Back to skill

Security audit

Icp Query - 网站备案查询

Security checks across malware telemetry and agentic risk

Overview

This is a straightforward TianAPI ICP lookup skill, with the main caution being less-safe API key handling examples.

Prefer setting TIANAPI_ICP_KEY through your shell or a managed secret store. Avoid passing the key on the command line, do not commit scripts/.env, and remember each lookup sends the queried domain and your TianAPI API key to TianAPI.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
  • Privilege EscalationExcessive Permissions, Sudo/Root Execution, Credential Access
  • MCP Least PrivilegeUnderdeclared Capability, Wildcard Permission, Missing Permission Declaration
  • Prompt InjectionInstruction Override, Hidden Instructions, Exfiltration Commands
  • Supply ChainUnpinned Dependencies, External Script Fetching, Obfuscated Code
Findings (4)

Lp3

Medium
Category
MCP Least Privilege
Confidence
83% confidence
Finding
The skill documentation indicates capabilities to read environment variables, read local files, and make network requests, but it does not declare corresponding permissions. This creates a transparency and governance gap: users and hosting platforms may not realize the skill can access secrets and exfiltrate data over the network.

Missing User Warnings

Medium
Confidence
96% confidence
Finding
The skill explicitly tells users to pass the API key as a command-line argument. Command-line secrets can be exposed through shell history, process listings, logs, terminal recording tools, or CI job output, making credential theft much easier.

Credential Access

High
Category
Privilege Escalation
Content
# 方式一:环境变量(推荐,一次配置永久生效)
    export TIANAPI_ICP_KEY=你的APIKey

    # 方式二:.env 文件(在脚本目录创建)
    echo "TIANAPI_ICP_KEY=你的APIKey" > scripts/.env

    # 方式三:每次命令行传入
Confidence
80% confidence
Finding
.env

Credential Access

High
Category
Privilege Escalation
Content
export TIANAPI_ICP_KEY=你的APIKey

    # 方式二:.env 文件(在脚本目录创建)
    echo "TIANAPI_ICP_KEY=你的APIKey" > scripts/.env

    # 方式三:每次命令行传入
    python3 scripts/fetch_icp-query.py 你的APIKey www.baidu.com
Confidence
78% confidence
Finding
.env

VirusTotal

65/65 vendors flagged this skill as clean.

View on VirusTotal

Static analysis

No suspicious patterns detected.