Xiaohongshu Creator Marketplace (Pugongying) Creator Profile API

Security checks across malware telemetry and agentic risk

Overview

This skill appears to perform its stated API lookup, but it handles the JustOneAPI token in ways that can expose the credential through command-line arguments and request URLs.

Review before installing if you will use a real JustOneAPI token. Use a restricted and revocable token if possible, avoid shared machines or verbose process/request logging, and rotate the token if shell history, process monitoring, proxy logs, or API logs may have captured it.

SkillSpector

By NVIDIA

Vulnerability Patterns

Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
Prompt InjectionInstruction Override, Hidden Instructions, Exfiltration Commands
Privilege EscalationExcessive Permissions, Sudo/Root Execution, Credential Access
Supply ChainUnpinned Dependencies, External Script Fetching, Obfuscated Code
Excessive AgencyUnrestricted Tool Access, Autonomous Decision Making, Scope Creep

Findings (1)

Missing User Warnings

Medium

Confidence: 93% confidence
Finding: The skill documentation requires a user authentication token in a query parameter but gives no warning about secure handling, which increases the chance that downstream agents or users will log, expose, or mishandle credentials. Query parameters are especially sensitive because they are often captured in logs, analytics, browser history, and intermediary systems, making accidental token disclosure more likely.

VirusTotal

64/64 vendors flagged this skill as clean.

View on VirusTotal