Football League Lookup - Juhe Data

Security checks across malware telemetry and agentic risk

Overview

This skill appears to be a straightforward football schedule and standings lookup tool, but users should protect the required Juhe API key.

Install only if you are comfortable using a Juhe API key for football-data lookups. Prefer the environment-variable option over passing the key on the command line, avoid sharing logs or shell history containing the key, watch your Juhe quota, and consider changing the endpoint to HTTPS if Juhe supports it.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Privilege Escalation: Excessive Permissions, Sudo/Root Execution, Credential Access
  • Supply Chain: Unpinned Dependencies, External Script Fetching, Obfuscated Code
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
Findings (2)

Missing User Warnings

Medium
Confidence: 99%
Finding
The documentation tells users to call the API over plain HTTP and place the API key directly in the URL query string. This exposes the key to interception by network observers and can also leak it through logs, proxies, browser history, or monitoring systems, enabling unauthorized use of the account quota.

Missing User Warnings

Medium
Confidence: 99%
Finding
Both API endpoints use plain HTTP, so the API key and response data are transmitted without transport encryption. An attacker on the network path could intercept or modify traffic, steal the key, replay requests, or tamper with returned sports data.

VirusTotal

No VirusTotal findings
