Back to skill

Security audit

UpKuaJing LinkedIn person work experience query, access employment history with company names, job titles, and dates from LinkedIn data by person ID. UpKuaJing helps recruiters, hiring managers, and sales teams verify career histories, assess professional experience, and qualify candidates — perfect for candidate screening, background checks, and talent acquisition.

Security checks across malware telemetry and agentic risk

Overview

This is a paid UpKuaJing LinkedIn work-history lookup skill with disclosed API key, pricing, and top-up helpers, but users should understand the plaintext key storage and paid API behavior before installing.

Install only if you are comfortable sending person IDs to UpKuaJing's paid API and storing the API key in ~/.upkuajing/.env. Review fee prompts carefully, do not let an agent run billable queries without your explicit approval, and protect or remove the local .env file when no longer needed.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Privilege EscalationExcessive Permissions, Sudo/Root Execution, Credential Access
  • Supply ChainUnpinned Dependencies, External Script Fetching, Obfuscated Code
  • Excessive AgencyUnrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • MCP Least PrivilegeUnderdeclared Capability, Wildcard Permission, Missing Permission Declaration
  • MCP Tool PoisoningHidden Instructions, Unicode Deception, Parameter Description Injection
Findings (11)

Lp3

Medium
Category
MCP Least Privilege
Confidence
93% confidence
Finding
The skill declares no explicit permissions, yet its documented behavior requires reading environment variables, reading and writing files under ~/.upkuajing, and making network requests. This hidden capability expansion weakens user understanding and policy enforcement, increasing the risk that sensitive operations occur without informed consent or proper sandboxing.

Tp4

High
Category
MCP Tool Poisoning
Confidence
96% confidence
Finding
The skill is presented as a simple LinkedIn work-experience query tool, but the documentation reveals additional behaviors including API key application/storage, account inspection, payment order creation, pricing queries, and local version-cache activity. This mismatch is dangerous because users may authorize a low-risk data lookup tool without realizing it can touch credentials, billing flows, and local state.

Description-Behavior Mismatch

High
Confidence
91% confidence
Finding
The file implements account management, API key provisioning, balance lookup, recharge order creation, and pricing operations that materially exceed the stated purpose of a read-only LinkedIn work-experience query skill. In agent ecosystems, scope expansion is dangerous because it introduces billing and credential-management capabilities a user would not reasonably expect, increasing the chance of unauthorized charges, data exposure, or misuse if invoked by an agent or wrapper unexpectedly.

Context-Inappropriate Capability

High
Confidence
95% confidence
Finding
Creating recharge/payment orders is a financial capability unrelated to the declared data-query function of the skill. In a user-facing or agent-triggered context, such hidden billing functionality can enable unauthorized purchase flows or social-engineering style abuse, especially when users expect only a read-only LinkedIn experience lookup.

Context-Inappropriate Capability

Medium
Confidence
89% confidence
Finding
The skill provisions a platform API key and persists it locally in a .env file, which is outside the declared purpose of querying work history. Embedding credential lifecycle management in an unrelated skill broadens attack surface and can expose secrets through local filesystem access, accidental inclusion in logs, backups, or repository uploads.

Description-Behavior Mismatch

Medium
Confidence
93% confidence
Finding
This module adds outbound network access and persistent local cache writes that are unrelated to the skill’s declared purpose of querying LinkedIn work history. Even if intended for maintenance, hidden side-effecting behavior expands the trust boundary, can leak environment-derived metadata such as installed skill names and usage timing, and creates an unexpected execution path users did not request.

Context-Inappropriate Capability

Medium
Confidence
91% confidence
Finding
A self-update/version-check feature inside a data-query skill is not justified by the stated functionality and introduces unsolicited communication with a remote service. This can be abused for tracking, silent behavior changes, or supply-chain style trust expansion because the skill establishes an updater-like control channel outside its core business logic.

Credential Access

High
Category
Privilege Escalation
Content
### **API Key Not Set**
First check if the `~/.upkuajing/.env` file has UPKUAJING_API_KEY;
If UPKUAJING_API_KEY is not set, prompt the user to choose:
1. User has one: User provides it (manually add to ~/.upkuajing/.env file)
2. User doesn't have one: You can apply using the interface (`auth.py --new_key`), the new key will be automatically saved to ~/.upkuajing/.env
Wait for user selection;
Confidence
95% confidence
Finding
.env

Credential Access

High
Category
Privilege Escalation
Content
First check if the `~/.upkuajing/.env` file has UPKUAJING_API_KEY;
If UPKUAJING_API_KEY is not set, prompt the user to choose:
1. User has one: User provides it (manually add to ~/.upkuajing/.env file)
2. User doesn't have one: You can apply using the interface (`auth.py --new_key`), the new key will be automatically saved to ~/.upkuajing/.env
Wait for user selection;

### **Account Top-up**
Confidence
94% confidence
Finding
.env

Credential Access

High
Category
Privilege Escalation
Content
"envFilePath": str(env_file)
        }

    # 保存到 .env 文件
    try:
        with open(env_file, 'w', encoding='utf-8') as f:
            f.write(f"{API_KEY_ENV}={api_key}\n")
Confidence
86% confidence
Finding
.env

Unpinned Dependencies

Low
Category
Supply Chain
Content
httpx>=0.23.0
Confidence
90% confidence
Finding
httpx>=0.23.0

VirusTotal

65/65 vendors flagged this skill as clean.

View on VirusTotal

Static analysis

Detected: suspicious.exposed_secret_literal

File appears to expose a hardcoded API secret or token.

Critical
Code
suspicious.exposed_secret_literal
Location
scripts/common.py:196

File appears to expose a hardcoded API secret or token.

Critical
Code
suspicious.exposed_secret_literal
Location
SKILL.md:61