Kuaishou API

Security checks across malware telemetry and agentic risk

Overview

This is a straightforward Kuaishou API lookup skill, with the main caution that its JustOneAPI token is passed in request URLs.

Install only if you trust JustOneAPI with your Kuaishou lookup requests and API token. Use a scoped, revocable token where possible, avoid logging full request URLs, and handle returned profile/comment data according to platform terms and applicable privacy expectations.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Privilege Escalation: Excessive Permissions, Sudo/Root Execution, Credential Access
  • Supply Chain: Unpinned Dependencies, External Script Fetching, Obfuscated Code
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
Findings (4)

Missing User Warnings

Medium
Confidence: 98%
Finding: The API token is defined and later transmitted as a URL query parameter, which is commonly exposed in logs, browser history, proxy records, analytics, and error telemetry. Even though the transport uses HTTPS, placing credentials in the URL increases accidental disclosure risk across multiple infrastructure layers.

Missing User Warnings

Medium
Confidence: 97%
Finding: The API requires an access token in the query string, which is more likely to be exposed through logs, browser history, intermediary systems, analytics tooling, referrer leakage, and debugging output than a header-based secret. In a skill context, this is especially risky because the same credential pattern is repeated across all operations, increasing the chance of accidental disclosure whenever the skill is invoked.

Missing User Warnings

Medium
Confidence: 83%
Finding: The skill documents use of an access token and collection of user profile data without any privacy, consent, retention, or handling guidance. In a social-media analytics context, this can normalize collection of potentially sensitive account metadata and audience information without warning, increasing the risk of misuse, overcollection, or policy violations.

Missing User Warnings

Medium
Confidence: 91%
Finding: This endpoint explicitly enables retrieval of public comment content, author information, and engagement data, but the documentation provides no warning about privacy-sensitive aggregation or downstream profiling. Even if comments are public, bulk collection and analysis can materially increase privacy risk, especially in a creator-monitoring or sentiment-analysis workflow.

VirusTotal

66/66 vendors flagged this skill as clean.