Back to skill

Security audit

Tianapi Kuaidi - 快递物流查询

Security checks across malware telemetry and agentic risk

Overview

This is a coherent shipment-tracking helper that calls TianAPI with user-supplied tracking details, though those details are shared with that third-party service.

Before installing, be comfortable sending shipment tracking numbers, carrier identifiers, and any required phone suffix to TianAPI. Prefer an environment variable for the API key, and provide the phone suffix only when the carrier requires it.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
  • MCP Least PrivilegeUnderdeclared Capability, Wildcard Permission, Missing Permission Declaration
  • Prompt InjectionInstruction Override, Hidden Instructions, Exfiltration Commands
  • Privilege EscalationExcessive Permissions, Sudo/Root Execution, Credential Access
  • Supply ChainUnpinned Dependencies, External Script Fetching, Obfuscated Code
Findings (3)

Lp3

Medium
Category
MCP Least Privilege
Confidence
80% confidence
Finding
The skill documentation instructs use of environment variables, local files, and outbound network access to a third-party API, but the skill does not explicitly declare corresponding permissions. This creates a transparency and governance gap: users or platforms may not realize the skill reads secrets and transmits shipment-related data externally.

Missing User Warnings

Medium
Confidence
95% confidence
Finding
The skill sends tracking numbers and, in some cases, the last four digits of a phone number to TianAPI, but the documentation does not warn users that this information will be disclosed to a third party. Tracking data and phone suffixes can be sensitive personal or transactional information, so the lack of notice undermines informed consent and privacy expectations.

Missing User Warnings

Medium
Confidence
86% confidence
Finding
The script sends shipment tracking numbers and, for some carriers, the last four digits of a phone number to a third-party API without any explicit privacy notice, consent check, or masking. While this is necessary for the feature to work, these values are personal or sensitive operational data, and transmitting them externally can create privacy and compliance risk if users are not clearly informed.

VirusTotal

65/65 vendors flagged this skill as clean.

View on VirusTotal

Static analysis

No suspicious patterns detected.