Weibo User Profile API

Security checks across malware telemetry and agentic risk

Overview

This skill appears to perform the advertised Weibo profile lookup, but it handles the JustOneAPI token in ways that can expose it through command arguments and request URLs.

Install only if you are comfortable sending the requested Weibo uid and your JustOneAPI token to JustOneAPI. Prefer a version that reads the token directly from a protected environment or secret store and avoids placing credentials in command arguments or URL query strings. Avoid using this on shared systems or in environments that log full process arguments or request URLs.

SkillSpector

By NVIDIA

Vulnerability Patterns

Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
Privilege EscalationExcessive Permissions, Sudo/Root Execution, Credential Access
Prompt InjectionInstruction Override, Hidden Instructions, Exfiltration Commands
Supply ChainUnpinned Dependencies, External Script Fetching, Obfuscated Code
Excessive AgencyUnrestricted Tool Access, Autonomous Decision Making, Scope Creep

Findings (2)

Missing User Warnings

Medium

Confidence: 91% confidence
Finding: The manifest requires an API access token to be sent as a query parameter to an external service, but it provides no user-facing disclosure about credential handling or transmission. Query parameters are commonly logged by clients, proxies, and servers, which increases the risk of token leakage and unauthorized reuse if exposed.

Credential Access

High

Category: Privilege Escalation
Content: "parameters": [ { "defaultValue": null, "description": "API access token.", "enumValues": [], "location": "query", "name": "token",
Confidence: 94% confidence
Finding: access token

VirusTotal

61/61 vendors flagged this skill as clean.

View on VirusTotal