Back to skill

Security audit

手机号有效性校验,验证电话号码有效、无效、座机、手机、是否注册WhatsApp多种状态,帮助销售团队、招聘人员、贸易商、外贸从业者检查手机号真实性、减少无效联系人、提升客户触达效率——是 CRM 数据清洗、候选人筛查、供应商核验的必备工具,适用于外贸短信群发前清洗、招聘背调与采购商核实。

Security checks across malware telemetry and agentic risk

Overview

The skill is a disclosed paid phone-validation API client with credential and billing helpers that fit its purpose, though users should understand the privacy and plaintext key-storage implications.

Before installing, confirm you are comfortable sending phone numbers to the upkuajing remote API, paying for API calls, and storing an API key in plaintext under ~/.upkuajing/.env. Use the recharge and new-key commands only after an explicit user decision, and avoid enabling request logging unless you can protect the resulting local logs.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
  • Privilege EscalationExcessive Permissions, Sudo/Root Execution, Credential Access
  • Supply ChainUnpinned Dependencies, External Script Fetching, Obfuscated Code
  • Excessive AgencyUnrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • Tool MisuseTool Parameter Abuse, Chaining Abuse, Unsafe Defaults
Findings (18)

Lp3

Medium
Category
MCP Least Privilege
Confidence
90% confidence
Finding
The skill declares no explicit permissions, yet its documented behavior includes reading environment variables and local files, writing to ~/.upkuajing/.env, and making network requests to external services. This weakens user consent and sandbox policy enforcement because a caller may reasonably expect a simple phone-validation tool, not one that also accesses credentials and performs account-management operations.

Tp4

High
Category
MCP Tool Poisoning
Confidence
96% confidence
Finding
The documented purpose is phone validation, but the skill also instructs the agent to request new API keys, store them locally, inspect account state, create recharge orders, fetch pricing, and cache remote version data. This capability expansion increases the attack surface and can lead to unanticipated credential handling, spending, and outbound communication beyond what users consented to for phone checking.

Description-Behavior Mismatch

High
Confidence
98% confidence
Finding
The file implements account onboarding, account-info retrieval, recharge ordering, and pricing lookups, which materially exceed the stated purpose of a phone/WhatsApp validity-check skill. This capability mismatch is dangerous because users may invoke a seemingly low-risk validation skill that can actually create credentials and initiate billing-related actions against a remote service.

Context-Inappropriate Capability

High
Confidence
96% confidence
Finding
The recharge-order creation function enables payment-related side effects that are not justified by a phone-number validation workflow. In a skill presented as contact validation, hidden billing functionality increases the risk of unauthorized purchases, phishing-like redirection to payment URLs, or abuse of the user's linked account.

Context-Inappropriate Capability

Medium
Confidence
93% confidence
Finding
The script can request a new API key and persist it locally even though that capability is not disclosed by the skill's stated function. Hidden credential lifecycle operations expand the trust boundary and may leave long-lived secrets on disk where users did not expect them.

Context-Inappropriate Capability

Medium
Confidence
95% confidence
Finding
This module performs outbound version-check requests and writes persistent cache data under the user's home directory, which is unrelated to the stated phone/WhatsApp validation purpose of the skill. Even if intended for update notifications, this creates hidden side effects: it leaks skill usage metadata to a remote service and modifies local state without the user's explicit consent, expanding the trust boundary and attack surface.

Missing User Warnings

Medium
Confidence
94% confidence
Finding
The documentation describes sending phone numbers and a bearer token but does not warn that both are sensitive data requiring careful handling. In this skill’s context, bulk phone validation for sales/outreach increases privacy risk because users may transmit personal contact data to a third-party service without clear notice about consent, storage, logging, or secure transport expectations.

Missing User Warnings

Medium
Confidence
92% confidence
Finding
The code writes a newly created API key into a local .env file without a prior user-facing warning about secret persistence or file-system side effects. This can expose credentials through backups, permissive file permissions, accidental commits, or other local disclosure channels.

