Toutiao User Profile API

Security checks across malware telemetry and agentic risk

Overview

This skill is a narrow Toutiao profile lookup, but it handles the API token in ways that can expose it, so it should be reviewed before use.

Install only if you are comfortable using a JustOneAPI token with this helper and sending Toutiao user IDs to JustOneAPI. Avoid shared machines, shell logging, and logging full request URLs; prefer a revised version that reads the token directly from the environment and sends it in a header if the provider supports it.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Privilege Escalation: Excessive Permissions, Sudo/Root Execution, Credential Access
  • Supply Chain: Unpinned Dependencies, External Script Fetching, Obfuscated Code
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
Findings (1)

Missing User Warnings

Medium
Confidence: 97%
Finding
Passing an authentication token in the query string is dangerous because query parameters are commonly logged by servers, proxies, observability tools, browser history, and intermediary infrastructure. This increases the likelihood of credential leakage and unauthorized reuse of the token, especially since the manifest provides no warning or safer handling guidance.

VirusTotal

65/65 vendors flagged this skill as clean.
