WeChat Official Accounts Article Engagement Metrics API

Security checks across malware telemetry and agentic risk

Overview

This is a narrow JustOneAPI wrapper, but it handles the required API token in ways that can expose it unnecessarily.

Install only if you trust JustOneAPI and are comfortable with the token being passed on the command line and sent as a URL query parameter. Prefer a revised version that reads the token from a protected secret source and uses header-based authentication if the upstream API supports it; rotate the token if you suspect it was exposed.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Privilege Escalation: Excessive Permissions, Sudo/Root Execution, Credential Access
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Supply Chain: Unpinned Dependencies, External Script Fetching, Obfuscated Code
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
Findings (3)

Missing User Warnings

Medium
Confidence: 97%
Finding
The skill defines the API token as a query parameter and later appends all query parameters directly into the request URL. Query-string credentials are commonly exposed through logs, proxy histories, browser/tooling output, monitoring systems, and error telemetry, so the token can leak beyond the intended recipient. In this skill context, the risk is heightened because this is a generic API wrapper that may be run in automated environments where full URLs are routinely logged.

Missing User Warnings

Medium
Confidence: 95%
Finding
The manifest requires an access token to be sent as a query parameter, which is unsafe because query strings are commonly logged by clients, proxies, CDNs, analytics systems, and server access logs. This increases the chance of credential leakage and unauthorized reuse of the token, especially since the skill provides no warning or safer authentication mechanism.

Credential Access

High
Category: Privilege Escalation
Content
"parameters": [
        {
          "defaultValue": null,
          "description": "Access token for the API.",
          "enumValues": [],
          "location": "query",
          "name": "token",
Confidence: 97%
Finding
Access token

VirusTotal

63/63 vendors flagged this skill as clean.
