Kuaishou Video Search API

Security checks across malware telemetry and agentic risk

Overview

This is a narrow JustOneAPI wrapper for Kuaishou video search, with a real but disclosed credential-handling hygiene risk.

Install only if you trust JustOneAPI and are comfortable sending Kuaishou search keywords and a JUST_ONE_API_TOKEN to that service. Use a dedicated or low-privilege token if available, avoid sharing logs or full request URLs, and rotate the token if you stop using the skill or suspect exposure.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Privilege Escalation: Excessive Permissions, Sudo/Root Execution, Credential Access
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Supply Chain: Unpinned Dependencies, External Script Fetching, Obfuscated Code
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
Findings (3)

Missing User Warnings

Medium
Confidence
97% confidence
Finding
The skill sends the API access token as a query parameter, which is commonly exposed in logs, browser/history artifacts, proxy caches, monitoring systems, and upstream infrastructure. Even though the request uses HTTPS, placing credentials in the URL increases the chance of accidental disclosure compared with using an Authorization header or other secret-bearing header.

Missing User Warnings

Medium
Confidence
94% confidence
Finding
The operation documentation does not warn that user-provided search keywords and the service access token are transmitted to an external API. In an agent setting, this can cause unanticipated disclosure of potentially sensitive user intent or internal credentials, especially if the agent uses the tool without clearly informing the user.

Credential Access

High
Category
Privilege Escalation
Content
"parameters": [
        {
          "defaultValue": null,
          "description": "Access token for this API service.",
          "enumValues": [],
          "location": "query",
          "name": "token",
Confidence
88% confidence
Finding
Access token

VirusTotal

65/65 vendors flagged this skill as clean.
