Bilibili User Relation Stats API

Security checks across malware telemetry and agentic risk

Overview

This is a focused API helper for one Bilibili stats endpoint, with one genuine, disclosed caveat: the API token is sent in the URL query string.

Install only if you are comfortable using a JustOneAPI token for this endpoint and understand that the token will be sent as part of the request URL. Keep the token in an environment variable, avoid sharing command logs or full request URLs, and rotate the token if you think it was exposed.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Privilege Escalation: Excessive Permissions, Sudo/Root Execution, Credential Access
  • Supply Chain: Unpinned Dependencies, External Script Fetching, Obfuscated Code
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
Findings (1)

Missing User Warnings

Medium
Confidence: 98%
Finding
The skill defines the API access token as a query parameter and later appends all query parameters directly into the URL. Query-string secrets are commonly exposed via logs, browser history, proxy/CDN logs, monitoring systems, crash reports, and referrer leakage, so the token may be disclosed beyond the intended recipient. In this CLI/API skill context, that risk is real because the code deterministically places the credential into the request URL for every call.

VirusTotal

66/66 vendors flagged this skill as clean.
