Kuaishou Video Comments API

Security checks across malware telemetry and agentic risk

Overview

This is a narrow API helper for fetching public Kuaishou video comments, with the main caution that its JustOneAPI token is sent in the URL query string.

Install only if you trust JustOneAPI with the token and the Kuaishou video IDs you query. Use a scoped or disposable token where possible, avoid sharing command output or logs that could contain request URLs, and rotate the token if it may have been exposed.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Privilege Escalation: Excessive Permissions, Sudo/Root Execution, Credential Access
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Supply Chain: Unpinned Dependencies, External Script Fetching, Obfuscated Code
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
Findings (3)

Missing User Warnings

Medium
Confidence
97% confidence
Finding
The skill sends the API access token in the URL query string (`token`), which is commonly logged by client tooling, proxies, browser history, server access logs, and monitoring systems. Even though the base URL uses HTTPS, query parameters are still widely exposed in operational logs, making credential leakage more likely than if the token were sent in an authorization header.

Missing User Warnings

Low
Confidence
89% confidence
Finding
The documentation requires a `token` query parameter but does not warn that this credential is sent to an external API service, which can lead users or downstream agents to disclose sensitive tokens without informed consent. While this is a documentation and transparency issue rather than an exploit by itself, it increases the risk of accidental credential exposure, especially in agentic workflows that automatically invoke third-party endpoints.

Credential Access

High
Category
Privilege Escalation
Content
"parameters": [
  {
    "defaultValue": null,
    "description": "Access token for this API service.",
    "enumValues": [],
    "location": "query",
    "name": "token",
Confidence
97% confidence
Finding
Access token

VirusTotal

59/59 vendors flagged this skill as clean.
