IMDb Awards Summary API

Security checks across malware telemetry and agentic risk

Overview

This is a narrow IMDb awards lookup helper with a real but disclosed token-handling caution.

Install only if you are comfortable using a JustOneAPI token for this endpoint. Prefer a restricted or short-lived token if available, avoid sharing command lines, logs, screenshots, or error output that may contain request URLs, and rotate the token if you think it was exposed.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Privilege Escalation: Excessive Permissions, Sudo/Root Execution, Credential Access
  • Supply Chain: Unpinned Dependencies, External Script Fetching, Obfuscated Code
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
Findings (2)

Missing User Warnings

Medium (98% confidence)
Finding
The skill sends the authentication token as a query parameter, placing it in the request URL, where it can be exposed through logs, browser history or its equivalents, proxy logs, observability systems, referrer leakage, and error messages. In this skill context the issue is more dangerous because the code is a generic API wrapper and may be run in automation environments where full URLs are routinely captured for debugging and monitoring.

Missing User Warnings

Low (95% confidence)
Finding
The API requires an authentication token in the query string, which is commonly exposed through browser history, intermediary logs, analytics tooling, reverse proxies, and referrer leakage. Documenting this parameter without warning or recommending a safer authentication mechanism increases the chance that integrators will handle credentials insecurely.

VirusTotal

65/65 vendors flagged this skill as clean.
