ClawHub

Xiaohongshu Creator Marketplace (Pugongying) Follower Distribution API

Security checks across malware telemetry and agentic risk

Overview

This is a narrow API wrapper, but it handles the required API token in ways that can expose it through command-line arguments and URL query strings.

Install only if you are comfortable giving this skill a JustOneAPI token for this endpoint. Avoid running it on shared machines or in logging-heavy automation, and prefer a revised version that reads the token directly from a protected environment variable or secret store and avoids query-string authentication if the upstream API supports headers.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
  • Prompt InjectionInstruction Override, Hidden Instructions, Exfiltration Commands
  • Privilege EscalationExcessive Permissions, Sudo/Root Execution, Credential Access
  • Supply ChainUnpinned Dependencies, External Script Fetching, Obfuscated Code
  • Excessive AgencyUnrestricted Tool Access, Autonomous Decision Making, Scope Creep
Findings (2)

Missing User Warnings

Medium
Confidence
98% confidence
Finding
The skill requires the authentication token to be sent as a URL query parameter, which is unsafe because query strings are commonly logged by clients, proxies, CDNs, observability systems, browser history, and server access logs. Even though the request uses HTTPS, the token can still be exposed through these secondary channels, enabling unauthorized reuse of the credential.

Missing User Warnings

Low
Confidence
89% confidence
Finding
The documentation explicitly requires a user authentication token in a query parameter but gives no guidance on secure handling, storage, or redaction of that credential. Tokens placed in URLs are commonly exposed through logs, browser history, proxies, and analytics systems, so missing security warnings increases the chance that integrators will handle the credential insecurely.

VirusTotal

62/62 vendors flagged this skill as clean.

View on VirusTotal