Douban Movie Recent Hot Tv API

Security checks across malware telemetry and agentic risk

Overview

This is a focused JustOneAPI wrapper for one Douban TV endpoint, with a real token-in-URL handling caveat but no hidden or unrelated behavior found.

Install only if you trust JustOneAPI and are comfortable using a JUST_ONE_API_TOKEN with api.justoneapi.com. Prefer a scoped or revocable token, avoid sharing token values in chat or logs, and be aware that this API design places the token in the request URL query string.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Privilege Escalation: Excessive Permissions, Sudo/Root Execution, Credential Access
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Supply Chain: Unpinned Dependencies, External Script Fetching, Obfuscated Code
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
Findings (3)

Missing User Warnings

Medium
Confidence
97% confidence
Finding
The skill explicitly defines the API access token as a query parameter and later appends all query parameters to the URL, causing the credential to be placed in the request URI. Query-string secrets are commonly exposed through logs, browser history, intermediary proxies, monitoring systems, and error reports, making credential leakage significantly more likely even when HTTPS is used.

Missing User Warnings

Medium
Confidence
96% confidence
Finding
The API requires an access token in a query parameter, but the manifest provides no user-facing warning that a credential will be transmitted this way. Query parameters are commonly logged by clients, proxies, gateways, and server access logs, which increases the risk of token exposure beyond the immediate request.

Credential Access

High
Category
Privilege Escalation
Content
"parameters": [
        {
          "defaultValue": null,
          "description": "Access token for this API service.",
          "enumValues": [],
          "location": "query",
          "name": "token",
Confidence
97% confidence
Finding
Access token

VirusTotal

65/65 vendors flagged this skill as clean.
