ClawHub

JD.com API

Security checks across malware telemetry and agentic risk

Overview

This is a narrow JD.com lookup skill that calls JustOneAPI with a user-provided API token, with a credential-handling weakness users should understand.

Install only if you trust JustOneAPI with this token. Prefer a scoped or low-privilege token if available, rotate it periodically, and avoid running the helper in environments where command lines, full URLs, proxy logs, or error traces are visible to others.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
  • Privilege EscalationExcessive Permissions, Sudo/Root Execution, Credential Access
  • Prompt InjectionInstruction Override, Hidden Instructions, Exfiltration Commands
  • Supply ChainUnpinned Dependencies, External Script Fetching, Obfuscated Code
  • Excessive AgencyUnrestricted Tool Access, Autonomous Decision Making, Scope Creep
Findings (4)

Missing User Warnings

Medium
Confidence
98% confidence
Finding
The code appends the required API token to the URL query string for every request. Query-string credentials are commonly exposed via logs, browser/history tooling, proxies, APM traces, and upstream server access logs, so this unnecessarily increases the chance of credential leakage even though the transport uses HTTPS.

Credential Access

High
Category
Privilege Escalation
Content
"parameters": [
        {
          "defaultValue": null,
          "description": "Access token for this API service.",
          "enumValues": [],
          "location": "query",
          "name": "token",
Confidence
97% confidence
Finding
Access token

Credential Access

High
Category
Privilege Escalation
Content
"parameters": [
        {
          "defaultValue": null,
          "description": "Access token for this API service.",
          "enumValues": [],
          "location": "query",
          "name": "token",
Confidence
97% confidence
Finding
Access token

Credential Access

High
Category
Privilege Escalation
Content
"parameters": [
        {
          "defaultValue": null,
          "description": "Access token for this API service.",
          "enumValues": [],
          "location": "query",
          "name": "token",
Confidence
97% confidence
Finding
Access token

VirusTotal

66/66 vendors flagged this skill as clean.

View on VirusTotal