IMDb Box Office Summary API

Security checks across malware telemetry and agentic risk

Overview

This is a narrow IMDb box-office lookup skill with one real but limited caution: its API token is sent in the request URL.

Use a dedicated, revocable JustOneAPI token, keep it in an environment variable or secret store, avoid logging full request URLs, and rotate the token if it may have appeared in logs, screenshots, shell history, or error traces.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Privilege Escalation: Excessive Permissions, Sudo/Root Execution, Credential Access
  • Supply Chain: Unpinned Dependencies, External Script Fetching, Obfuscated Code
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
Findings (2)

Missing User Warnings

Medium
Confidence: 98%
Finding
The skill defines the authentication token as a query parameter and automatically injects it into the request URL. Query-string tokens are commonly exposed through logs, browser/history tooling, proxy infrastructure, monitoring systems, and error reporting, making credential leakage more likely even when HTTPS is used. In this skill context, the risk is real because the code is a thin API wrapper and every authenticated call will place the secret directly in the URL.

Missing User Warnings

Medium
Confidence: 98%
Finding
Passing an authentication token in the query string is dangerous because URLs are commonly logged by servers, proxies, analytics systems, browser history, and observability tools. Even when sent over HTTPS, the token may still be exposed through downstream logging or accidental sharing, enabling unauthorized API access if the token is recovered.

VirusTotal

65/65 vendors flagged this skill as clean.