IMDb Chart Rankings API

Security checks across malware telemetry and agentic risk

Overview

This skill is a focused IMDb rankings API helper with one credential-handling caution: its token is sent to JustOneAPI in the URL query string.

Install only if you trust JustOneAPI with this token. Use a scoped or revocable token if available, avoid sharing logs or screenshots that could include full request URLs, and rotate the token if you suspect it was exposed.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Privilege Escalation: Excessive Permissions, Sudo/Root Execution, Credential Access
  • Supply Chain: Unpinned Dependencies, External Script Fetching, Obfuscated Code
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
Findings (2)

Missing User Warnings

Medium
Confidence: 98%
Finding
The skill sends the authentication token as a query parameter, which is commonly recorded in URLs by logs, proxies, browser history, analytics systems, and monitoring tools. Even though the base URL uses HTTPS, placing secrets in the URL materially increases the chance of credential exposure compared with using an Authorization header or other non-URL secret transport.

Missing User Warnings

Medium
Confidence: 98%
Finding
Passing an authentication token in a query parameter is dangerous because query strings are commonly logged by servers, proxies, analytics tools, browser history, and monitoring systems, which can expose credentials beyond their intended destination. The risk is somewhat limited by the use of HTTPS and the skill’s read-only IMDb ranking purpose, but credential leakage could still allow unauthorized use of the external API account.

VirusTotal

65/65 vendors flagged this skill as clean.
