Security audit

Social Media Cross-Platform Search API

Security checks across malware telemetry and agentic risk

Overview

This is a straightforward JustOneAPI search connector, with the main risk being that your token and searches are sent to the declared API service.

Install only if you trust JustOneAPI with your search terms and account token. Prefer a scoped or easily rotated token, avoid sensitive private searches unless that sharing is acceptable, and be aware that query-string tokens may appear in service, proxy, or monitoring logs.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Privilege Escalation: Excessive Permissions, Sudo/Root Execution, Credential Access
  • Supply Chain: Unpinned Dependencies, External Script Fetching, Obfuscated Code
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
Findings (2)

Missing User Warnings

Medium severity
98% confidence
Finding
The skill sends the API access token in the URL query string via applyQueryParams, which exposes the secret in places URLs commonly get recorded: shell history, process arguments, proxy/server logs, browser tooling, and monitoring systems. Even though the request uses HTTPS, query-string secrets are still more broadly observable and persist longer than header-based credentials.

Missing User Warnings

Medium severity
92% confidence
Finding
The skill definition explicitly transmits an access token and user-provided search terms to a third-party API, but provides no user-facing warning about credential handling, external data transfer, or privacy implications. This can lead to unintentional disclosure of sensitive tokens or sensitive investigative/search content to an external service without informed user consent.

VirusTotal

65/65 vendors rated this skill as clean.