Amazon Product Details API

Security checks across malware telemetry and agentic risk

Overview

This is a focused JustOneAPI wrapper for Amazon product details, with one credential-handling caveat: its API token is sent as a query parameter to the intended service.

Install only if you trust JustOneAPI and are comfortable with your token being sent to api.justoneapi.com as a URL query parameter. Use a limited or revocable token if available, avoid sharing command output or logs that may include request URLs, and rotate the token if you suspect it was logged.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Privilege Escalation: Excessive Permissions, Sudo/Root Execution, Credential Access
  • Supply Chain: Unpinned Dependencies, External Script Fetching, Obfuscated Code
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
Findings (1)

Missing User Warnings

Medium
Confidence: 96%
Finding
The skill sends the API authentication token in the URL query string (`token`), which is commonly logged by clients, proxies, gateways, server access logs, browser history, and observability tooling. Even though the request goes over HTTPS, query parameters are still widely exposed in metadata and error reporting, so the credential can be unintentionally disclosed and reused by anyone who obtains those logs.

VirusTotal

65/65 vendors flagged this skill as clean.
