Douban Movie Movie Reviews API

Security checks across malware telemetry and agentic risk

Overview

This skill is a narrow JustOneAPI wrapper for fetching Douban movie reviews, with disclosed credential use but some token-handling hygiene risks.

Install only if you are comfortable sending a JustOneAPI token to api.justoneapi.com. Use a limited or revocable token, avoid running the CLI on shared systems where command-line arguments or request URLs may be logged, and rotate the token if it may have been exposed.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Privilege Escalation: Excessive Permissions, Sudo/Root Execution, Credential Access
  • Supply Chain: Unpinned Dependencies, External Script Fetching, Obfuscated Code
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
Findings (2)

Missing User Warnings

Medium
Confidence: 98%
Finding
The skill defines the API token as a query parameter and later appends all query parameters directly into the URL. Query-string credentials are commonly exposed through logs, browser/history artifacts, proxies, monitoring systems, error messages, and upstream infrastructure, making accidental credential disclosure more likely than if the token were sent in an Authorization header.

Missing User Warnings

Medium
Confidence: 92%
Finding
The manifest requires a token parameter but provides no user-facing warning that a credential must be supplied to a third-party endpoint. This can lead users or calling agents to transmit sensitive API credentials without clear disclosure, increasing the risk of inadvertent secret exposure, misuse, or unsafe handling in logs and debugging traces.

VirusTotal

66/66 vendors flagged this skill as clean.