ClawHub

Weibo Search User Published Posts API

Security checks across malware telemetry and agentic risk

Overview

This skill is a narrow Weibo API wrapper, but it handles a real JustOneAPI token in ways that could expose it in command arguments and request URLs.

Review before installing if you will use a real JustOneAPI token. The skill appears narrow and non-destructive, but use it only in a trusted environment, avoid shared shells or command logging, and prefer a version that reads the token from a secret store or environment internally and avoids putting credentials in URLs.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
  • Privilege EscalationExcessive Permissions, Sudo/Root Execution, Credential Access
  • Prompt InjectionInstruction Override, Hidden Instructions, Exfiltration Commands
  • Supply ChainUnpinned Dependencies, External Script Fetching, Obfuscated Code
  • Excessive AgencyUnrestricted Tool Access, Autonomous Decision Making, Scope Creep
Findings (4)

Missing User Warnings

Medium
Confidence
98% confidence
Finding
The skill defines the API token as a query parameter and later appends all query parameters to the request URL, so the credential will be transmitted in the URL. URLs are commonly logged by clients, proxies, servers, browser history, and monitoring systems, which increases the chance of token disclosure even when HTTPS is used. In this skill context, the issue is more dangerous because the tool is explicitly designed to handle an API access token for a third-party service.

Missing User Warnings

Medium
Confidence
94% confidence
Finding
The API token is defined as a required query parameter, which increases the risk of credential exposure through browser history, server logs, analytics systems, proxies, and referrer leakage. In this skill context, the token is a real authentication secret for a third-party API, so exposing it could allow unauthorized use of the connected service.

Missing User Warnings

Medium
Confidence
90% confidence
Finding
The operation documentation requires an API access token in a query parameter but provides no warning about secure credential handling. Query-string tokens are commonly exposed in logs, browser history, analytics, proxies, and referrer headers, which increases the risk of credential leakage and unauthorized API use.

Credential Access

High
Category
Privilege Escalation
Content
"parameters": [
        {
          "defaultValue": null,
          "description": "API access token.",
          "enumValues": [],
          "location": "query",
          "name": "token",
Confidence
81% confidence
Finding
access token

VirusTotal

59/59 vendors flagged this skill as clean.

View on VirusTotal