Safety Report

uu跑腿

Name: uu跑腿
Author: uupt-mcp

UU跑腿同城配送服务。支持跑腿配送和帮忙服务两种订单类型，包括订单询价、发单下单、查询订单、取消订单、骑手实时追踪。当用户表达任何与"送"、"取"、"寄"、"跑腿"、"发单"、"配送"、"帮忙"、"帮我"、"代取号"、"代排队"、"搬东西"等配送或帮忙需求时使用此skill。

69Downloads

0Installs

0Stars

1Versions

Security Analysis

high confidence

Suspicious0.04 risk

This delivery skill is not malware, but it needs review because it can place paid real-world courier orders and handles personal/order data with weak confirmation and privacy controls.

May 29, 202612 files5 concerns

Purpose & Capabilityconcern

The core delivery, pricing, order creation, cancellation, and rider tracking capabilities match the stated UU跑腿 purpose, but the skill explicitly tells the agent to create orders immediately after pricing without a final confirmation, which is high-impact real-world and financial authority.

Instruction Scopeconcern

The trigger text includes broad phrases such as everyday help requests, and the runtime instructions collect phone numbers and addresses, continue after registration, and place orders without a final user review step.

Install Mechanismnote

Installation is limited to common dependencies such as axios and requests and there is no observed install-time execution, but the manifest declares no environment variables even though the code and docs use UUPT_* credentials and identifiers.

Credentialsconcern

Network access to the UU跑腿 API is expected, but registration also contacts multiple public IP lookup services, and WeChat payment QR generation sends payment URLs to api.qrserver.com; these extra third-party data flows are not clearly disclosed up front.

Persistence & Privilegeconcern

The skill writes account-linked openId or supplied credentials to config.json and may write payment_qrcode.png in the skill directory, with limited guidance on file permissions, retention, or use on shared machines.

Guidance

Review before installing. Use this only if you intend the agent to handle real UU跑腿 orders, and require a final confirmation that shows addresses, phone number, service note, price, and payment method before any order is placed. Avoid using it on shared machines unless you are comfortable with config.json storing account-linked identifiers or credentials, and be aware that registration and payment QR flows may contact third-party services beyond UU跑腿.

Latest Release

v1.0.0

uupt-delivery 1.0.6 introduces a comprehensive UU跑腿同城配送服务 skill, supporting express local errands and help services: - Provides order inquiry, creation, status query, cancellation, and rider real-time tracking, with detailed usage docs. - Supports both Node.js and Python, with automatic runtime detection and installation guides for both environments. - Implements full new user onboarding via developer credentials or phone number registration. - Differentiates between "跑腿配送" and "帮忙服务" orders, auto-detects scenario per user input, and details necessary parameters for each. - Includes robust payment handling (balance, third-party pay, WeChat QR, recharge notice for help orders). - Supplies templates and command examples for all common user intents (order, cancel, status, tracking).

Popular Skills

self-improving-agent

@pskoett · 1,456 stars

Gog

@steipete · 672 stars

Tavily Web Search

@arun-8687 · 620 stars

Find Skills

@JimLiuxinghai · 529 stars

Proactive Agent

@halthelobster · 426 stars

Summarize

@summarize · 415 stars

Published by @uupt-mcp on ClawHub