Beike Resale Housing List API

Security checks across malware telemetry and agentic risk

Overview

This looks like a legitimate JustOneAPI helper, with a caution that it sends the service token in the request URL.

Install only if you trust JustOneAPI and need this Beike API wrapper. Use a scoped or revocable token, avoid exposing command lines or request URLs in logs, and rotate the token if you think URLs may have been captured by proxies, monitoring, or error logs.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Privilege Escalation: Excessive Permissions, Sudo/Root Execution, Credential Access
  • Supply Chain: Unpinned Dependencies, External Script Fetching, Obfuscated Code
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
Findings (1)

Missing User Warnings

Medium
Confidence: 95%
Finding
The skill requires an authentication token to be sent as a URL query parameter, which is less secure than using an Authorization header. Query parameters are commonly logged by client tooling, proxies, servers, browser history, and monitoring systems, so the token can be unintentionally exposed and reused by anyone who obtains those logs.

VirusTotal

66/66 vendors flagged this skill as clean.
