directory even though the skill's declared purpose is only querying LinkedIn education history. This expands the skill's capabilities beyond user expectations, creates an undisclosed telemetry/update channel, and increases privacy and supply-chain risk if the configured API base URL is untrusted or later compromised.

Description-Behavior Mismatch

Medium
Confidence
89% confidence
Finding
The file adds functionality unrelated to the advertised skill behavior by contacting a remote service, parsing version metadata, writing a cache file, and printing upgrade notices. Even if intended for maintenance, hidden side behavior undermines least surprise and can facilitate covert data egress or remote influence over the runtime environment through update messaging.

Missing User Warnings

Medium
Confidence
87% confidence
Finding
The skill is designed to retrieve another person's education history, which is personal profile data, yet it provides no privacy warning, lawful-use guidance, or restrictions on misuse. In this context, the absence of privacy safeguards increases the risk of profiling, unauthorized background checks, or collection of personal data without appropriate notice or justification.

Missing User Warnings

Medium
Confidence
96% confidence
Finding
Request/response logging writes raw API parameters and responses to disk when enabled, and those values may contain sensitive personal data or account-related information. There is no user-facing disclosure, redaction, or access-control logic around these logs, so enabling the flag can silently create a privacy and data-exposure issue.

Missing User Warnings

Low
Confidence
72% confidence
Finding
The version check transmits the skill name to a remote endpoint without any disclosure in this file or obvious user consent flow. Although the data is low sensitivity, undisclosed outbound transmission is still a privacy and trust concern, especially in a skill whose stated function does not require network communication for updates.

Credential Access

High
Category
Privilege Escalation
Content
### **API Key Not Set**
First check if the `~/.upkuajing/.env` file has UPKUAJING_API_KEY;
If UPKUAJING_API_KEY is not set, prompt the user to choose:
1. User has one: User provides it (manually add to ~/.upkuajing/.env file)
2. User doesn't have one: You can apply using the interface (`auth.py --new_key`), the new key will be automatically saved to ~/.upkuajing/.env
Wait for user selection;
Confidence
89% confidence
Finding
.env

Credential Access

High
Category
Privilege Escalation
Content
First check if the `~/.upkuajing/.env` file has UPKUAJING_API_KEY;
If UPKUAJING_API_KEY is not set, prompt the user to choose:
1. User has one: User provides it (manually add to ~/.upkuajing/.env file)
2. User doesn't have one: You can apply using the interface (`auth.py --new_key`), the new key will be automatically saved to ~/.upkuajing/.env
Wait for user selection;

### **Account Top-up**
Confidence
88% confidence
Finding
.env

Credential Access

High
Category
Privilege Escalation
Content
env_file = UPKUAJING_ENV_FILE

    if env_file.exists():
        # 读取现有的 .env 文件
        try:
            with open(env_file, 'r', encoding='utf-8') as f:
                content = f.read()
Confidence
84% confidence
Finding
.env

Credential Access

High
Category
Privilege Escalation
Content
"envFilePath": str(env_file)
        }

    # 保存到 .env 文件
    try:
        with open(env_file, 'w', encoding='utf-8') as f:
            f.write(f"{API_KEY_ENV}={api_key}\n")
Confidence
88% confidence
Finding
.env

Credential Access

High
Category
Privilege Escalation
Content
API_BASE_URL = "https://openapi.upkuajing.com"
API_KEY_ENV = "UPKUAJING_API_KEY"
UPKUAJING_DIR = Path.home() / '.upkuajing'
UPKUAJING_ENV_FILE = UPKUAJING_DIR / '.env'
UPKUAJING_LOGS_DIR = UPKUAJING_DIR / 'logs'

# 日志开关
Confidence
91% confidence
Finding
.env'

Credential Access

High
Category
Privilege Escalation
Content
def load_env_file() -> Dict[str, str]:
    """
    从 ~/.upkuajing/.env 文件加载环境变量。

    Returns:
        环境变量字典
Confidence
89% confidence
Finding
.env

Credential Access

High
Category
Privilege Escalation
Content
def get_api_key() -> str:
    """
    获取API密钥,优先从环境变量,其次从 ~/.upkuajing/.env 文件。
    """
    # 优先从环境变量获取
    api_key = os.environ.get(API_KEY_ENV)
Confidence
90% confidence
Finding
.env

Credential Access

High
Category
Privilege Escalation
Content
# 优先从环境变量获取
    api_key = os.environ.get(API_KEY_ENV)

    # 如果环境变量没有,尝试从 ~/.upkuajing/.env 读取
    if not api_key:
        env_vars = load_env_file()
        api_key = env_vars.get(API_KEY_ENV)
Confidence
90% confidence
Finding
.env

Unpinned Dependencies

Low
Category
Supply Chain
Content
httpx>=0.23.0
Confidence
93% confidence
Finding
httpx>=0.23.0

VirusTotal

65/65 vendors flagged this skill as clean.

View on VirusTotal

Static analysis

Detected: suspicious.exposed_secret_literal

File appears to expose a hardcoded API secret or token.

Critical
Code
suspicious.exposed_secret_literal
Location
scripts/common.py:196

File appears to expose a hardcoded API secret or token.

Critical
Code
suspicious.exposed_secret_literal
Location
SKILL.md:58