IMDb User Reviews Summary API

Security checks across malware telemetry and agentic risk

Overview

This is a narrow JustOneAPI IMDb lookup skill with a real but disclosed token-handling caveat.

Install only if you trust JustOneAPI with the token and this IMDb lookup use case. Prefer a scoped or replaceable token if available, avoid sharing request URLs or logs, and rotate the token if you believe a URL containing it was exposed.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Privilege Escalation: Excessive Permissions, Sudo/Root Execution, Credential Access
  • Supply Chain: Unpinned Dependencies, External Script Fetching, Obfuscated Code
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
Findings (2)

Missing User Warnings

Medium
Confidence: 97%
Finding
The code defines `token` as a required query parameter and later appends all query parameters to the request URL, so the authentication token is sent in the URL. Tokens in URLs can be exposed via logs, browser/history equivalents, proxies, monitoring systems, error messages, and upstream infrastructure, increasing the chance of credential leakage even when HTTPS is used.

Missing User Warnings

Medium
Confidence: 97%
Finding
The API design requires the authentication token to be sent as a query parameter, which is unsafe because query strings are commonly logged by clients, proxies, gateways, and servers, and may also appear in browser history or monitoring tools. In this skill context, the risk is real but somewhat bounded because the endpoint appears to be a backend API over HTTPS; however, exposing credentials in URLs still materially increases the chance of token leakage and reuse.
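The following is an added illustration of the pattern both findings describe, not code from the skill or from JustOneAPI: one builder that appends every query parameter, including `token`, to the URL, beside a header-based variant and a redaction helper for anything that ends up in a log line or error message. The endpoint URL, the `imdb_id` parameter name and the sample values are assumptions made for the example.

```python
"""Added example (not the skill's own source): token-in-URL versus
token-in-header request construction, plus URL redaction for logs.
The host, path, `imdb_id` parameter and sample values are assumed."""
from urllib.parse import parse_qsl, urlencode, urlsplit, urlunsplit

BASE_URL = "https://api.example.invalid/imdb/reviews"  # assumed endpoint
# Query parameter names that should never reach a log in clear text.
SENSITIVE_PARAMS = {"token", "api_key", "key", "access_token"}


def build_request_token_in_query(params: dict, token: str) -> tuple[str, dict]:
    """The pattern flagged in the findings: `token` is a required query
    parameter and all query parameters are appended to the request URL,
    so the credential travels in the URL itself."""
    query = dict(params)
    query["token"] = token
    return f"{BASE_URL}?{urlencode(query)}", {}


def build_request_token_in_header(params: dict, token: str) -> tuple[str, dict]:
    """Alternative only available if the upstream API accepts it: the
    credential goes in a request header, which access logs, proxies and
    history stores do not record by default."""
    url = f"{BASE_URL}?{urlencode(params)}" if params else BASE_URL
    return url, {"Authorization": f"Bearer {token}"}


def redact_url(url: str) -> str:
    """Mask credential-bearing query values before a URL is logged,
    included in an error message or attached to a trace."""
    parts = urlsplit(url)
    query = parse_qsl(parts.query, keep_blank_values=True)
    masked = [
        (k, "REDACTED" if k.lower() in SENSITIVE_PARAMS else v) for k, v in query
    ]
    return urlunsplit(parts._replace(query=urlencode(masked)))


def token_leaks_via_url(url: str, token: str) -> bool:
    """True when the raw URL would expose the token to anything that
    records request lines."""
    return token in url


if __name__ == "__main__":
    # Constructed sample input; the token value is a placeholder.
    params = {"imdb_id": "tt0111161"}
    url, _ = build_request_token_in_query(params, "s3cr3t-token")
    print("query-string token leaks:", token_leaks_via_url(url, "s3cr3t-token"))
    print("safe to log:", redact_url(url))
    url2, hdrs = build_request_token_in_header(params, "s3cr3t-token")
    print("header token leaks:", token_leaks_via_url(url2, "s3cr3t-token"), hdrs)
```

If JustOneAPI only accepts the token as a query parameter, the header variant is not an option for this skill; what remains on the client side is redacting URLs before they are logged or echoed in errors, not sharing request URLs, and rotating the token whenever a URL containing it may have been exposed.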

VirusTotal

63/63 vendors reported this skill as clean.
