JD.com Shop Product List API

Security checks across malware telemetry and agentic risk

Overview

This appears to be a normal JD.com product-list API skill, but it deserves review because it sends the service access token in the request URL.

Install only if you are comfortable using a JustOneAPI token with this skill. Prefer a revocable, least-privilege token, avoid sharing command output or URLs that may contain the token, and rotate the token if it may have appeared in logs or terminal history.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Privilege Escalation: Excessive Permissions, Sudo/Root Execution, Credential Access
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Supply Chain: Unpinned Dependencies, External Script Fetching, Obfuscated Code
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
Findings (1)

Credential Access

High
Category: Privilege Escalation
Content:
"parameters": [
        {
          "defaultValue": null,
          "description": "Access token for this API service.",
          "enumValues": [],
          "location": "query",
          "name": "token",
Confidence: 98%
Finding: Access token

VirusTotal

65/65 vendors flagged this skill as clean.
