小递查查 - Bulk Courier Tracking Query API Skill

Security checks across malware telemetry and agentic risk

Overview

This skill appears to do what it claims: query courier tracking data through a third-party API and optionally save the results locally.

Install only if you trust xdccy.com with shipment identifiers, optional phone-tail digits, and API account details. Use limited credentials where possible, avoid bulk files with unnecessary customer data, and protect or delete exported result files because they may include detailed logistics history and courier contact information.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Trigger Abuse: Overly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Privilege Escalation: Excessive Permissions, Sudo/Root Execution, Credential Access
  • Supply Chain: Unpinned Dependencies, External Script Fetching, Obfuscated Code
Findings (2)

Vague Triggers

Medium
Confidence: 83%
Finding
The trigger conditions are broad enough that ordinary requests about package status or location could invoke the skill automatically without adequate confirmation. In this skill, accidental activation is more significant because execution may send sensitive shipment identifiers and credentials over the network and optionally create local export files.

Missing User Warnings

Medium
Confidence: 97%
Finding
The skill requests PlatformID, MemberID, and APIKey and directs the agent to query a third-party service, but it does not clearly warn that credentials and shipment data will be transmitted over the network and that results can be exported to files. This creates a real risk of unintended disclosure of API secrets, tracking numbers, phone suffixes, and logistics details.

VirusTotal

66/66 vendors flagged this skill as clean.
