Security audit

Kuaishou User Profile API

Security checks across malware telemetry and agentic risk

Overview

This is a narrow read-only API wrapper for fetching Kuaishou profile data through JustOneAPI, with credential and privacy cautions but no hidden or destructive behavior.

Install only if you trust JustOneAPI and have a legitimate reason to fetch Kuaishou profile details. Store JUST_ONE_API_TOKEN locally, do not paste it into chat, and be aware that this API sends the token and userId in the URL query string, so full request URLs should be redacted from logs, screenshots, and support tickets.

SkillSpector

By NVIDIA

Vulnerability Patterns

Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
Prompt InjectionInstruction Override, Hidden Instructions, Exfiltration Commands
Privilege EscalationExcessive Permissions, Sudo/Root Execution, Credential Access
Supply ChainUnpinned Dependencies, External Script Fetching, Obfuscated Code
Excessive AgencyUnrestricted Tool Access, Autonomous Decision Making, Scope Creep

Findings (3)

Missing User Warnings

Medium

Confidence: 89% confidence
Finding: The skill retrieves profile, audience, and verification-related data about a Kuaishou user but does not warn users that the request may involve privacy-sensitive personal or quasi-personal data. This increases the risk of misuse, uninformed collection, or inappropriate sharing of creator intelligence data, especially in workflows where operators may assume the lookup is low-risk metadata.

Missing User Warnings

Medium

Confidence: 98% confidence
Finding: The skill defines the API access token as a query parameter and later appends all query parameters directly into the URL. Query-string credentials are commonly exposed through logs, browser/history tooling, proxy and CDN logs, monitoring systems, and error reports, making accidental credential disclosure significantly more likely even when HTTPS is used.

Missing User Warnings

Medium

Confidence: 94% confidence
Finding: The operation requires both an access token and a persistent user identifier in query parameters, but the documentation does not warn that these are sensitive values that may be exposed via logs, browser history, proxy telemetry, analytics tooling, or referrer leakage. In a profile-enrichment skill that transmits third-party account data, that omission increases the chance that integrators will handle credentials and identifiers insecurely and unintentionally disclose them.

VirusTotal

63/63 vendors flagged this skill as clean.

View on VirusTotal

Static analysis

No suspicious patterns detected.