多平台快递查询

Security checks across malware telemetry and agentic risk

Overview

This is a coherent package-tracking helper that may send tracking numbers to courier or aggregator websites as part of its intended use.

Install only if you are comfortable using it for China-focused courier lookups. Tracking numbers may be entered into third-party aggregator or courier websites, and any requested phone verification, login, or captcha should be handled deliberately, preferably on the courier’s official site.

SkillSpector

By NVIDIA

Vulnerability Patterns

Trigger AbuseOverly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
Prompt InjectionInstruction Override, Hidden Instructions, Exfiltration Commands
Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
Privilege EscalationExcessive Permissions, Sudo/Root Execution, Credential Access
Supply ChainUnpinned Dependencies, External Script Fetching, Obfuscated Code

Findings (2)

Vague Triggers

Medium

Confidence: 91% confidence
Finding: The trigger phrases are very broad generic requests like '帮我查一下快递' and '快递到哪了', which can match common conversation with little disambiguation. Overbroad activation can cause the wrong skill to run, leading to unintended browsing, logistics lookups, or collection/processing of tracking numbers when the user did not clearly intend to invoke this skill.

Natural-Language Policy Violations

Medium

Confidence: 84% confidence
Finding: Mandating Chinese output without offering language choice can cause the skill to respond in a language the user does not understand, increasing the chance of miscommunication about delivery status, exceptions, or next steps. In a logistics-support context, misunderstood status or remediation advice can lead to user confusion and mishandling of time-sensitive package issues.

VirusTotal

65/65 vendors flagged this skill as clean.

View on VirusTotal