ClawHub

Weibo User Video List API

Security checks across malware telemetry and agentic risk

Overview

This skill appears to do what it claims, but it handles the required API token in exposure-prone places that users should review before installing.

Install only if you are comfortable sending your JustOneAPI token and requested Weibo UID to api.justoneapi.com. Prefer a revised version that reads the token directly from the environment and avoids putting secrets in command-line arguments or URLs; rotate the token if it may have been used in a logged or shared environment.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
  • Privilege EscalationExcessive Permissions, Sudo/Root Execution, Credential Access
  • Prompt InjectionInstruction Override, Hidden Instructions, Exfiltration Commands
  • Supply ChainUnpinned Dependencies, External Script Fetching, Obfuscated Code
  • Excessive AgencyUnrestricted Tool Access, Autonomous Decision Making, Scope Creep
Findings (3)

Missing User Warnings

Medium
Confidence
96% confidence
Finding
The skill defines the API access token as a query parameter, which causes the secret to be embedded in the URL. Query-string secrets are commonly exposed via logs, browser/history tooling, reverse proxies, analytics, and error reporting, making accidental credential disclosure more likely even when HTTPS is used.

Missing User Warnings

Medium
Confidence
97% confidence
Finding
The skill requires an API access token to be sent as a URL query parameter, which is less secure than using an Authorization header. Query parameters are commonly exposed in logs, browser history, proxy caches, analytics systems, and referrer data, increasing the chance of credential leakage even when HTTPS is used.

Credential Access

High
Category
Privilege Escalation
Content
"parameters": [
        {
          "defaultValue": null,
          "description": "API access token.",
          "enumValues": [],
          "location": "query",
          "name": "token",
Confidence
88% confidence
Finding
access token

VirusTotal

64/64 vendors flagged this skill as clean.

View on VirusTotal