Taobao and Tmall Product Details API

Security checks across malware telemetry and agentic risk

Overview

This skill is a narrow JustOneAPI connector for Taobao/Tmall product details, but users should treat its API token carefully because it is sent as a URL query parameter.

Install only if you trust JustOneAPI and this publisher. Use a scoped or low-privilege token where possible, avoid sharing command lines or logs containing full request URLs, and rotate the token if it may have been exposed.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Privilege Escalation: Excessive Permissions, Sudo/Root Execution, Credential Access
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Supply Chain: Unpinned Dependencies, External Script Fetching, Obfuscated Code
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
Findings (9)

Missing User Warnings

Medium
Confidence: 98%
Finding: The skill explicitly defines the API access token as a query parameter and later appends all query parameters directly into the URL. Secrets in URLs are commonly exposed through logs, browser history, proxy logs, monitoring systems, crash reports, and referrer leakage, so this creates real credential exposure risk even when HTTPS is used.

Missing User Warnings

Medium
Confidence: 95%
Finding: The manifest requires an access token to be sent as a query parameter, which is commonly logged by browsers, proxies, CDNs, reverse proxies, analytics systems, and server access logs. Even if sent over HTTPS, query-string credentials are more likely to leak through telemetry and operational logs, making credential exposure materially more likely.

Missing User Warnings

Medium
Confidence: 93%
Finding: The documentation specifies an access token in the URL query string, which is a risky credential-handling pattern because query parameters are commonly captured in browser history, proxy logs, analytics systems, server access logs, and referrer headers. Even though this file is only documentation, it directly encourages insecure API usage and can lead integrators to expose long-lived credentials unintentionally.

Missing User Warnings

Medium
Confidence: 95%
Finding: The repeated endpoint definitions normalize the same insecure pattern across multiple API versions by requiring a sensitive token as a query parameter without any cautionary note. This increases the likelihood that downstream users, logs, monitoring tools, and intermediaries will persist or leak credentials, and the repetition makes the unsafe practice appear intentional and acceptable.

Credential Access

High
Category: Privilege Escalation
Content (this identical parameter definition is reported five times, once per endpoint definition in the manifest; the five reports are collapsed here):
"parameters": [
        {
          "defaultValue": null,
          "description": "Access token for this API service.",
          "enumValues": [],
          "location": "query",
          "name": "token",
Confidence: 91%
Finding: Access token declared with "location": "query", so the credential travels in the request URL rather than in a header or body.
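
Every finding on this page reduces to one check: does a credential-like parameter carry "location": "query"? The block below is an added example, not code from the SkillSpector report, from JustOneAPI or from the skill itself. It runs that check over a manifest and also redacts token values from request URLs before they are written to a log or pasted into a ticket, which is the precaution the overview asks for. The parameter objects copy the shape quoted in the findings ("name", "location", "description"); the "endpoints"/"path" wrapping, the endpoint paths, the num_iid parameter, the example host and the token values are assumptions constructed for the demo.

```python
"""Added example (not part of the SkillSpector report, JustOneAPI or the skill).

1. find_query_credentials(): flags manifest parameters that put a credential-like
   value in the URL query string, the pattern every finding on this page reports.
2. redact_url(): strips those values from a request URL before it is logged or
   pasted into a ticket, so the token does not persist in operational logs.
"""
import json
import re
from urllib.parse import parse_qsl, urlencode, urlsplit, urlunsplit

# Constructed manifest. The parameter objects copy the shape quoted in the findings
# ("name", "location", "description"); the "endpoints"/"path" wrapping, the paths
# and the num_iid parameter are assumptions made for this demo.
SAMPLE_MANIFEST = json.dumps({
    "endpoints": [
        {
            "path": "/product/detail/v1",
            "parameters": [
                {"name": "token", "location": "query",
                 "description": "Access token for this API service."},
                {"name": "num_iid", "location": "query",
                 "description": "Product id."},
            ],
        },
        {
            "path": "/product/detail/v2",
            "parameters": [
                {"name": "token", "location": "query",
                 "description": "Access token for this API service."},
            ],
        },
        {
            # Same credential, but carried in a header: not flagged.
            "path": "/product/detail/v3",
            "parameters": [
                {"name": "token", "location": "header",
                 "description": "Access token for this API service."},
            ],
        },
    ]
})

# Parameter names that usually carry a secret; matched case-insensitively.
SECRET_NAME_RE = re.compile(r"token|secret|api[_-]?key|password|passwd", re.I)


def find_query_credentials(manifest_json: str) -> list:
    """Return one finding per credential-like parameter with location "query".

    Header and body placement are not flagged: the exposure the report describes
    (access logs, proxy logs, browser history, Referer) is specific to the URL.
    """
    manifest = json.loads(manifest_json)
    findings = []
    for endpoint in manifest.get("endpoints", []):
        for param in endpoint.get("parameters", []):
            name = param.get("name", "")
            if param.get("location") == "query" and SECRET_NAME_RE.search(name):
                findings.append({
                    "endpoint": endpoint.get("path"),
                    "parameter": name,
                    "reason": "credential sent as URL query parameter",
                })
    return findings


def redact_url(url: str, secret_names=("token", "secret", "api_key", "password")) -> str:
    """Replace the value of secret-named query parameters with REDACTED.

    Apply to any request URL before it reaches a log line, a crash report or a
    shell history. Other parameters, the path and the fragment are preserved.
    """
    parts = urlsplit(url)
    pairs = parse_qsl(parts.query, keep_blank_values=True)
    cleaned = [(k, "REDACTED" if k.lower() in secret_names else v) for k, v in pairs]
    return urlunsplit(parts._replace(query=urlencode(cleaned)))


if __name__ == "__main__":
    for f in find_query_credentials(SAMPLE_MANIFEST):
        print(f"{f['endpoint']}: parameter '{f['parameter']}' {f['reason']}")
    # Constructed URL; the host and token value are placeholders.
    print(redact_url("https://api.example.com/product/detail/v1?num_iid=123&token=abc123"))
```

Run as a script it lists the two query-located token parameters (the header-located one in v3 is not flagged) and prints the redacted URL. Redaction only protects your own logs and history; the token still reaches the provider in the URL, so the overview's advice to use a scoped token and rotate it on suspected exposure still applies.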

VirusTotal

None of the 65 VirusTotal vendors flagged this skill; all 65 reported it clean. A clean antivirus verdict covers known-malware signatures only and does not bear on the credential-handling findings above.
