IMDb API

Security checks across malware telemetry and agentic risk

Overview

This is a straightforward IMDb lookup skill for JustOneAPI, with a credential-handling caveat but no evidence of hidden or destructive behavior.

Install only if you are comfortable sending IMDb lookup terms, IMDb IDs, filters, and your JustOneAPI token to JustOneAPI. Treat the token as sensitive and preferably use a revocable or low-scope token because it is sent in the request URL.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • MCP Tool Poisoning: Hidden Instructions, Unicode Deception, Parameter Description Injection
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Privilege Escalation: Excessive Permissions, Sudo/Root Execution, Credential Access
  • Supply Chain: Unpinned Dependencies, External Script Fetching, Obfuscated Code
Findings (5)

Description-Behavior Mismatch

Medium
Confidence: 93%
Finding
The manifest description materially understates the skill’s actual scope, mentioning only a few IMDb capabilities while the OpenAPI spec exposes many additional operations such as search, news, reviews, rankings, and contribution-related endpoints. This can mislead users and reviewers about what data the skill can access and transmit, weakening informed consent and trust boundaries even though it is not direct code execution.

Missing User Warnings

Low
Confidence: 94%
Finding
The skill instructs the agent to send user-supplied parameters to an authenticated third-party API, but it does not tell the user that their inputs will be transmitted off-platform. This creates a privacy and consent issue, especially if users provide identifiers or other sensitive query values assuming local processing.

Missing User Warnings

Medium
Confidence: 97%
Finding
The authentication token is defined and transmitted as a query parameter, which risks exposure through logs, browser history or its equivalents, upstream proxies, analytics systems, and server access logs. Even over HTTPS, query strings are commonly captured by infrastructure components, making credential leakage more likely than with an Authorization header.

Missing User Warnings

Medium
Confidence: 97%
Finding
Passing the authentication token in the query string is dangerous because query parameters are commonly recorded in logs, browser history, intermediary proxies, analytics systems, and error traces. The absence of prominent disclosure increases the chance that users will provide secrets without understanding that they may be exposed beyond the intended recipient.

Missing User Warnings

Medium
Confidence: 90%
Finding
The documentation requires a user authentication token in query parameters for external API calls without clearly warning that the token will be transmitted to a third-party service. This creates a real risk of inadvertent secret disclosure, especially because query parameters are commonly logged by clients, proxies, gateways, and server access logs.

VirusTotal

66/66 vendors flagged this skill as clean.
