Douban Movie Subject Details API

Security checks across malware telemetry and agentic risk

Overview

This is a narrow API helper for looking up Douban movie details, with a credential-handling caution because the provider token is sent in the request URL.

Install only if you are comfortable sending a JustOneAPI token and Douban lookup IDs to api.justoneapi.com. Use a revocable token where possible, avoid logging full request URLs, and rotate the token if you suspect a URL containing it was exposed.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Privilege Escalation: Excessive Permissions, Sudo/Root Execution, Credential Access
  • Supply Chain: Unpinned Dependencies, External Script Fetching, Obfuscated Code
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
Findings (1)

Missing User Warnings

Medium
Confidence: 96%
Finding
The skill defines the API access token as a query parameter and later appends all query parameters directly to the URL. Query-string secrets are commonly exposed through logs, browser history, proxy/CDN logs, monitoring systems, and error messages, which increases the chance of credential leakage even when HTTPS is used. For this skill the risk is concrete, because the CLI explicitly injects the token into the request URL on every call.

VirusTotal

64/64 vendors flagged this skill as clean.
