Beike Resale Housing Details API

Security checks across malware telemetry and agentic risk

Overview

This appears to be a focused JustOneAPI data-retrieval skill that uses a user token for its API, with a credential-handling caveat but no evidence of hidden or unrelated behavior.

Install only if you are comfortable sending a JustOneAPI token to JustOneAPI for these endpoint calls. Prefer a low-scope or disposable token, avoid pasting token values into chat or logs, and rotate the token if you suspect command output, URLs, or debug logs exposed it.

SkillSpector

By NVIDIA

Vulnerability Patterns

Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
Prompt InjectionInstruction Override, Hidden Instructions, Exfiltration Commands
Privilege EscalationExcessive Permissions, Sudo/Root Execution, Credential Access
Supply ChainUnpinned Dependencies, External Script Fetching, Obfuscated Code
Excessive AgencyUnrestricted Tool Access, Autonomous Decision Making, Scope Creep

Findings (1)

Missing User Warnings

Medium

Confidence: 95% confidence
Finding: The skill requires a user authentication token as a query parameter to an external API but provides no user-facing warning about credential handling, transmission, or storage. Passing secrets in query strings is especially risky because they may be exposed in logs, telemetry, browser history, proxy caches, and debugging tools, increasing the chance of credential leakage.

VirusTotal

66/66 vendors flagged this skill as clean.

View on VirusTotal