Xiaohongshu Creator Marketplace (Pugongying) Creator Core Metrics API

Security checks across malware telemetry and agentic risk

Overview

This skill performs the advertised API lookup, but its token handling could expose the API token through command-line/process visibility and URL logging.

Install only if you are comfortable using a JustOneAPI token with this helper. Run it only on a trusted machine, avoid shared shells and command logging, and rotate the token if it may have appeared in logs or process monitoring. A safer version would read the token directly from the environment and avoid putting credentials in URLs when the upstream API allows it.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Privilege Escalation: Excessive Permissions, Sudo/Root Execution, Credential Access
  • Supply Chain: Unpinned Dependencies, External Script Fetching, Obfuscated Code
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
Findings (1)

Missing User Warnings

Severity: Medium
Confidence: 91%
Finding
The documentation requires a `token` query parameter for authentication but provides no warning about secure handling, storage, redaction, or logging risks. Query-string credentials are especially sensitive because they are commonly exposed in browser history, server logs, proxies, analytics tools, and error traces, which increases the chance of credential leakage during normal use of the skill.

VirusTotal

53/53 vendors flagged this skill as clean.
