Security audit

Kuaishou Video Details API

Security checks across malware telemetry and agentic risk

Overview

This is a focused JustOneAPI helper for one Kuaishou video-details endpoint, with the main caution that its API token is sent in the URL query string.

Install only if you trust JustOneAPI with your API token and the requested Kuaishou video lookup. Avoid sharing command output, errors, proxy logs, or diagnostic traces that might include the request URL, because the token is sent as a URL query parameter.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Privilege Escalation: Excessive Permissions, Sudo/Root Execution, Credential Access
  • Supply Chain: Unpinned Dependencies, External Script Fetching, Obfuscated Code
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
Findings (2)

Missing User Warnings

Medium
Confidence: 97%
Finding
The skill sends the API access token as a URL query parameter (`token`), which is commonly exposed in logs, browser history, intermediary proxies, monitoring systems, and error messages. In this skill, the token is appended directly to the request URL, making accidental credential leakage materially more likely even though the transport uses HTTPS.

Missing User Warnings

Medium
Confidence: 95%
Finding
The manifest requires a token and sends it to an external third-party API, but it does not clearly warn consumers that authentication material is being transmitted off-platform. This can lead to unsafe operator assumptions, accidental credential disclosure, or use in contexts where users did not intend their token to be sent to JustOneAPI.

VirusTotal

58/58 vendors flagged this skill as clean.

Static analysis

No suspicious patterns detected.