Back to skill

Security audit

LinkedIn 人员工作经历查询,按人员 ID 从 LinkedIn数据获取含公司名称、职位与起止日期的就业经历。帮助招聘人员、用人经理与销售团队核验职业履历、评估专业经验、筛选候选人——适合候选人筛选、背景调查与人才获取。

Security checks across malware telemetry and agentic risk

Overview

The skill performs the advertised LinkedIn work-history lookup, but it also handles API-key creation/storage, account billing actions, and an under-disclosed version check.

Install only if you trust the Upkuajing API provider and are comfortable with the agent reading and writing ~/.upkuajing files, storing an API key in plaintext, checking account balance/pricing, creating recharge orders when directed, and making an automatic version-check request. VirusTotal telemetry was clean and I did not find destructive code, but the account and persistence surface warrants review before use.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
  • Privilege EscalationExcessive Permissions, Sudo/Root Execution, Credential Access
  • Supply ChainUnpinned Dependencies, External Script Fetching, Obfuscated Code
  • Excessive AgencyUnrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • MCP Least PrivilegeUnderdeclared Capability, Wildcard Permission, Missing Permission Declaration
Findings (13)

Lp3

Medium
Category
MCP Least Privilege
Confidence
91% confidence
Finding
The skill declares no permissions, yet its documented behavior clearly requires network access, reading environment variables and local files, and writing to ~/.upkuajing/.env and cache/log directories. This creates a transparency and consent problem: operators may invoke a seemingly simple LinkedIn lookup skill without understanding it can access local secrets, modify filesystem state, and contact external services.

Tp4

High
Category
MCP Tool Poisoning
Confidence
96% confidence
Finding
The advertised purpose is limited to retrieving LinkedIn work experience, but the skill also instructs the agent to read local credential files, create and store API keys, inspect account state, create recharge orders, check pricing, and maintain local cache/log/version files. That behavior expansion is security-relevant because it mixes simple data retrieval with credential lifecycle management, billing actions, persistence, and additional network communication that users may not reasonably expect.

Description-Behavior Mismatch

High
Confidence
93% confidence
Finding
The script implements account registration, billing, recharge, and pricing functions that are outside the declared purpose of a LinkedIn experience lookup skill. This kind of scope mismatch increases supply-chain risk because users may execute unrelated account-management operations they did not expect when installing a data-retrieval skill.

Context-Inappropriate Capability

High
Confidence
92% confidence
Finding
Creating recharge orders is a financial operation unrelated to the stated business purpose of retrieving employment history. If exposed through an agent workflow, it could trigger unauthorized purchases or social-engineering-style misuse under the guise of a harmless lookup skill.

Context-Inappropriate Capability

Medium
Confidence
84% confidence
Finding
The code can request a new API key and persist it locally, which exceeds the minimum privilege expected for a profile lookup skill. That broad capability can expand the blast radius by provisioning credentials on disk that may later be abused by other local processes or users.

Context-Inappropriate Capability

Medium
Confidence
87% confidence
Finding
Account balance and pricing queries are not directly required to retrieve LinkedIn employment history and indicate overbroad functionality. While less severe than payment creation, they expose extra business/account metadata and can normalize unnecessary access in a narrowly described skill.

Description-Behavior Mismatch

Medium
Confidence
88% confidence
Finding
The module performs outbound network access to a remote version API and writes persistent state under the user's home directory, but this behavior is unrelated to the stated LinkedIn experience retrieval/analysis purpose of the skill. That creates an unnecessary side effect and privacy/supply-chain surface: simply using the skill can disclose installed skill metadata and modify local state without clear user consent or a functional need tied to the advertised capability.

Context-Inappropriate Capability

Medium
Confidence
84% confidence
Finding
The code adds a self-update check capability that is outside the business purpose described for the skill. Even though it does not directly download or execute updates, hidden update-related telemetry and remote dependency behavior increase attack surface and can be abused if the API base URL or backend is compromised.

Missing User Warnings

Low
Confidence
77% confidence
Finding
The HTTP request sends the skill name to a remote service without any explicit user-facing notice in this module. While the data sent is limited, the undisclosed transmission can reveal installed capabilities or usage context and is unnecessary for the advertised LinkedIn analysis function.

Credential Access

High
Category
Privilege Escalation
Content
### **未设置API密钥**
请先检查 `~/.upkuajing/.env` 文件是否有 UPKUAJING_API_KEY;
如果未设置 UPKUAJING_API_KEY API密钥,请提示并让用户选择:
1. 用户有,由用户提供(手动添加到 ~/.upkuajing/.env 文件)
2. 用户没有,你可使用接口进行申请(`auth.py --new_key`),申请到新密钥后,会自动保存到 ~/.upkuajing/.env
等待用户选择;
Confidence
94% confidence
Finding
.env

Credential Access

High
Category
Privilege Escalation
Content
请先检查 `~/.upkuajing/.env` 文件是否有 UPKUAJING_API_KEY;
如果未设置 UPKUAJING_API_KEY API密钥,请提示并让用户选择:
1. 用户有,由用户提供(手动添加到 ~/.upkuajing/.env 文件)
2. 用户没有,你可使用接口进行申请(`auth.py --new_key`),申请到新密钥后,会自动保存到 ~/.upkuajing/.env
等待用户选择;

### **账户充值**
Confidence
93% confidence
Finding
.env

Credential Access

High
Category
Privilege Escalation
Content
"envFilePath": str(env_file)
        }

    # 保存到 .env 文件
    try:
        with open(env_file, 'w', encoding='utf-8') as f:
            f.write(f"{API_KEY_ENV}={api_key}\n")
Confidence
95% confidence
Finding
.env

Unpinned Dependencies

Low
Category
Supply Chain
Content
httpx>=0.23.0
Confidence
94% confidence
Finding
httpx>=0.23.0

VirusTotal

62/62 vendors flagged this skill as clean.

View on VirusTotal

Static analysis

Detected: suspicious.exposed_secret_literal

File appears to expose a hardcoded API secret or token.

Critical
Code
suspicious.exposed_secret_literal
Location
scripts/common.py:196