Xiaohongshu Creator Marketplace (Pugongying) Data Summary API

Security checks across malware telemetry and agentic risk

Overview

This skill is a narrow JustOneAPI data lookup wrapper, but it handles the API token in ways that can expose it locally or in request URLs.

Review before installing. The API behavior is narrow and disclosed, but use a token with limited scope if possible and avoid running this where other local users or diagnostics can capture process arguments or request URLs. A safer version would read the token directly from secure environment handling and clearly warn about query-string credential exposure.

SkillSpector

By NVIDIA

Vulnerability Patterns

Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
Prompt InjectionInstruction Override, Hidden Instructions, Exfiltration Commands
Privilege EscalationExcessive Permissions, Sudo/Root Execution, Credential Access
Supply ChainUnpinned Dependencies, External Script Fetching, Obfuscated Code
Excessive AgencyUnrestricted Tool Access, Autonomous Decision Making, Scope Creep

Findings (1)

Missing User Warnings

Medium

Confidence: 87% confidence
Finding: The documentation explicitly requires a user authentication token in a query parameter but provides no warning about secure handling, storage, logging, or sharing of that credential. Query-string tokens are especially risky because they are commonly exposed in browser history, intermediary logs, analytics systems, and monitoring tools, which can lead to credential leakage and unauthorized API access.

VirusTotal

64/64 vendors flagged this skill as clean.

View on VirusTotal