Back to skill

Security audit

Keruyun Api Fetcher

Security checks across malware telemetry and agentic risk

Overview

This looks like an API documentation skill, but its catalog contains verified mismatches in sensitive business and financial workflows that could cause wrong API use.

Install only if you need a Keruyun API reference and will manually verify endpoint paths against official documentation before using it. Do not let an agent execute workflows directly from this catalog, especially for payments, transfers, coupons, stored value, points, refunds, or callbacks, until the mappings and examples are audited.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Excessive AgencyUnrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • Trigger AbuseOverly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • MCP Tool PoisoningHidden Instructions, Unicode Deception, Parameter Description Injection
  • Prompt InjectionInstruction Override, Hidden Instructions, Exfiltration Commands
  • Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
Findings (21)

Intent-Code Divergence

High
Confidence
83% confidence
Finding
An entry labeled as a stored-value feature actually points to the membership-level-rules endpoint and response schema, which can cause an agent or integrator to invoke the wrong privileged business operation. In a skill that relies on this catalog for autonomous API selection, that confusion can lead to unauthorized or incorrect financial/member actions and integrity-impacting workflows.

Intent-Code Divergence

High
Confidence
83% confidence
Finding
A points feature that reuses an unrelated membership-level-rules endpoint is dangerous in an agent skill because action selection may be based on the label rather than the true path. That can make the agent issue unintended calls, mis-handle permissions, or fabricate business logic around loyalty operations using the wrong backend contract.

Intent-Code Divergence

High
Confidence
85% confidence
Finding
Labeling an endpoint as coupon-template functionality while actually wiring it to a membership-level-rules API is especially risky because coupon operations often influence entitlement, redemption, or pricing behavior. An AI agent using this catalog could take wrong actions against a privileged CRM interface, resulting in business logic abuse or unauthorized changes in production workflows.

Intent-Code Divergence

High
Confidence
85% confidence
Finding
A coupon-instance feature mapped to an unrelated endpoint creates a high risk of agent mis-execution because coupon issuance/redemption is sensitive and often financially relevant. In this skill context, the API catalog is likely an execution source of truth, so inaccurate endpoint mapping can directly cause unauthorized or harmful business operations.

Intent-Code Divergence

Medium
Confidence
95% confidence
Finding
Several membership-related API records have names/titles such as recharge, points, coupon template, and coupon instance, but all map to the same unrelated endpoint path '/open/standard/crm/listLevelRules'. In an agent skill, this kind of metadata-to-endpoint mismatch can cause the agent or downstream tooling to invoke the wrong operation, leading to incorrect data access, failed business actions, or accidental exposure/modification of customer membership data.

Intent-Code Divergence

High
Confidence
85% confidence
Finding
These entries map high-impact business functions like stored value, points, coupon template, and coupon instance to the same unrelated level-rules endpoint. In a skill or integration context, this can cause transactions or entitlement logic to be routed to the wrong API, leading to incorrect data handling, broken authorization assumptions, or silent business-logic failures around customer assets.

Intent-Code Divergence

High
Confidence
88% confidence
Finding
This section contains broad contradictions between endpoint names, descriptions, and behaviors, including fund operations and write actions mislabeled as read-only or unrelated queries. In an agent skill, such mismatches materially increase the chance of unsafe autonomous actions, accidental state-changing calls, or mis-scoped handling of financial and inventory operations.

Intent-Code Divergence

Medium
Confidence
96% confidence
Finding
The mapping labels coupon write operations such as redemption and reversal as the coupon query API, which can cause an integrator or agent to invoke the wrong endpoint for state-changing actions. In a skill that drives downstream API selection, this is dangerous because it can silently break authorization assumptions, produce failed or inconsistent coupon state transitions, or encourage unsafe fallback logic against third-party endpoints.

Intent-Code Divergence

Medium
Confidence
98% confidence
Finding
Multiple stored-value and points operations are mapped to a level-rules listing API, meaning sensitive financial or loyalty mutations are associated with a read-style endpoint. In an API-mapping skill, this can misroute money-like operations, cause unauthorized or failed updates, and create accounting inconsistencies if callers implement compensating behavior based on bad documentation.

