Instagram Reels Search API

Security checks across malware telemetry and agentic risk

Overview

This is a narrow Instagram Reels search wrapper for JustOneAPI, with the main caution that the API token is sent as a URL query parameter.

Install only if you trust JustOneAPI and are comfortable sending both your search keywords and JUST_ONE_API_TOKEN to api.justoneapi.com. Treat the token as sensitive, avoid sharing command output or full request URLs, and rotate the token if you suspect it was exposed.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Privilege Escalation: Excessive Permissions, Sudo/Root Execution, Credential Access
  • Supply Chain: Unpinned Dependencies, External Script Fetching, Obfuscated Code
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
Findings (2)

Missing User Warnings

Medium (98% confidence)

Finding
The skill explicitly defines the API access token as a query parameter and later appends all query parameters directly into the request URL. Query-string credentials are commonly exposed through logs, browser history, proxy/CDN access logs, analytics, crash reports, and error messages, making unintended disclosure more likely than if the token were sent in an Authorization header.

Missing User Warnings

Medium (97% confidence)

Finding
The skill requires an access token to be sent as a query parameter, but there is no user-facing warning that a secret will be transmitted to a third-party service. Query-string credentials are especially risky because they are commonly logged by clients, proxies, gateways, browser history, and observability systems, increasing the chance of credential leakage.

VirusTotal

65/65 vendors flagged this skill as clean.
