Amazon Best Sellers API

Security checks across malware telemetry and agentic risk

Overview

This is a focused API helper for JustOneAPI Amazon Best Sellers, with a disclosed token requirement and no hidden local access or persistence.

Install only if you trust JustOneAPI and are comfortable sending category lookups to that service. Keep JUST_ONE_API_TOKEN secret, avoid sharing command output or URLs that may contain it, review provider pricing/rate limits, and rotate the token if it appears in logs.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Privilege Escalation: Excessive Permissions, Sudo/Root Execution, Credential Access
  • Supply Chain: Unpinned Dependencies, External Script Fetching, Obfuscated Code
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
Findings (2)

Missing User Warnings

Medium, 98% confidence
Finding
Passing an authentication token in the query string is risky because URLs are commonly logged by servers, proxies, analytics systems, browser history, and monitoring tools. This increases the chance of credential leakage and unauthorized reuse of the token, especially in multi-tenant API infrastructure or debugging environments.

Missing User Warnings

Medium, 96% confidence
Finding
The documentation explicitly places an authentication token in a query parameter, which is risky because query strings are commonly logged by servers, proxies, analytics tools, browser history, and monitoring systems. Even though this is API documentation rather than executable code, it encourages an insecure authentication pattern that can lead to credential disclosure and downstream account or API misuse.

VirusTotal

66/66 vendors flagged this skill as clean.