Missing User Warnings

Medium
Confidence
84% confidence
Finding
The script sends authentication-related requests to remote endpoints without user-facing disclosure that account-associated data and system context may be transmitted. In a skill marketed for phone validation, undisclosed remote auth flows increase the chance that users expose account state or bootstrap third-party service access unintentionally.

Missing User Warnings

Medium
Confidence
84% confidence
Finding
The request/response logging functions can persist full API parameters and responses to local log files, which may include phone numbers, validation results, or account-related data. Although logging is currently disabled by default, enabling it would create a plaintext local data trail without minimization, redaction, retention limits, or user-facing disclosure at the write points.

Missing User Warnings

Medium
Confidence
94% confidence
Finding
The script sends phone numbers to a remote endpoint for validation, but its CLI interface and help text do not clearly disclose that user-supplied numbers will be transmitted off-host to an external service. Because phone numbers are personal contact data and may be sensitive business/customer information in the stated outbound-sales context, this creates a real privacy and compliance risk through uninformed data sharing.

Credential Access

High
Category
Privilege Escalation
Content
### **未设置API密钥**
请先检查 `~/.upkuajing/.env` 文件是否有 UPKUAJING_API_KEY;
如果未设置 UPKUAJING_API_KEY API密钥,请提示并让用户选择:
1. 用户有,由用户提供(手动添加到 ~/.upkuajing/.env 文件)
2. 用户没有,你可使用接口进行申请(`auth.py --new_key`),申请到新密钥后,会自动保存到 ~/.upkuajing/.env
等待用户选择;
Confidence
95% confidence
Finding
.env

Credential Access

High
Category
Privilege Escalation
Content
请先检查 `~/.upkuajing/.env` 文件是否有 UPKUAJING_API_KEY;
如果未设置 UPKUAJING_API_KEY API密钥,请提示并让用户选择:
1. 用户有,由用户提供(手动添加到 ~/.upkuajing/.env 文件)
2. 用户没有,你可使用接口进行申请(`auth.py --new_key`),申请到新密钥后,会自动保存到 ~/.upkuajing/.env
等待用户选择;

### **账户充值**
Confidence
94% confidence
Finding
.env

Credential Access

High
Category
Privilege Escalation
Content
env_file = UPKUAJING_ENV_FILE

    if env_file.exists():
        # 读取现有的 .env 文件
        try:
            with open(env_file, 'r', encoding='utf-8') as f:
                content = f.read()
Confidence
65% confidence
Finding
.env

Credential Access

High
Category
Privilege Escalation
Content
"envFilePath": str(env_file)
        }

    # 保存到 .env 文件
    try:
        with open(env_file, 'w', encoding='utf-8') as f:
            f.write(f"{API_KEY_ENV}={api_key}\n")
Confidence
90% confidence
Finding
.env

Unpinned Dependencies

Low
Category
Supply Chain
Content
httpx>=0.23.0
Confidence
91% confidence
Finding
httpx>=0.23.0

Unsafe Defaults

Medium
Category
Tool Misuse
Content
pass  # 如果读取失败,继续执行

    # 不需要认证申请新密钥
    response = make_request('/agent/auth/create', {}, require_auth=False)

    # 检查是否申请成功
    if response.get('code') != 0:
Confidence
73% confidence
Finding
auth=False

Unsafe Defaults

Medium
Category
Tool Misuse
Content
pass  # 如果读取失败,继续执行

    # 不需要认证申请新密钥
    response = make_request('/agent/auth/create', {}, require_auth=False)

    # 检查是否申请成功
    if response.get('code') != 0:
Confidence
73% confidence
Finding
require_auth=False

VirusTotal

59/59 vendors flagged this skill as clean.

View on VirusTotal

Static analysis

Detected: suspicious.exposed_secret_literal

File appears to expose a hardcoded API secret or token.

Critical
Code
suspicious.exposed_secret_literal
Location
scripts/common.py:196