帮我跑腿 (Help me run errands)

Security checks across malware telemetry and agentic risk

Overview

This delivery skill mostly matches its purpose, but it needs review because it can create paid courier orders without final confirmation and handles sensitive delivery, payment, credential, and location data with weak scoping.

Install only if you are comfortable with a skill handling real courier orders, phone/SMS registration, addresses, recipient phone numbers, payment links, and rider location. Before use, require the agent to show route, recipient, price, and payment implications and get an explicit final confirmation before creating or canceling any order. Avoid storing appSecret in config.json when possible, and be aware that IP lookup providers and a QR-code service may receive related metadata.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • Trigger Abuse: Overly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • MCP Least Privilege: Underdeclared Capability, Wildcard Permission, Missing Permission Declaration
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
Findings (9)

Lp3

Severity: Medium
Category: MCP Least Privilege
Confidence: 91%
Finding:
The skill documents and depends on environment access, local file reads/writes, and networked API calls, yet declares no permissions. This creates a transparency and governance gap: the agent may execute capabilities that users or policy systems were not clearly told about, including reading secrets from environment variables and writing persistent config files with credentials.

Scope Creep

Severity: Medium
Confidence: 95%
Finding:
The manifest says no environment requirements are needed, but the skill explicitly instructs use of UUPT_APP_ID, UUPT_APP_SECRET, and UUPT_OPEN_ID. That mismatch can bypass operator expectations and secret-management controls, because the skill behavior relies on undeclared credential sources.

Context-Inappropriate Capability

Severity: Medium
Confidence: 94%
Finding:
The skill contacts multiple unrelated third-party IP-discovery services during registration and transmits the user's network metadata outside the primary UU跑腿 service. This unnecessarily expands data exposure, creates extra tracking surfaces, and allows unrelated providers to learn that a specific user is attempting to register for this delivery workflow.

Context-Inappropriate Capability

Severity: Medium
Confidence: 96%
Finding:
The skill sends the payment URL to an unrelated external QR-code generation service and writes the returned image locally. Payment URLs often contain order identifiers, session tokens, or sensitive payment parameters, so disclosing them to a third party can enable tracking, payment-link leakage, or abuse if the URL is replayable.

Vague Triggers

Severity: High
Confidence: 96%
Finding:
The top-level description and intent examples are broad enough to trigger on generic words like '送' (deliver), '取' (pick up), '寄' (send/mail), '配送' (delivery), or '买东西' (buy something), which can appear in ordinary conversation unrelated to placing a UU跑腿 order. Over-broad routing can cause the agent to collect addresses and phone numbers, or to initiate a commercial workflow, when the user did not intend to use this third-party service.

Vague Triggers

Severity: High
Confidence: 97%
Finding:
The trigger list matches many generic logistics-related keywords without constraints, making false activation likely. In this skill, false activation is especially risky because the downstream flow requests sensitive personal data and can lead to order creation and payment handling.

Missing User Warnings

Severity: High
Confidence: 99%
Finding:
The skill explicitly instructs the agent to create an order immediately after pricing and '不询问用户是否确认' (do not ask the user whether they confirm), despite the action being transactional and potentially charge-incurring. This is a direct unsafe automation pattern that can cause unauthorized purchases, unwanted courier dispatches, exposure of recipient data to a third party, and payment obligations arising from an ambiguous or incomplete request.

Missing User Warnings

Severity: Medium
Confidence: 93%
Finding:
The script prints personally sensitive operational data to stdout, including the driver's phone number and live GPS coordinates, without any access-control check, masking, consent prompt, or warning about handling sensitive information. In a delivery-tracking context this data is legitimately available for order fulfillment, but exposing it in raw CLI output increases the risk of unauthorized disclosure through shell history, logs, screenshots, shared terminals, or downstream tooling.

Missing User Warnings

Severity: Medium
Confidence: 94%
Finding:
The script prints full order details, including pickup and delivery addresses, courier name, and courier phone number, directly to stdout without any masking, access check, or warning. In a delivery skill, this data is highly sensitive personal and operational information; if logs, terminal history, or shared execution environments are exposed, it can leak user and rider PII and enable stalking, harassment, or social engineering.

VirusTotal

66/66 vendors reported this skill as clean.