Facebook Post Search API

Security checks across malware telemetry and agentic risk

Overview

This skill is a narrow JustOneAPI wrapper for Facebook post search, with the main caution that its API token is sent as a URL query parameter.

Install only if you trust JustOneAPI and are comfortable with its token being sent to that service in the request URL. Prefer a scoped token if available, avoid sharing logs or request URLs, and rotate the token if you suspect it was exposed.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Privilege Escalation: Excessive Permissions, Sudo/Root Execution, Credential Access
  • Supply Chain: Unpinned Dependencies, External Script Fetching, Obfuscated Code
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
Findings (2)

Missing User Warnings

Medium
Confidence: 95%
Finding
The skill places the authentication token in a URL query parameter via `applyQueryParams`, which means the secret can be exposed in logs, browser history or its equivalents, proxy infrastructure, monitoring tools, and upstream server access logs. In this skill context, the token is a required security credential for an external API, so transmitting it in the query string unnecessarily increases the chance of credential leakage beyond the immediate request path.

Missing User Warnings

Medium
Confidence: 93%
Finding
The API documentation instructs callers to send a sensitive authentication token in the URL query string. Query parameters are commonly exposed in browser history, server and proxy logs, analytics systems, referrer headers, and monitoring tools, which increases the chance of credential leakage even when HTTPS is used. In this skill context, the risk is more credible because the token is explicitly required for every request and the operation is a simple GET endpoint that encourages routine reuse of the secret.

VirusTotal

63/63 vendors flagged this skill as clean.
