Taobao and Tmall API

Security checks across malware telemetry and agentic risk

Overview

This is a straightforward Taobao/Tmall API wrapper, but its API token is sent in URL query parameters, so users should treat logs and request URLs as sensitive.

Install only if you trust JustOneAPI and are comfortable with the token being included in request URLs. Use a token scoped to this service, avoid sharing logs or error traces that may contain full URLs, and rotate the token if it may have been exposed.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Privilege Escalation: Excessive Permissions, Sudo/Root Execution, Credential Access
  • Supply Chain: Unpinned Dependencies, External Script Fetching, Obfuscated Code
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
Findings (3)

Missing User Warnings
Severity: Medium
Confidence: 98%
Finding: The skill sends the API access token in the URL query string, which is commonly logged by proxies, servers, browser history, monitoring systems, and error tooling. Because this skill is an API wrapper handling credentials, placing secrets in the URL materially increases the chance of credential leakage even though the destination uses HTTPS.

Missing User Warnings
Severity: Medium
Confidence: 96%
Finding: The manifest requires an access token to be transmitted as a query parameter to an external API, but provides no warning or safer authentication pattern. Query-string credentials are commonly exposed in logs, browser history, proxies, monitoring systems, and referrer-like telemetry, increasing the chance of token leakage and downstream account or API abuse.

Missing User Warnings
Severity: Medium
Confidence: 88%
Finding: The documentation instructs callers to supply an access token as a query parameter but provides no warning about credential handling. Query-string secrets are commonly exposed through logs, browser history, analytics, referrers, and intermediary systems, so this can lead to token leakage and unauthorized API use.

VirusTotal

66/66 vendors flagged this skill as clean.