Back to skill

Security audit

UpKuaJing Company and People Search

Security checks across malware telemetry and agentic risk

Overview

This skill does what it claims: it queries UpKuaJing for company, people, and contact data, but users should treat the returned personal data and paid API calls carefully.

Install only if you intend to use UpKuaJing for paid company or people-data lookups. Use a dedicated API key, confirm fees before running searches or enrichments, and treat saved result files as sensitive personal/business data that may need deletion, access control, and lawful-use review.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
  • Excessive AgencyUnrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • Prompt InjectionInstruction Override, Hidden Instructions, Exfiltration Commands
  • Privilege EscalationExcessive Permissions, Sudo/Root Execution, Credential Access
  • Supply ChainUnpinned Dependencies, External Script Fetching, Obfuscated Code
Findings (5)

Context-Inappropriate Capability

Medium
Confidence
89% confidence
Finding
This module introduces outbound network access and local filesystem writes for version checking, which are not necessary for the core stated purpose of searching company and people data. Even if intended as a normal update notifier, it expands the skill's trust boundary, creates an extra telemetry/update channel, and can expose environment metadata such as skill usage patterns or enable unexpected network activity in restricted environments.

Missing User Warnings

High
Confidence
96% confidence
Finding
The skill explicitly offers retrieval of personal contact data such as email, phone, and WhatsApp, but provides no privacy warning, lawful-use guidance, or consent checks. In context, this materially increases the risk of privacy violations, unauthorized profiling, scraping, or targeted outreach using sensitive personal data.

Missing User Warnings

Medium
Confidence
95% confidence
Finding
This API reference explicitly documents search and filtering over contact details and personal attributes such as gender, interests, skills, languages, certifications, phone, email, and WhatsApp presence, but provides no privacy, lawful-use, consent, or access-control guidance. In the context of a people-search skill marketed for customer development and background checks, this materially increases the risk of targeted profiling, scraping, and misuse of personal data.

Missing User Warnings

Medium
Confidence
88% confidence
Finding
The script sends company or person identifiers to a remote API endpoint that returns sensitive contact data such as email, phone, WhatsApp, and websites, but it provides no explicit user-facing notice about the outbound transmission or the sensitivity of the returned data. In a contact-enrichment skill, this behavior is functionally expected, but it still creates privacy and compliance risk because users may process personal data without clear disclosure, consent checks, or handling guidance.

Missing User Warnings

Medium
Confidence
88% confidence
Finding
This script persists retrieved person records and task metadata to local files by default, but gives no explicit notice, consent step, retention policy, or access-control safeguards. In the context of a people-search skill that returns contact details and background information, silent local storage increases privacy, compliance, and unauthorized disclosure risk if the host system is shared, misconfigured, or later compromised.

VirusTotal

66/66 vendors flagged this skill as clean.

View on VirusTotal

Static analysis

No suspicious patterns detected.