JD.com Product Comments API

Security checks across malware telemetry and agentic risk

Overview

This is a focused JustOneAPI wrapper for JD.com product comments, with a real but disclosed credential-handling caution.

Install only if you are comfortable using a JustOneAPI token with this helper. Prefer a limited or easily rotated token, avoid sharing command lines or logs that may contain the token, and rotate the token if you suspect a URL containing it was captured.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Privilege Escalation: Excessive Permissions, Sudo/Root Execution, Credential Access
  • Supply Chain: Unpinned Dependencies, External Script Fetching, Obfuscated Code
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
Findings (2)

Missing User Warnings

Medium
Confidence: 96%
Finding
The skill defines the API access token as a query parameter and automatically injects it into the request URL. Query-string credentials are commonly exposed through logs, browser/history artifacts, proxy caches, monitoring systems, and error reports, so the secret may leak beyond the intended recipient. In this skill context, the risk is real because the code is a generic API wrapper and provides no warning or safer alternative for handling the token.

Missing User Warnings

Medium
Confidence: 97%
Finding
Passing an access token in a query parameter is dangerous because URLs are commonly logged by clients, proxies, gateways, browser history, and monitoring systems. In this skill, the token is explicitly defined as a required query parameter with no warning or safer auth mechanism, increasing the chance of credential leakage during normal operation.

VirusTotal

63/63 vendors flagged this skill as clean.
