IMDb Streaming Picks API

Security checks across malware telemetry and agentic risk

Overview

This is a focused JustOneAPI client for IMDb streaming picks, with the main caution that its API token is sent in the request URL.

Install only if you trust JustOneAPI and are comfortable with the API token being passed in the URL. Use a low-scope or revocable token where possible, avoid sharing logs or command output that might include request URLs, and rotate the token if you suspect it was exposed.

SkillSpector

By NVIDIA

Vulnerability Patterns

Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
Prompt InjectionInstruction Override, Hidden Instructions, Exfiltration Commands
Privilege EscalationExcessive Permissions, Sudo/Root Execution, Credential Access
Supply ChainUnpinned Dependencies, External Script Fetching, Obfuscated Code
Excessive AgencyUnrestricted Tool Access, Autonomous Decision Making, Scope Creep

Findings (2)

Missing User Warnings

Medium

Confidence: 97% confidence
Finding: The skill defines the authentication token as a query parameter and automatically injects it into the request URL. Query-string credentials are commonly exposed through logs, browser/history artifacts, proxy caches, monitoring systems, and error messages, so the token may be disclosed even though the request uses HTTPS. In this skill context, the risk is real because the tool is a generic API wrapper and gives no warning that secrets will be placed in the URL.

Missing User Warnings

Medium

Confidence: 95% confidence
Finding: The API documentation specifies an authentication token in the URL query string, which is commonly logged by browsers, proxies, server access logs, analytics tools, and monitoring systems. Even if the endpoint itself works as designed, documenting token transmission this way encourages insecure client implementations and increases the chance of credential leakage and unauthorized API access.

VirusTotal

65/65 vendors flagged this skill as clean.

View on VirusTotal