Bilibili Video Danmaku API

Security checks across malware telemetry and agentic risk

Overview

This skill is a focused JustOneAPI helper for fetching Bilibili danmaku, with a real but disclosed token-in-URL handling risk.

Install only if you trust JustOneAPI and are comfortable sending a JUST_ONE_API_TOKEN to api.justoneapi.com. Use a restricted or easily revocable token if possible, and avoid sharing logs, screenshots, or full request URLs because the token may appear in the query string.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Privilege Escalation: Excessive Permissions, Sudo/Root Execution, Credential Access
  • Supply Chain: Unpinned Dependencies, External Script Fetching, Obfuscated Code
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
Findings (2)

Missing User Warnings

Severity: Medium
Confidence: 98%
Finding
The skill defines the API token as a query parameter and automatically appends it to the request URL. Query-string secrets are commonly exposed through logs, browser history, proxy/CDN logs, monitoring systems, and error messages, so the token may be leaked even when HTTPS is used. In this skill, the risk is real because the code explicitly injects the token into params and then serializes all query parameters into the URL.

Missing User Warnings

Severity: Medium
Confidence: 95%
Finding
The manifest defines an access token as a required query parameter without any user-facing disclosure or safer authentication scheme. Query-string secrets are commonly exposed in logs, browser history, proxy traces, and telemetry, making credential leakage more likely if the skill is invoked through multiple intermediaries.

VirusTotal

63/63 vendors flagged this skill as clean.
