Xiaohongshu Creator Marketplace (Pugongying) Note Performance Metrics API

Security checks across malware telemetry and agentic risk

Overview

This is a narrow API wrapper for one JustOneAPI Xiaohongshu metrics endpoint, with disclosed but imperfect credential handling.

Install only if you trust JustOneAPI with your API token and queried Xiaohongshu user IDs. Prefer scoped or short-lived tokens where available, avoid shared machines, and treat command histories, process listings, logs, screenshots, and error output as potentially sensitive while using this skill.

SkillSpector

By NVIDIA

Vulnerability Patterns

Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
Prompt InjectionInstruction Override, Hidden Instructions, Exfiltration Commands
Privilege EscalationExcessive Permissions, Sudo/Root Execution, Credential Access
Supply ChainUnpinned Dependencies, External Script Fetching, Obfuscated Code
Excessive AgencyUnrestricted Tool Access, Autonomous Decision Making, Scope Creep

Findings (1)

Missing User Warnings

Medium

Confidence: 98% confidence
Finding: The skill defines the authentication token as a query parameter and later appends all query parameters directly to the URL. Tokens in URLs are commonly exposed through logs, browser history, proxy/CDN logs, monitoring tools, referrer leakage, and error reporting, making credential disclosure more likely than if the token were sent in an Authorization header. The skill context increases risk because this is an API integration handling real user authentication data, and the code provides no warning or safer alternative.

VirusTotal

62/62 vendors flagged this skill as clean.

View on VirusTotal