Back to skill

Security audit

Kuaishou Share Link Resolution API

Security checks across malware telemetry and agentic risk

Overview

This skill appears to do what it says, but it should be reviewed because it sends the API token as a URL query parameter.

Install only if you are comfortable using a revocable JustOneAPI token with this wrapper. Prefer a version that sends credentials in an Authorization or API-key header, and rotate the token if it may have appeared in URLs, logs, telemetry, or shared error output.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
  • Prompt InjectionInstruction Override, Hidden Instructions, Exfiltration Commands
  • Privilege EscalationExcessive Permissions, Sudo/Root Execution, Credential Access
  • Supply ChainUnpinned Dependencies, External Script Fetching, Obfuscated Code
  • Excessive AgencyUnrestricted Tool Access, Autonomous Decision Making, Scope Creep
Findings (1)

Missing User Warnings

Medium
Confidence
98% confidence
Finding
The skill defines the access token as a query parameter and later appends all query parameters directly into the request URL. Query-string credentials are commonly exposed via logs, proxies, browser/history tooling, monitoring systems, and error messages, making accidental credential disclosure significantly more likely than if the token were sent in an Authorization header.

VirusTotal

65/65 vendors flagged this skill as clean.

View on VirusTotal

Static analysis

No suspicious patterns detected.