Douban Movie Review Details API

Security checks across malware telemetry and agentic risk

Overview

This skill is a narrow JustOneAPI helper for one Douban review-detail lookup, with a real but disclosed caution that its API token is sent as a query parameter.

Install only if you trust JustOneAPI with the API token. Use a limited-scope token if available, avoid sharing command output or full request URLs, and rotate the token if it may have appeared in logs, screenshots, shell history, proxies, or error reports.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Privilege Escalation: Excessive Permissions, Sudo/Root Execution, Credential Access
  • Supply Chain: Unpinned Dependencies, External Script Fetching, Obfuscated Code
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
Findings (1)

Missing User Warnings

Medium
Confidence: 93%
Finding
The manifest exposes an access token as a normal query parameter without any user-facing warning, secure handling guidance, or indication that it is sensitive. This increases the chance that the token could be requested from users unnecessarily, logged in telemetry, embedded in URLs, or leaked through browser history, proxies, or monitoring systems.

VirusTotal

66/66 vendors flagged this skill as clean.
