Back to skill

Security audit

UpKuaJing email marketing tool, send personalized emails and track campaign performance with real-time delivery status. UpKuaJing helps exporters, marketers, and sales teams reach decision-makers, manage email tasks, and analyze open/click rates — powerful for cold outreach, product promotion, and customer engagement.

Security checks across malware telemetry and agentic risk

Overview

This skill is a disclosed UpKuaJing email API helper with expected credential, billing, and network behavior for that purpose, though users should be careful with paid sends and local API key storage.

Install only if you intend to use UpKuaJing's paid email API. Confirm every paid email send or top-up action, protect the API key stored in ~/.upkuajing/.env if you use file storage, and leave API logging disabled unless you are comfortable with request and response payloads being written locally.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
  • Privilege EscalationExcessive Permissions, Sudo/Root Execution, Credential Access
  • Supply ChainUnpinned Dependencies, External Script Fetching, Obfuscated Code
  • Excessive AgencyUnrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • MCP Least PrivilegeUnderdeclared Capability, Wildcard Permission, Missing Permission Declaration
Findings (10)

Lp3

Medium
Category
MCP Least Privilege
Confidence
92% confidence
Finding
The skill declares no explicit permissions while its documented behavior requires access to environment variables, local files, and network endpoints. This mismatch weakens transparency and consent, making it easier for a user or host agent to invoke credential, filesystem, or outbound network actions without clear prior disclosure.

Tp4

High
Category
MCP Tool Poisoning
Confidence
95% confidence
Finding
The skill is presented as an email sending/status tool, but the documentation indicates additional behaviors including credential creation/storage, account and balance retrieval, recharge order creation, and version checking with local caching. Hidden or under-described behaviors are dangerous because they expand the trust boundary to payments, credential handling, and filesystem persistence beyond the user's likely expectations.

Description-Behavior Mismatch

High
Confidence
95% confidence
Finding
The file implements authentication management, API key issuance, and recharge-related functionality even though the declared skill scope is an email tool for sending emails and tracking tasks. Scope expansion is dangerous because it increases the reachable attack surface and can expose users to unexpected credential and billing operations not implied by the manifest.

Description-Behavior Mismatch

High
Confidence
97% confidence
Finding
Creating recharge or payment orders is materially outside an email-only tool's stated functionality and introduces financial operations into a context where users may not expect them. This raises the risk of unauthorized or confusing billing actions and makes abuse more impactful than ordinary email-task management.

Description-Behavior Mismatch

Medium
Confidence
94% confidence
Finding
The code requests and stores new API keys even though the manifest only describes email sending and task tracking. Undeclared credential lifecycle functionality broadens trust assumptions and can enable silent credential provisioning that operators or users did not authorize as part of the skill's advertised purpose.

Context-Inappropriate Capability

High
Confidence
97% confidence
Finding
Billing capability is unjustified by the stated email-tool purpose and creates direct financial risk. In skill ecosystems, hidden or weakly disclosed payment functionality is especially dangerous because it can be triggered in an automation context where users expect only messaging operations.

Description-Behavior Mismatch

Low
Confidence
92% confidence
Finding
When ENABLE_API_LOGGING is enabled, the code writes full request parameters and full API responses to ~/.upkuajing/logs without any redaction. For an email tool, those payloads may contain recipient addresses, message content, task identifiers, and other sensitive business data, creating a local data exposure risk if logs are accessed by other users, backups, or support tooling.

Missing User Warnings

Low
Confidence
90% confidence
Finding
The code performs an outbound version-check request and transmits the skill name to a remote API without any user-facing disclosure or opt-in in this file. While the data sent is limited, this still creates an undisclosed network side effect and can leak usage metadata about installed skills or invocation timing to the service operator.

Credential Access

High
Category
Privilege Escalation
Content
"envFilePath": str(env_file)
        }

    # 保存到 .env 文件
    try:
        with open(env_file, 'w', encoding='utf-8') as f:
            f.write(f"{API_KEY_ENV}={api_key}\n")
Confidence
87% confidence
Finding
.env

Unpinned Dependencies

Low
Category
Supply Chain
Content
httpx>=0.23.0
Confidence
95% confidence
Finding
httpx>=0.23.0

VirusTotal

65/65 vendors flagged this skill as clean.

View on VirusTotal

Static analysis

Detected: suspicious.exposed_secret_literal

File appears to expose a hardcoded API secret or token.

Critical
Code
suspicious.exposed_secret_literal
Location
scripts/common.py:197

File appears to expose a hardcoded API secret or token.

Critical
Code
suspicious.exposed_secret_literal
Location
scripts/mail_send.py:31

File appears to expose a hardcoded API secret or token.

Critical
Code
suspicious.exposed_secret_literal
Location
scripts/mail_task_list.py:29

File appears to expose a hardcoded API secret or token.

Critical
Code
suspicious.exposed_secret_literal
Location
scripts/mail_task_record_list.py:30

File appears to expose a hardcoded API secret or token.

Critical
Code
suspicious.exposed_secret_literal
Location
SKILL.md:121