IMDb Countries of Origin API

Security checks across malware telemetry and agentic risk

Overview

This is a narrow IMDb metadata lookup skill, with the main caveat that its API token is sent in the request URL.

Install only if you trust JustOneAPI with the IMDb lookup request and token. Use a low-scope token if available, avoid logging full request URLs, rotate the token if it may have appeared in logs, and override languageCountry when you need non-US localized results.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Privilege Escalation: Excessive Permissions, Sudo/Root Execution, Credential Access
  • Supply Chain: Unpinned Dependencies, External Script Fetching, Obfuscated Code
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
Findings (2)

Missing User Warnings

Medium
Confidence: 98%
Finding
The skill defines the authentication token as a query parameter and later appends all query parameters directly into the request URL. Query-string tokens are commonly exposed through logs, browser history or its equivalents, intermediary proxies, monitoring systems, and error messages, making accidental credential disclosure more likely than if the token were sent in an Authorization header. In this skill context, the risk is somewhat elevated because the code is a generic API wrapper and may be run in automated agent environments where URLs are frequently logged for debugging and tracing.

Missing User Warnings

Medium
Confidence: 97%
Finding
The API requires an authentication token in the query string, which is commonly logged by clients, proxies, gateways, browser history, and monitoring systems. Even though the endpoint appears to retrieve low-risk IMDb metadata, leakage of the token could allow unauthorized reuse against the provider's broader API surface or consume the user's quota.

VirusTotal

65/65 vendors flagged this skill as clean.
