ClawHub

UpKuaJing Customs Trade Company Search

Security checks across malware telemetry and agentic risk

Overview

This skill is a disclosed paid API integration for UpKuaJing trade and company data, with manageable risks around API-key storage, paid calls, and local result files.

Install only if you trust UpKuaJing and intend to use a paid API key. Use a dedicated key if possible, confirm query counts and fee counts before any run, verify any top-up payment URL before paying, and delete local task_data results when they contain sensitive business leads or contacts.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Privilege EscalationExcessive Permissions, Sudo/Root Execution, Credential Access
  • Prompt InjectionInstruction Override, Hidden Instructions, Exfiltration Commands
  • Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
  • Supply ChainUnpinned Dependencies, External Script Fetching, Obfuscated Code
  • Excessive AgencyUnrestricted Tool Access, Autonomous Decision Making, Scope Creep
Findings (3)

Missing User Warnings

Medium
Confidence
85% confidence
Finding
The script persists retrieved customs trade records to a task result file via append_result_data() and later exposes the file path/URL in output, but it provides no consent notice, retention policy, access control indication, or data-minimization guardrails. In this skill's context, the data includes trade order details and business contact information, so silent local persistence increases the risk of unintended disclosure, over-retention, or secondary access by other users/processes on the host.

Credential Access

High
Category
Privilege Escalation
Content
"envFilePath": str(env_file)
        }

    # 保存到 .env 文件
    try:
        with open(env_file, 'w', encoding='utf-8') as f:
            f.write(f"{API_KEY_ENV}={api_key}\n")
Confidence
86% confidence
Finding
.env

Credential Access

High
Category
Privilege Escalation
Content
except IOError as e:
        return {
            "success": False,
            "message": f"API密钥申请成功,但保存到 .env 文件失败:{str(e)}。\n请手动设置环境变量 {API_KEY_ENV}。",
            "envFilePath": str(env_file)
        }
Confidence
79% confidence
Finding
.env

VirusTotal

67/67 vendors flagged this skill as clean.

View on VirusTotal