Back to skill

Security audit

LinkedIn 人员搜索,按姓名、公司、职位与行业从 LinkedIn 数据找人。帮助招聘人员、销售团队与 B2B 线索构建者发掘 LinkedIn档案、寻源候选人、丰富联系数据——适合人才获取、猎头、候选人筛选与国际线索生成。

Security checks across malware telemetry and agentic risk

Overview

This is a disclosed paid LinkedIn people-search skill with expected API-key, billing, network, and local result-storage behavior, though users should treat the stored credentials and search results carefully.

Install only if you are comfortable using a paid third-party people-search API. Keep ~/.upkuajing/.env private, avoid enabling request/response logging unless needed, delete local task_data outputs when no longer needed, and make sure any LinkedIn/contact searches comply with your legal, privacy, and outreach obligations.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Privilege EscalationExcessive Permissions, Sudo/Root Execution, Credential Access
  • Supply ChainUnpinned Dependencies, External Script Fetching, Obfuscated Code
  • Excessive AgencyUnrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • MCP Least PrivilegeUnderdeclared Capability, Wildcard Permission, Missing Permission Declaration
  • MCP Tool PoisoningHidden Instructions, Unicode Deception, Parameter Description Injection
Findings (11)

Lp3

Medium
Category
MCP Least Privilege
Confidence
89% confidence
Finding
The skill declares no permissions, yet its instructions clearly require network access, reading and writing local files, and accessing environment-stored secrets. This creates a transparency and consent problem: a user or runtime may authorize the skill under a narrower trust model than its real behavior, increasing the chance of unintended secret access or file modification.

Tp4

High
Category
MCP Tool Poisoning
Confidence
93% confidence
Finding
The published description frames the skill as a LinkedIn person search tool, but the body also instructs the agent to manage API keys, read and write ~/.upkuajing/.env, inspect account status and pricing, create recharge orders, perform version-check network calls, and persist task metadata locally. That gap can mislead users about the scope of actions and sensitive data handling, causing overbroad trust and unexpected billing, credential, or privacy exposure.

Description-Behavior Mismatch

High
Confidence
96% confidence
Finding
The file implements API key issuance, account inspection, and payment-related functionality even though the skill is described as a LinkedIn person search capability. This mismatch expands the trust boundary and introduces billing and credential-handling behavior that users would not reasonably expect from the declared skill, increasing the risk of abuse or deceptive data collection.

Description-Behavior Mismatch

High
Confidence
97% confidence
Finding
Creating recharge orders and returning payment URLs is unrelated to searching for LinkedIn contacts and introduces financial workflow behavior into a skill that appears informational. In a skill marketplace or agent environment, this kind of hidden monetization path can mislead users and could be abused for unauthorized charges, phishing-style payment redirection, or undisclosed commercial activity.

Context-Inappropriate Capability

Medium
Confidence
90% confidence
Finding
The code exposes account balance and API pricing retrieval without a clear relationship to the advertised people-search task. While not inherently exploit code, this unnecessarily broadens accessible business-sensitive information and may aid account enumeration, billing intelligence gathering, or social engineering if exposed through an agent interface.

Missing User Warnings

Medium
Confidence
94% confidence
Finding
The API reference explicitly supports filtering for and returning personal contactability indicators such as phone, WhatsApp, email, website, social presence, gender, and related counts without any stated privacy restrictions, lawful-basis requirements, or usage safeguards. In a lead-generation and recruiting context, this materially increases the risk of privacy abuse, mass profiling, unsolicited outreach, and non-compliant processing of personal data.

Missing User Warnings

Medium
Confidence
88% confidence
Finding
The code can persist full API request parameters and response bodies to local log files when logging is enabled, and there is no redaction, consent prompt, or retention control. In a people-search skill, those payloads may contain personal data, search criteria, or account-related information, so local storage increases privacy and secondary disclosure risk if the workstation or home directory is accessed by another process or user.

Credential Access

High
Category
Privilege Escalation
Content
### **未设置API密钥**
请先检查 `~/.upkuajing/.env` 文件是否有 UPKUAJING_API_KEY;
如果未设置 UPKUAJING_API_KEY API密钥,请提示并让用户选择:
1. 用户有,由用户提供(手动添加到 ~/.upkuajing/.env 文件)
2. 用户没有,你可使用接口进行申请(`auth.py --new_key`),申请到新密钥后,会自动保存到 ~/.upkuajing/.env
等待用户选择;
Confidence
95% confidence
Finding
.env

Credential Access

High
Category
Privilege Escalation
Content
请先检查 `~/.upkuajing/.env` 文件是否有 UPKUAJING_API_KEY;
如果未设置 UPKUAJING_API_KEY API密钥,请提示并让用户选择:
1. 用户有,由用户提供(手动添加到 ~/.upkuajing/.env 文件)
2. 用户没有,你可使用接口进行申请(`auth.py --new_key`),申请到新密钥后,会自动保存到 ~/.upkuajing/.env
等待用户选择;

### **账户充值**
Confidence
95% confidence
Finding
.env

Credential Access

High
Category
Privilege Escalation
Content
"envFilePath": str(env_file)
        }

    # 保存到 .env 文件
    try:
        with open(env_file, 'w', encoding='utf-8') as f:
            f.write(f"{API_KEY_ENV}={api_key}\n")
Confidence
83% confidence
Finding
.env

Unpinned Dependencies

Low
Category
Supply Chain
Content
httpx>=0.23.0
Confidence
93% confidence
Finding
httpx>=0.23.0

VirusTotal

65/65 vendors flagged this skill as clean.

View on VirusTotal

Static analysis

Detected: suspicious.exposed_secret_literal

File appears to expose a hardcoded API secret or token.

Critical
Code
suspicious.exposed_secret_literal
Location
scripts/common.py:196