ClawHub

IMDb Base Info API

Security checks across malware telemetry and agentic risk

Overview

This is a narrow IMDb lookup skill, but its JustOneAPI token is sent in the request URL, so users should handle logs and shared URLs carefully.

Install only if you trust JustOneAPI with this token and account usage. Avoid sharing command output, logs, screenshots, or full request URLs that may contain the token, and rotate the token if it appears in logs. Prefer a provider or version that supports header-based authentication if available.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
  • Prompt InjectionInstruction Override, Hidden Instructions, Exfiltration Commands
  • Privilege EscalationExcessive Permissions, Sudo/Root Execution, Credential Access
  • Supply ChainUnpinned Dependencies, External Script Fetching, Obfuscated Code
  • Excessive AgencyUnrestricted Tool Access, Autonomous Decision Making, Scope Creep
Findings (3)

Missing User Warnings

Medium
Confidence
98% confidence
Finding
The skill defines the authentication token as a query parameter and later appends all query parameters directly into the request URL. Query-string tokens are commonly exposed through logs, browser/history tooling, proxies, monitoring systems, and upstream services, making accidental credential disclosure more likely even over HTTPS. In this skill context, the risk is real because the token is a required credential for a third-party API and the wrapper provides no warning or safer alternative.

Missing User Warnings

Medium
Confidence
95% confidence
Finding
Passing an authentication token as a query parameter is risky because query strings are commonly logged by clients, proxies, servers, analytics tools, and browser history. Even though this skill only performs an IMDb metadata lookup, exposure of the token could allow unauthorized reuse against the JustOneAPI account or other permitted API actions tied to that credential.

Missing User Warnings

Medium
Confidence
97% confidence
Finding
The API requires an authentication token in the query string, which is commonly logged by browsers, reverse proxies, web servers, monitoring tools, and analytics systems. This increases the chance of credential leakage through logs, referer headers, shared URLs, or debugging output, and the skill text provides no warning or safer alternative.

VirusTotal

65/65 vendors flagged this skill as clean.

View on VirusTotal