IMDb Release Expectation API

Security checks across malware telemetry and agentic risk

Overview

This is a narrow JustOneAPI IMDb lookup helper, with the main caution that its API token is placed in the request URL query string.

Install only if you are comfortable using a JustOneAPI token with this IMDb endpoint. Prefer a scoped or disposable token if available, avoid environments that log full URLs, keep the token out of chat and screenshots, and rotate it if you suspect command history, proxy logs, or monitoring captured it.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Privilege Escalation: Excessive Permissions, Sudo/Root Execution, Credential Access
  • Supply Chain: Unpinned Dependencies, External Script Fetching, Obfuscated Code
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
Findings (2)

Missing User Warnings

Medium
Confidence: 97%
Finding
The skill defines the authentication token as a query parameter and later injects it into the request URL. Query-string credentials are commonly exposed through logs, browser/history tooling, monitoring systems, proxies, and error reporting, so this creates unnecessary credential leakage risk even when HTTPS is used.

Missing User Warnings

Medium
Confidence: 89%
Finding
The request builder serializes all query parameters directly into the outbound URL, which includes the required token credential for this operation. Because the credential is transmitted in the URL rather than a header, it may be captured by infrastructure logs or telemetry and can be disclosed beyond the intended recipient; the skill also provides no warning that sensitive input will be sent this way.

VirusTotal

62/62 vendors flagged this skill as clean.
