Security audit

IMDb Redux Overview API

Security checks across malware telemetry and agentic risk

Overview

This is a focused IMDb lookup skill that calls the declared JustOneAPI endpoint, with a token-handling caution but no hidden or unrelated behavior.

Install only if you trust JustOneAPI. Use a scoped or low-privilege token if available, avoid sharing command output, URLs, or network logs from this helper, and rotate the token if you think a request URL may have been exposed.

SkillSpector

By NVIDIA

Vulnerability Patterns

Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
Prompt InjectionInstruction Override, Hidden Instructions, Exfiltration Commands
Privilege EscalationExcessive Permissions, Sudo/Root Execution, Credential Access
Supply ChainUnpinned Dependencies, External Script Fetching, Obfuscated Code
Excessive AgencyUnrestricted Tool Access, Autonomous Decision Making, Scope Creep

Findings (1)

Missing User Warnings

Medium

Confidence: 97% confidence
Finding: The skill sends the authentication token as a query parameter, causing it to be embedded in the full request URL. URLs are commonly logged by client tooling, proxies, gateways, browser/history equivalents, and backend access logs, so the token may be exposed beyond the intended recipient even when HTTPS is used. In this skill context, the risk is real because the code is a generic API wrapper and provides no warning, masking, or safer alternative for secret handling.

VirusTotal

63/63 vendors flagged this skill as clean.

View on VirusTotal

Static analysis

No suspicious patterns detected.