Beike Community List API

Security checks across malware telemetry and agentic risk

Overview

This skill is a narrow JustOneAPI wrapper for one Beike community-list endpoint, with a real credential-handling caution because it sends the API token in the URL query string.

Install only if you are comfortable using a JustOneAPI token for this endpoint. Use a minimally scoped token if available, avoid sharing full request URLs or error logs, and rotate the token if you think a URL containing it was exposed.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Privilege Escalation: Excessive Permissions, Sudo/Root Execution, Credential Access
  • Supply Chain: Unpinned Dependencies, External Script Fetching, Obfuscated Code
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
Findings (3)

Missing User Warnings

Medium
Confidence: 98%
Finding
The skill requires an authentication token as a query parameter and then appends all query parameters directly to the request URL. Tokens in URLs are commonly exposed through logs, browser/history tooling, reverse proxies, monitoring systems, and error messages, making accidental credential disclosure more likely even when HTTPS is used. In this skill context, the issue is more dangerous because the token is a required auth secret for a third-party API and the code provides no warning or safer alternative.

Missing User Warnings

Medium
Confidence: 97%
Finding
Passing an authentication token in a query parameter is dangerous because query strings are commonly logged by clients, proxies, servers, analytics systems, and browser history, increasing the chance of credential leakage. Even over HTTPS, the token may be exposed through operational telemetry or accidental sharing of full URLs, enabling unauthorized API access if the token is reused or long-lived.

Missing User Warnings

Medium
Confidence: 93%
Finding
The skill documents a user authentication token as a query parameter without any warning about secret handling, which increases the likelihood that agents or integrators expose the token in logs, telemetry, browser history, or error traces. Passing credentials in the URL is especially risky because query strings are commonly captured by infrastructure and monitoring systems.

VirusTotal

66/66 vendors flagged this skill as clean.
