Taobao and Tmall Shop Product List API

Security checks across malware telemetry and agentic risk

Overview

This is a narrow JustOneAPI wrapper for Taobao/Tmall shop product-list lookups, but its API token is sent in the request URL query string.

Install only if you trust JustOneAPI with the token and shop/user identifiers you provide. Prefer a scoped token if available, avoid sharing command lines or logs that may contain the token, and rotate the token if it may have been exposed. A future version should send the token in a request header rather than in the query string.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Privilege Escalation: Excessive Permissions, Sudo/Root Execution, Credential Access
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Supply Chain: Unpinned Dependencies, External Script Fetching, Obfuscated Code
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
Findings (7)

Missing User Warnings

Severity: Medium
Confidence: 98%
Finding: The skill defines the required access token as a query parameter, and later appends all query parameters directly into the request URL. Query-string credentials are prone to leakage via logs, browser/history tooling, proxy and CDN logs, error telemetry, and upstream observability systems even when HTTPS is used. In this CLI context, the risk is heightened because users may also pass the token on the command line, exposing it to shell history and process inspection in addition to URL leakage.

Missing User Warnings

Severity: Medium
Confidence: 97%
Finding: The API requires a sensitive access token to be sent as a query parameter, which is commonly logged by clients, proxies, gateways, browser history, and monitoring systems. Even though the base URL uses HTTPS, placing credentials in the URL materially increases exposure compared with using an Authorization header or other secret-safe mechanism.

Missing User Warnings

Severity: Medium
Confidence: 94%
Finding: The documentation specifies an access token as a required query parameter, which commonly causes credentials to be exposed in browser history, intermediary logs, analytics systems, referrer headers, and server access logs. Even though this is documentation rather than executable code, it encourages an insecure integration pattern that can lead to token leakage and unauthorized API use.

Missing User Warnings

Severity: Low
Confidence: 78%
Finding: The skill description and operation docs indicate that userId/shopId and catalog data are sent to an external API service, but they do not disclose this data-sharing behavior or provide a privacy warning. In this context the data appears business-oriented rather than highly sensitive, which lowers severity, but the omission can still mislead users about where identifiers and shop-related data are transmitted.

Credential Access

Severity: High
Category: Privilege Escalation
Content:
  "parameters": [
    {
      "defaultValue": null,
      "description": "Access token for this API service.",
      "enumValues": [],
      "location": "query",
      "name": "token",
Confidence: 95%
Finding: Access token

Credential Access

Severity: High
Category: Privilege Escalation
Content:
  "parameters": [
    {
      "defaultValue": null,
      "description": "Access token for this API service.",
      "enumValues": [],
      "location": "query",
      "name": "token",
Confidence: 95%
Finding: Access token

Credential Access

Severity: High
Category: Privilege Escalation
Content:
  "parameters": [
    {
      "defaultValue": null,
      "description": "Access token for this API service.",
      "enumValues": [],
      "location": "query",
      "name": "token",
Confidence: 95%
Finding: Access token

VirusTotal

65/65 vendors flagged this skill as clean.