Xiaohongshu Creator Marketplace (Pugongying) Creator Profile API

Security checks across malware telemetry and agentic risk

Overview

This is a focused API helper for one JustOneAPI creator-profile lookup, with credential-handling cautions but no hidden or unrelated behavior found.

Install only if you trust JustOneAPI with these creator-profile lookups. Treat JUST_ONE_API_TOKEN as sensitive: avoid sharing command output, screenshots, logs, or process listings while requests run, and rotate the token if it may have been exposed.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Privilege Escalation: Excessive Permissions, Sudo/Root Execution, Credential Access
  • Supply Chain: Unpinned Dependencies, External Script Fetching, Obfuscated Code
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
Findings (2)

Missing User Warnings

Medium
Confidence: 98%
Finding:
The skill defines the authentication token as a query parameter and later appends all query parameters directly to the URL. Query-string tokens are commonly exposed through logs, browser history, proxy/CDN access logs, monitoring systems, referrer leakage, and error telemetry, increasing the chance of credential disclosure even when HTTPS is used. In this skill's context, the token is required for an external API call, so the design makes accidental secret exposure more likely during normal operation.

Missing User Warnings

Medium
Confidence: 92%
Finding:
The documentation explicitly requires a user authentication token in a query parameter but provides no warning about secure handling, logging, storage, or privacy implications. Query parameters are commonly exposed in logs, browser history, analytics, caches, and intermediary systems, so documenting token use this way without safeguards can lead to credential leakage and unauthorized access.

VirusTotal

62/62 vendors flagged this skill as clean.
