Bilibili Video Comments API

Security checks across malware telemetry and agentic risk

Overview

This skill is a focused JustOneAPI wrapper for Bilibili video comments, with a real but disclosed API-token handling risk.

Install only if you are comfortable sending a JustOneAPI token to api.justoneapi.com for this endpoint. Prefer keeping the token in the JUST_ONE_API_TOKEN environment variable, avoid sharing command lines or logs that contain the token, and rotate the token if you suspect full request URLs were exposed.

SkillSpector

By NVIDIA

Vulnerability Patterns

Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
Prompt InjectionInstruction Override, Hidden Instructions, Exfiltration Commands
Privilege EscalationExcessive Permissions, Sudo/Root Execution, Credential Access
Supply ChainUnpinned Dependencies, External Script Fetching, Obfuscated Code
Excessive AgencyUnrestricted Tool Access, Autonomous Decision Making, Scope Creep

Findings (1)

Missing User Warnings

Medium

Confidence: 98% confidence
Finding: The skill defines the API access token as a query parameter and then appends all query parameters directly into the request URL. Tokens in URLs are commonly exposed through logs, browser/history equivalents, proxy traces, analytics, crash reports, and upstream monitoring systems, making accidental credential disclosure more likely than if the token were sent in an Authorization header.

VirusTotal

66/66 vendors flagged this skill as clean.

View on VirusTotal