ClawHub

YOUKU API

Security checks across malware telemetry and agentic risk

Overview

This is a straightforward YOUKU lookup skill for JustOneAPI, with a real credential-handling caution but no evidence of hidden or malicious behavior.

Install only if you trust JustOneAPI with your YOUKU lookup inputs and JUST_ONE_API_TOKEN. Prefer a limited or dedicated token if available, avoid confidential search terms or identifiers, and rotate the token if it may have appeared in command output, logs, or shared diagnostics.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
  • Prompt InjectionInstruction Override, Hidden Instructions, Exfiltration Commands
  • Privilege EscalationExcessive Permissions, Sudo/Root Execution, Credential Access
  • Supply ChainUnpinned Dependencies, External Script Fetching, Obfuscated Code
  • Excessive AgencyUnrestricted Tool Access, Autonomous Decision Making, Scope Creep
Findings (3)

Missing User Warnings

Medium
Confidence
96% confidence
Finding
The skill sends the API token as a query parameter, which is then appended to the URL. Query-string secrets are commonly exposed through logs, proxies, browser/history tooling, monitoring systems, and error messages, so the token can leak even when HTTPS is used. In this skill, the token is required for every operation, which increases exposure across all requests.

Missing User Warnings

Medium
Confidence
97% confidence
Finding
The API requires a sensitive token to be sent as a query parameter to an external service, but the skill metadata and operation descriptions do not warn users that their credential will be transmitted off-platform. Query parameters are commonly logged by clients, proxies, gateways, browser history, and server access logs, which increases the chance of accidental credential disclosure beyond the intended recipient.

Missing User Warnings

Medium
Confidence
95% confidence
Finding
The documentation explicitly specifies a required `token` in the query string for multiple GET endpoints, which encourages sending authentication credentials in URLs. Query parameters are commonly logged by servers, proxies, browser history, observability tools, and referrer headers, increasing the chance of credential disclosure and unauthorized API access.

VirusTotal

66/66 vendors flagged this skill as clean.

View on VirusTotal