Beike API

Security checks across malware telemetry and agentic risk

Overview

This is a focused Beike data API wrapper. It carries one real but disclosed caution: its JustOneAPI token is sent in URL query parameters.

Install only if you trust JustOneAPI and are comfortable sending JUST_ONE_API_TOKEN to api.justoneapi.com. Avoid logging full request URLs or command output, use a limited-scope token if available, and rotate the token if it may have appeared in logs or debugging traces.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Privilege Escalation: Excessive Permissions, Sudo/Root Execution, Credential Access
  • Supply Chain: Unpinned Dependencies, External Script Fetching, Obfuscated Code
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
Findings (7)

Missing User Warnings

Medium
Confidence
98% confidence
Finding
The skill requires the authentication token to be transmitted as a query parameter, and the code automatically injects it into the request URL. Query-string secrets are commonly exposed via logs, proxies, browser/history tooling, monitoring systems, and error reporting, making token leakage much more likely than if the token were sent in an Authorization header.

Missing User Warnings

Medium
Confidence
96% confidence
Finding
This operation requires a user authentication token to be sent as a query parameter to an external API. Query parameters are commonly exposed in logs, browser history, analytics, proxies, and monitoring systems, so placing credentials there increases the chance of credential leakage even when HTTPS is used.

Missing User Warnings

Medium
Confidence
96% confidence
Finding
This second operation repeats the same insecure pattern by requiring an authentication token in the URL query string for a third-party API call. Reuse of this pattern across endpoints broadens exposure because any intermediary logging or request capture can reveal valid credentials across multiple workflows.

Missing User Warnings

Medium
Confidence
96% confidence
Finding
The resale housing list endpoint also places the required user token in a query parameter, creating the same credential exposure risk. Because the skill is a data-integration wrapper around an external service, this context makes the issue more significant: users may not realize their secret is being forwarded off-platform and potentially logged in multiple places.

Missing User Warnings

Medium
Confidence
94% confidence
Finding
The documentation specifies an authentication token in a query parameter, which is risky because query strings are commonly logged by servers, proxies, browser history, analytics tools, and monitoring systems. Even though this is documentation rather than executable code, it normalizes an insecure authentication pattern and may cause downstream clients to transmit sensitive credentials in places that are broadly exposed.

Missing User Warnings

Medium
Confidence
95% confidence
Finding
This endpoint documentation again requires a token in the query string, creating the same credential exposure risk through access logs, intermediary systems, and accidental URL sharing. In the skill context, this is more dangerous because agent integrations often construct URLs automatically and may log full requests during debugging or telemetry, increasing the chance of token disclosure.

Missing User Warnings

Medium
Confidence
95% confidence
Finding
The resale housing list endpoint also documents token-based authentication via query parameter, which can expose credentials anywhere full URLs are stored or forwarded. Because this skill is intended for workflow and market-data integrations, repeated insecure examples across endpoints increase the likelihood that developers will adopt the pattern broadly, amplifying exposure across multiple requests and systems.

VirusTotal

66/66 vendors flagged this skill as clean.
