IMDb Keyword Search API

Security checks across malware telemetry and agentic risk

Overview

This skill is a narrow IMDb search connector for JustOneAPI, with a credential-handling caveat because the API token is placed in the request URL.

Install only if you are comfortable sending a JustOneAPI token to api.justoneapi.com for IMDb searches. Use a scoped or low-privilege token if available, avoid sharing command lines or logs that may contain full request URLs, and rotate the token if you believe a URL containing it was exposed.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • MCP Tool Poisoning: Hidden Instructions, Unicode Deception, Parameter Description Injection
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Privilege Escalation: Excessive Permissions, Sudo/Root Execution, Credential Access
  • Supply Chain: Unpinned Dependencies, External Script Fetching, Obfuscated Code
Findings (3)

Description-Behavior Mismatch

Low
Confidence: 89%
Finding
The skill description says the API is for IMDb keyword search with a searchTerm, but the actual operation also requires a user authentication token. This mismatch can mislead users or calling agents about the true data they must supply, increasing the chance that credentials are requested or transmitted without clear disclosure to the user.

Missing User Warnings

Medium
Confidence: 97%
Finding
The skill defines the authentication token as a query parameter and injects it into the request URL, which causes the secret to be exposed in places where URLs are commonly logged or retained, such as browser history, proxy logs, server access logs, monitoring tools, and error messages. Although the request uses HTTPS, putting credentials in the URL is still unsafe because the token may leak through operational telemetry and downstream systems beyond transport encryption.

Missing User Warnings

Medium
Confidence: 98%
Finding
Passing an authentication token in the query string is dangerous because query parameters are commonly recorded by clients, proxies, gateways, and observability systems, and in browser history. In this skill, the token is sent to an external third-party API and there is no visible warning or safer auth mechanism, which raises the risk of accidental credential exposure and reuse.

VirusTotal

63/63 vendors flagged this skill as clean.
