Xiaohongshu Creator Marketplace (Pugongying) Creator Note List API

Security checks across malware telemetry and agentic risk

Overview

The skill appears to call the advertised JustOneAPI endpoint, but it handles the API token in ways that can expose it on the local machine or in URL logs.

Review the skill before installing it on shared, monitored, or production systems. Use a restricted JustOneAPI token if one is available, avoid logging the commands or URLs it issues, and prefer modifying the helper so that it reads the token from an environment variable or stdin and sends it in an Authorization header if the provider supports that.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Privilege Escalation: Excessive Permissions, Sudo/Root Execution, Credential Access
  • Supply Chain: Unpinned Dependencies, External Script Fetching, Obfuscated Code
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
Findings (2)

Missing User Warnings

Medium
Confidence: 97%
Finding
The skill requires an authentication token as a query parameter and then appends all query parameters directly to the URL before issuing the request. Query-string tokens are commonly exposed via logs, browser/history systems, proxy infrastructure, monitoring tools, and error telemetry, making accidental credential disclosure more likely than if the token were sent in an Authorization header or request body.

Missing User Warnings

Medium
Confidence: 94%
Finding
The documentation instructs clients to pass a user authentication token as a query parameter without any warning about secure handling. Query parameters are commonly exposed in logs, browser history, monitoring tools, referrer headers, and intermediaries, so encouraging token transmission this way increases the chance of credential leakage and unauthorized API access.
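Both findings come down to the same handling choice: where the token travels and where it gets written down. The following Python is an added example written for this report, not the skill's own helper, and it does not call the real JustOneAPI endpoint (the URL below is a placeholder, and sending the token as a Bearer header is an assumption that the provider accepts it, which the page does not confirm). It builds the request the risky way the findings describe (token in the query string), builds it the hardened way (token read from an environment variable, sent only in an Authorization header), and shows a log redaction step so a URL containing a token never reaches a log line unredacted. No request is actually sent.

```python
import os
from urllib.parse import parse_qsl, urlencode, urlsplit, urlunsplit
from urllib.request import Request

# Placeholder endpoint for illustration only; it is NOT the JustOneAPI URL,
# which this report does not reproduce.
ENDPOINT = "https://api.example.invalid/xhs/pugongying/creator-notes"

# Query keys that should never be logged verbatim (assumed list, extend as needed).
SENSITIVE_KEYS = {"token", "access_token", "api_key", "apikey", "key"}


def load_token(env=None, env_var="JUSTONEAPI_TOKEN"):
    """Read the token from the environment instead of argv or a hard-coded string.

    'env' defaults to os.environ; a mapping can be passed in for testing.
    The variable name is an assumption, not something the skill defines.
    """
    env = os.environ if env is None else env
    token = env.get(env_var)
    if not token:
        raise RuntimeError(f"{env_var} is not set; refusing to run without a token")
    return token


def build_request_token_in_query(token, params):
    """Risky form the findings describe: the token is just another query
    parameter, so access logs, proxies, shell history and error telemetry
    all record it alongside the rest of the URL."""
    query = urlencode({**params, "token": token})
    return Request(f"{ENDPOINT}?{query}", method="GET")


def build_request_token_in_header(token, params):
    """Hardened form: only non-secret parameters go in the URL; the token is
    sent in an Authorization header. Assumes the provider accepts a Bearer
    token there (the page says 'if the provider supports it')."""
    query = urlencode(params)
    req = Request(f"{ENDPOINT}?{query}", method="GET")
    req.add_header("Authorization", f"Bearer {token}")
    return req


def url_leaks_token(url, token):
    """True if the literal token value appears anywhere in the URL."""
    return token in url


def redact_url(url):
    """Replace credential-like query values before a URL is written to a log.
    Keeps every other parameter intact so the log line stays useful."""
    parts = urlsplit(url)
    cleaned = [
        (k, "REDACTED" if k.lower() in SENSITIVE_KEYS else v)
        for k, v in parse_qsl(parts.query, keep_blank_values=True)
    ]
    return urlunsplit(parts._replace(query=urlencode(cleaned)))


if __name__ == "__main__":
    # Constructed sample input; 'creator_id' is a placeholder parameter name.
    token = load_token({"JUSTONEAPI_TOKEN": "tok_example_123"})
    params = {"creator_id": "abc", "page": "1"}

    risky = build_request_token_in_query(token, params)
    safe = build_request_token_in_header(token, params)
    print("query form leaks token:", url_leaks_token(risky.full_url, token))
    print("header form leaks token:", url_leaks_token(safe.full_url, token))
    print("what a log line should carry:", redact_url(risky.full_url))
```

The point of `redact_url` is that even if the helper cannot be changed (because the provider only accepts query-string tokens), the process that logs or echoes the command line can still be kept from recording the secret; check that the same redaction is applied to exception messages and debug output, which are the other places the findings list.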

VirusTotal

63/63 vendors flagged this skill as clean.

View on VirusTotal