Back to skill

Security audit

Lajifenlei - 垃圾分类

Security checks across malware telemetry and agentic risk

Overview

This skill is a straightforward garbage-classification lookup tool that sends the queried item and a TianAPI key to TianAPI, with no evidence of hidden or destructive behavior.

Prefer setting TIANAPI_LAJIFENLEI_KEY as an environment variable instead of passing the key on the command line or placing it in a copied URL. Expect the skill to send your queried item name and API key to TianAPI. Also note that the current examples may need adjustment to use --key and --word, and the advertised JSON mode appears incomplete.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
  • Prompt InjectionInstruction Override, Hidden Instructions, Exfiltration Commands
  • Privilege EscalationExcessive Permissions, Sudo/Root Execution, Credential Access
  • Supply ChainUnpinned Dependencies, External Script Fetching, Obfuscated Code
  • Excessive AgencyUnrestricted Tool Access, Autonomous Decision Making, Scope Creep
Findings (1)

Missing User Warnings

Medium
Confidence
95% confidence
Finding
Passing the API key directly on the command line can expose the secret through shell history, process listings, terminal logging, and CI job logs. In shared or monitored environments, another local user or logging system could recover the key and use the third-party API under the victim's account.

VirusTotal

65/65 vendors flagged this skill as clean.

View on VirusTotal

Static analysis

No suspicious patterns detected.