Back to skill

Security audit

Jd Express Tracker

Security checks across malware telemetry and agentic risk

Overview

This is a coherent JD package-tracking skill, with expected privacy caveats around waybill data and JD session tokens.

Use this only for JD shipments you are authorized to check. Provide the JD session token through a secure secret/auth mechanism, do not hard-code or log it, and remember that queried waybills may be kept in a small local recent-history cache.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
  • Prompt InjectionInstruction Override, Hidden Instructions, Exfiltration Commands
  • Privilege EscalationExcessive Permissions, Sudo/Root Execution, Credential Access
  • Supply ChainUnpinned Dependencies, External Script Fetching, Obfuscated Code
  • Excessive AgencyUnrestricted Tool Access, Autonomous Decision Making, Scope Creep
Findings (2)

Missing User Warnings

Medium
Confidence
95% confidence
Finding
The skill handles waybill detail queries that may expose shipping-related personal data and explicitly requires a valid JD session token, but it does not warn users or integrators about the sensitivity of the returned data or the authentication requirement. This can lead to inappropriate use, over-broad disclosure, or insecure handling of recipient/sender information in downstream agent flows.

Missing User Warnings

Medium
Confidence
87% confidence
Finding
The document explicitly identifies `js-token` as a critical authentication header but provides no guidance on secure handling, storage, redaction, or user consent. In a logistics-tracking skill, this can lead implementers to embed, log, or transmit session tokens insecurely, enabling unauthorized access to account-linked shipment data or session misuse.

VirusTotal

63/63 vendors flagged this skill as clean.

View on VirusTotal

Static analysis

No suspicious patterns detected.