Xiaohongshu Creator Marketplace (Pugongying) Note Performance Metrics API

Security checks across malware telemetry and agentic risk

Overview

This is a focused read-only API wrapper, but users should handle the JustOneAPI token carefully because it is sent in the command line and URL query string.

Install only if you trust JustOneAPI and can protect the token. Prefer a scoped or revocable token if available, avoid logging full request URLs or command lines, and rotate the token if it may have appeared in shell history, process telemetry, screenshots, or logs.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Privilege Escalation: Excessive Permissions, Sudo/Root Execution, Credential Access
  • Supply Chain: Unpinned Dependencies, External Script Fetching, Obfuscated Code
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
Findings (2)

Missing User Warnings

Medium
Confidence: 97%
Finding:
The skill explicitly models the authentication token as a query parameter and injects it into the URL before issuing the request. Query-string secrets are commonly exposed through logs, proxies, browser/history tooling, monitoring systems, and error traces, so this increases the chance of credential disclosure even though the request uses HTTPS.

Missing User Warnings

Medium
Confidence: 95%
Finding:
The documentation explicitly requires a user authentication token in a query parameter but gives no warning about secure handling, storage, redaction, or logging risks. Query-string credentials are commonly exposed through logs, analytics, browser history, proxy traces, and referrer leakage, which can enable unauthorized access to the user's Xiaohongshu-related data if the token is captured.

VirusTotal

64/64 vendors flagged this skill as clean.
