ClawHub

Kuaishou User Search API

Security checks across malware telemetry and agentic risk

Overview

This is a narrow JustOneAPI helper for searching Kuaishou users, with a real but disclosed credential-handling caveat.

Install only if you trust JustOneAPI and are comfortable sending a Kuaishou search API token to its service. Keep the token scoped and revocable, avoid pasting it into prompts or logs, and be aware this implementation places the token in the request URL query string.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
  • Prompt InjectionInstruction Override, Hidden Instructions, Exfiltration Commands
  • Privilege EscalationExcessive Permissions, Sudo/Root Execution, Credential Access
  • Supply ChainUnpinned Dependencies, External Script Fetching, Obfuscated Code
  • Excessive AgencyUnrestricted Tool Access, Autonomous Decision Making, Scope Creep
Findings (3)

Missing User Warnings

Medium
Confidence
98% confidence
Finding
The skill sends the API access token as a URL query parameter, which is commonly exposed through logs, browser history, proxy records, monitoring systems, and upstream infrastructure. Even though the request uses HTTPS, query-string secrets are more broadly propagated than headers and there is no warning to users that their credential will be transmitted this way.

Missing User Warnings

Medium
Confidence
98% confidence
Finding
The skill requires an access token to be sent in the URL query string, which is commonly logged by clients, servers, proxies, browser history, and observability tooling. Even over HTTPS, query parameters are more broadly exposed than headers, so this increases the chance of credential leakage and unauthorized API use.

Missing User Warnings

Medium
Confidence
96% confidence
Finding
The API requires a sensitive `token` in the query string, and the documentation does not warn that query parameters are commonly exposed via logs, browser history, proxies, analytics, and monitoring systems. This increases the likelihood of credential leakage and subsequent unauthorized API use if integrators follow the spec as written.

VirusTotal

63/63 vendors flagged this skill as clean.

View on VirusTotal