Toutiao API

Security checks across malware telemetry and agentic risk

Overview

This is a straightforward Toutiao API wrapper, with the main caveat that its JustOneAPI token is sent in the request URL.

Install only if you trust JustOneAPI and are comfortable with the token being included in API request URLs. Use a limited-scope or easily rotated token where possible, and avoid sharing logs, screenshots, or command output that may contain full request URLs.

SkillSpector

By NVIDIA

Vulnerability Patterns

Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
Prompt InjectionInstruction Override, Hidden Instructions, Exfiltration Commands
Privilege EscalationExcessive Permissions, Sudo/Root Execution, Credential Access
Supply ChainUnpinned Dependencies, External Script Fetching, Obfuscated Code
Excessive AgencyUnrestricted Tool Access, Autonomous Decision Making, Scope Creep

Findings (1)

Missing User Warnings

Medium

Confidence: 97% confidence
Finding: The API authentication token is explicitly modeled as a query parameter and later appended into the request URL, which causes the secret to appear in URLs, logs, browser history, proxies, and upstream telemetry. Even though the destination uses HTTPS, query-string secrets are routinely exposed through server/access logs and observability systems, making credential leakage more likely than if the token were sent in an Authorization header.

VirusTotal

66/66 vendors flagged this skill as clean.

View on VirusTotal