Security audit

IMDb Details API

Security checks across malware telemetry and agentic risk

Overview

This is a straightforward JustOneAPI IMDb lookup helper, with the main caution that its API token is sent in the request URL.

Install only if you trust JustOneAPI with the lookup requests and token. Use a token you can rotate, avoid sharing command lines or logs that may include request URLs, and rotate the token if you think URLs may have been captured.

SkillSpector

By NVIDIA

Vulnerability Patterns

Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
Prompt InjectionInstruction Override, Hidden Instructions, Exfiltration Commands
Privilege EscalationExcessive Permissions, Sudo/Root Execution, Credential Access
Supply ChainUnpinned Dependencies, External Script Fetching, Obfuscated Code
Excessive AgencyUnrestricted Tool Access, Autonomous Decision Making, Scope Creep

Findings (2)

Missing User Warnings

Medium

Confidence: 97% confidence
Finding: The skill explicitly defines the authentication token as a query parameter and later appends all query parameters directly to the request URL. Tokens in URLs are commonly exposed through logs, browser/history artifacts, proxies, monitoring systems, and upstream services, making credential leakage more likely even when HTTPS is used. In this skill context, the risk is real because the token is required for every request and there is no warning or safer alternative mechanism.

Missing User Warnings

Medium

Confidence: 98% confidence
Finding: Passing an authentication token in the query string is dangerous because query parameters are commonly logged by servers, proxies, gateways, browser history, and observability tooling. This can expose credentials unintentionally and enable unauthorized API access if logs or URLs are later disclosed.

VirusTotal

63/63 vendors flagged this skill as clean.

View on VirusTotal

Static analysis

No suspicious patterns detected.