IMDb News by Category API

Security checks across malware telemetry and agentic risk

Overview

This is a narrow JustOneAPI IMDb news lookup skill, with the main caveat that its API token is sent in the URL query string.

Install only if you trust JustOneAPI and are comfortable with this service using URL-based tokens. Use a limited-scope token if available, avoid sharing command output or logs that may include request URLs, and rotate the token if it may have been exposed.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Privilege Escalation: Excessive Permissions, Sudo/Root Execution, Credential Access
  • Supply Chain: Unpinned Dependencies, External Script Fetching, Obfuscated Code
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
Findings (2)

Missing User Warnings

Medium
Confidence: 98%
Finding
The skill requires the authentication token to be sent as a URL query parameter, which is unsafe because query strings are commonly recorded in logs, browser history, proxies, monitoring systems, and error reports. Even though the request is sent over HTTPS, placing secrets in the URL increases the chance of credential leakage beyond the intended recipient.

Missing User Warnings

Medium
Confidence: 97%
Finding
The API requires the authentication token to be sent in the URL query string, which is commonly logged by clients, proxies, gateways, browser history, analytics systems, and server access logs. This increases the chance of credential leakage and unauthorized reuse of the token even if TLS is used in transit.

VirusTotal

65/65 vendors flagged this skill as clean.
