Weibo Post Comments API

Security checks across malware telemetry and agentic risk

Overview

The skill only calls the advertised Weibo comments API, but it passes the JustOneAPI token in places that can expose it unnecessarily.

Install only if you trust JustOneAPI and are comfortable sending a JustOneAPI token to api.justoneapi.com as a URL query parameter. Use a limited-scope token if available, avoid sharing command logs or full request URLs, and rotate the token if it may have appeared in logs or telemetry.

SkillSpector

By NVIDIA

Vulnerability Patterns

Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
Prompt InjectionInstruction Override, Hidden Instructions, Exfiltration Commands
Privilege EscalationExcessive Permissions, Sudo/Root Execution, Credential Access
Supply ChainUnpinned Dependencies, External Script Fetching, Obfuscated Code
Excessive AgencyUnrestricted Tool Access, Autonomous Decision Making, Scope Creep

Findings (1)

Missing User Warnings

Medium

Confidence: 96% confidence
Finding: The skill defines the API token as a query parameter and automatically injects it into the request URL. Query-string credentials are commonly exposed through logs, browser/history tooling, upstream proxies, monitoring systems, and error traces, making accidental credential disclosure more likely even when HTTPS is used.

VirusTotal

65/65 vendors flagged this skill as clean.

View on VirusTotal