ClawHub

Zhihu API

Security checks across malware telemetry and agentic risk

Overview

This skill provides disclosed, read-only Zhihu API access through JustOneAPI, with a credential-handling caveat around tokens in URL query parameters.

Install only if you trust JustOneAPI with your API token and Zhihu searches. Use a revocable or limited token where possible, avoid sharing request URLs or logs, and do not paste the token into chats, screenshots, or bug reports.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
  • Prompt InjectionInstruction Override, Hidden Instructions, Exfiltration Commands
  • Privilege EscalationExcessive Permissions, Sudo/Root Execution, Credential Access
  • Supply ChainUnpinned Dependencies, External Script Fetching, Obfuscated Code
  • Excessive AgencyUnrestricted Tool Access, Autonomous Decision Making, Scope Creep
Findings (2)

Missing User Warnings

Medium
Confidence
98% confidence
Finding
The skill requires an authentication token and sends it as a URL query parameter to a third-party API. Query-string secrets are commonly exposed through logs, proxies, browser/history tooling, monitoring systems, and error reporting, so the token can be unintentionally disclosed even when HTTPS is used.

Missing User Warnings

Medium
Confidence
94% confidence
Finding
The skill documents an authentication token as a required query parameter, which encourages sending credentials in the URL. Query parameters are commonly exposed through logs, browser history, analytics, referrer headers, and intermediary infrastructure, so this creates a real credential-leakage risk even if the backend accepts it by design. In this skill context, the danger is somewhat increased because it is an API integration doc that may be copied directly into agent/tooling implementations without any warning about safe token handling.

VirusTotal

66/66 vendors flagged this skill as clean.

View on VirusTotal