Bilibili Video Search API

Security checks across malware telemetry and agentic risk

Overview

This skill does what it claims, but its JustOneAPI token is sent in the request URL and should be handled carefully.

Install only if you are comfortable sending your JustOneAPI token to api.justoneapi.com as a URL query parameter. Avoid sharing logs, terminal history, screenshots, or error output that might contain request URLs, and prefer a future version that supports Authorization-header authentication if available.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Privilege Escalation: Excessive Permissions, Sudo/Root Execution, Credential Access
  • Supply Chain: Unpinned Dependencies, External Script Fetching, Obfuscated Code
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
Findings (3)

Missing User Warnings (Medium, 97% confidence)

Finding: The skill defines the API token as a query parameter and automatically injects it into the request URL. Query-string credentials are commonly exposed through logs, browser/history tooling, proxy infrastructure, monitoring systems, and error messages, making accidental credential disclosure more likely even when HTTPS is used.

Missing User Warnings (Medium, 95% confidence)

Finding: The manifest requires an API access token as a query parameter and does not provide any user-facing warning that credentials will be transmitted to an external third-party service. Sending sensitive tokens in query strings is risky because they may be logged by clients, intermediaries, or servers, increasing the chance of credential exposure.

Missing User Warnings (Medium, 78% confidence)

Finding: The documentation requires a `token` query parameter but provides no warning about secure credential handling, which can encourage implementations that place secrets in URLs. Query-string tokens are commonly logged by clients, proxies, analytics systems, and server access logs, increasing the risk of credential leakage and unauthorized API use.

VirusTotal

64/64 vendors flagged this skill as clean.
