Facebook API

Security checks across malware telemetry and agentic risk

Overview

This is a straightforward JustOneAPI Facebook API wrapper, with a real but disclosed token-handling weakness users should account for.

Install only if you are comfortable sending a JustOneAPI token and your Facebook search/profile inputs to JustOneAPI. Use a scoped or disposable token if available, avoid sharing command lines or logs that may contain the token, and rotate the token if you suspect it was exposed.

SkillSpector

By NVIDIA

Vulnerability Patterns

Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
Prompt InjectionInstruction Override, Hidden Instructions, Exfiltration Commands
Privilege EscalationExcessive Permissions, Sudo/Root Execution, Credential Access
Supply ChainUnpinned Dependencies, External Script Fetching, Obfuscated Code
Excessive AgencyUnrestricted Tool Access, Autonomous Decision Making, Scope Creep

Findings (5)

Missing User Warnings

Medium

Confidence: 97% confidence
Finding: This skill sends the API authentication token as a query string parameter, which is routinely exposed in browser history, proxy logs, server access logs, monitoring tools, and error messages. Even though the transport uses HTTPS, placing secrets in the URL materially increases accidental credential leakage risk compared with using an Authorization header or request body for non-GET flows.

Missing User Warnings

Medium

Confidence: 88% confidence
Finding: The script transmits user-supplied inputs and credentials to an external domain (api.justoneapi.com) without any user-facing notice at execution time. In a skill context, this can surprise users into sending sensitive tokens, profile identifiers, keywords, or URLs off-platform, increasing privacy and data-handling risk even if the endpoint is legitimate.

Missing User Warnings

Medium

Confidence: 96% confidence
Finding: The endpoint requires an authentication token in the URL query string, which is prone to accidental disclosure through browser history, server logs, reverse proxies, analytics tools, and referrer headers. Because this file is API documentation for a skill, the pattern is more dangerous: it encourages downstream integrators and agents to handle credentials insecurely by design.

Missing User Warnings

Medium

Confidence: 95% confidence
Finding: This endpoint also documents a security token in the query string, creating the same credential-leakage risk across routine request handling and observability systems. Repeating the pattern across multiple operations increases the chance that consumers normalize unsafe secret handling and expose tokens at scale.

Missing User Warnings

Medium

Confidence: 95% confidence
Finding: The search endpoint exposes the same insecure authentication model by placing the API token in the query string, where it may be captured by intermediaries and monitoring systems. In a search workflow, requests may be frequent and broadly integrated, which increases exposure surface and the likelihood of token leakage.

VirusTotal

66/66 vendors flagged this skill as clean.

View on VirusTotal