Intent-Code Divergence

Medium
Confidence
95% confidence
Finding
The ordering operation '扫码点餐先付模式下单' is mapped to a product pagination query API instead of an order-creation endpoint. Because this file appears to guide API usage for solutions, such a mismatch can make automated agents choose the wrong endpoint for checkout flows, leading to order failure, malformed requests, or unsafe retry and fallback behavior in payment-adjacent logic.

Intent-Code Divergence

Low
Confidence
83% confidence
Finding
Mapping a payment refund notification to an order-change reporting event can cause refund events to be consumed by the wrong handler or ignored entirely. In payment-related flows this can delay reconciliation, hide refund status changes, and create integrity issues that affect financial records and customer balances.

Vague Triggers

Medium
Confidence
78% confidence
Finding
Using an unspecified callback path of 'third-party provided' leaves the actual receiver undefined, which is dangerous in an agent or integration skill because implementers may bind arbitrary endpoints without documented authentication or verification requirements. This ambiguity increases the risk of insecure webhook exposure, spoofed event delivery, or data being sent to the wrong destination.

Vague Triggers

Medium
Confidence
78% confidence
Finding
An unspecified callback path for product events creates ambiguity around where sensitive business notifications should be delivered and how they should be authenticated. In this skill context, vague webhook definitions can cause insecure default implementations or acceptance of unauthenticated requests from arbitrary sources.

Vague Triggers

Medium
Confidence
78% confidence
Finding
A placeholder third-party callback path for inventory changes is a real security concern because inventory feeds can drive automated downstream actions. Without a defined secure callback contract, implementers may expose unauthenticated endpoints vulnerable to spoofed stock updates or denial-of-service through event flooding.

Vague Triggers

Medium
Confidence
78% confidence
Finding
A vague callback definition for booking-order changes can lead to insecure ingestion of reservation events, especially if consumers trust undocumented payloads without origin verification. In an automation setting, forged or misrouted callbacks could alter booking state or trigger incorrect customer-facing workflows.

Vague Triggers

Medium
Confidence
78% confidence
Finding
An unspecified callback endpoint for order-status notifications is dangerous because it invites insecure ad hoc implementation of a receiver for transactional data. If agents or developers use this as-is, they may create endpoints that accept untrusted status changes, enabling spoofing or business-process manipulation.

Vague Triggers

Medium
Confidence
78% confidence
Finding
A generic 'third-party provided' path for reservation status messages provides no secure integration boundary. In a skill-driven environment, this can result in unsafe assumptions about trust, transport, and validation for events that may change reservation state or customer communications.

Vague Triggers

Medium
Confidence
78% confidence
Finding
A vague callback path for C-end booking status changes can expose consumers to forged notifications or accidental disclosure if routed incorrectly. Because these events may affect customer bookings and downstream automation, missing endpoint specificity and auth guidance materially increases implementation risk.

Missing User Warnings

Medium
Confidence
93% confidence
Finding
The file includes plaintext example member PII such as full mobile number, name, email, and birthday. Even though this is documentation data, publishing realistic personal data in a reusable skill increases privacy exposure, can propagate into logs and training corpora, and normalizes unsafe handling of sensitive customer information.

Autonomous Decision Making

Medium
Category
Excessive Agency
Content
"orgType": "COMPANY"
        }
      ],
      "autoConfirmAndExecute": true,
      "remark": "测试测试测试"
    },
    "url": "https://open.keruyun.com/docs/zh/3dM-KJ0BzLbxthFvwnxq"
Confidence
88% confidence
Finding
autoConfirm

Autonomous Decision Making

Medium
Category
Excessive Agency
Content
"orgType": "COMPANY"
            }
          ],
          "autoConfirmAndExecute": true,
          "remark": "测试测试测试"
        }
      },
Confidence
86% confidence
Finding
autoConfirm

VirusTotal

65/65 vendors flagged this skill as clean.

View on VirusTotal

Static analysis

No suspicious patterns detected.