JD.com Product Details API

Security checks across malware telemetry and agentic risk

Overview

This is a narrow JD.com product lookup skill, with the main caveat that its API token is sent in the URL because the vendor endpoint requires it.

Use a scoped, revocable JustOneAPI token and avoid running this skill where full URLs may be captured in shared logs, shell history, monitoring, or screenshots. Treat request URLs as sensitive because the vendor API uses token-in-query authentication.

SkillSpector

By NVIDIA

Vulnerability Patterns

Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
Prompt InjectionInstruction Override, Hidden Instructions, Exfiltration Commands
Privilege EscalationExcessive Permissions, Sudo/Root Execution, Credential Access
Supply ChainUnpinned Dependencies, External Script Fetching, Obfuscated Code
Excessive AgencyUnrestricted Tool Access, Autonomous Decision Making, Scope Creep

Findings (1)

Missing User Warnings

Medium

Confidence: 97% confidence
Finding: The skill sends the API token in the URL query string, which is routinely exposed through logs, browser/history artifacts, reverse proxies, observability tooling, and upstream services. Although the request uses HTTPS, query parameters are still more broadly recorded than headers, so the token can be unintentionally disclosed and reused.

VirusTotal

64/64 vendors flagged this skill as clean.

View on VirusTotal