uupt-delivery

Security checks across malware telemetry and agentic risk

Overview

This delivery skill is mostly coherent, but it deserves review because it can place real courier orders and expose phone, address, IP, rider, and payment-link data with weak confirmation and privacy controls.

Review before installing. Use it only if you intend to link a UU delivery account and are comfortable sharing phone numbers, addresses, public IP, order details, rider contact/location data, and payment links with the involved services. Do not let an agent place or cancel orders unless it first summarizes the details and gets explicit confirmation. Avoid sharing terminal logs from this skill, and prefer environment variables or a protected config location for credentials.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • Trigger Abuse: Overly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Privilege Escalation: Excessive Permissions, Sudo/Root Execution, Credential Access
Findings (11)

Context-Inappropriate Capability (Medium, 84% confidence)

Finding: The registration and credential-handling flow asks the agent to collect appId, appSecret, openId, phone numbers, SMS codes, and to write them into local configuration. Even if functionally related to onboarding, this expands the skill from delivery ordering into credential collection and secret storage, increasing the risk of mishandling sensitive data and normalizing the agent as a credential broker.

Context-Inappropriate Capability (Medium, 88% confidence)

Finding: The skill includes payment handling behavior, including sending payment links and QR codes, but this financial-action surface is not clearly declared in the top-level description. Hidden or under-disclosed payment behavior is risky because users may invoke what seems like a delivery helper without realizing it can initiate real payment workflows.

Context-Inappropriate Capability (Medium, 94% confidence)

Finding: The skill sends the payment URL to api.qrserver.com to generate a QR code, disclosing order/payment metadata to an unrelated third party outside the stated delivery provider. This expands the trust boundary and can leak sensitive transaction links or enable third-party tracking of user payment activity.

Vague Triggers (High, 96% confidence)

Finding: The trigger text is extremely broad, including common phrases like '帮我' and other everyday words that can appear in many unrelated conversations. In context, this is more dangerous because the skill can lead to real-world ordering and payment flows, so accidental activation could steer users into sensitive actions they did not intend.

Missing User Warnings (High, 98% confidence)

Finding: The skill explicitly instructs the agent to create a real-world service order immediately after pricing, without a final user confirmation. This is dangerous because it can commit the user to a delivery request, expose personal data to a third party, and potentially trigger charges or operational dispatch based on misunderstood or incomplete input.

Missing User Warnings (Medium, 95% confidence)

Finding: The skill queries multiple third-party IP-discovery services to obtain the user's public IP, which discloses network metadata to unrelated external providers. In this delivery/authorization context, the IP may be required by the upstream UU API, but sending it to several fallback services without explicit consent or disclosure unnecessarily expands data exposure and creates additional privacy risk.

Missing User Warnings (Medium, 89% confidence)

Finding: The function sends a user's mobile number, public IP, and optional image code to an external service as part of SMS verification, which is sensitive personal data. Although this is expected for a courier-service registration flow, the code provides no explicit user-facing notice, consent mechanism, or data-handling safeguards beyond basic transport to the API.

Missing User Warnings (Medium, 91% confidence)

Finding: The authorization flow persists the returned openId into a local config file automatically, creating credential storage on disk without explicit notice or protection. While openId may be needed for subsequent API calls, silent persistence increases the risk of credential leakage through local file access, backups, or source packaging mistakes.

Missing User Warnings (Medium, 95% confidence)

Finding: The script prints personally identifiable information and real-time location data to stdout, including driver name, phone number, coordinates, and distance. In a delivery-tracking context this data may be legitimate for authorized users, but exposing it without masking, access checks, minimization, or a privacy notice increases the risk of unintended disclosure through logs, terminals, screenshots, or shared automation environments.

Missing User Warnings (Medium, 90% confidence)

Finding: The script prints full order details, including pickup/dropoff addresses and the rider's phone number, directly to stdout without masking or access-control checks. In CLI and agent environments, stdout is often logged, surfaced to other tools, or visible to unintended operators, so this can leak personal and operational data beyond the user who requested the order lookup.

Missing User Warnings (Medium, 96% confidence)

Finding: The skill queries multiple third-party IP-discovery services to obtain the user's public IP without prior notice or consent. This exposes network metadata and potentially links the user to several unrelated services, increasing privacy risk beyond what is necessary for the delivery workflow.

VirusTotal

66/66 vendors flagged this skill as clean.