ClawHub
Back to skill

Security audit

Weibo TV Video Details API

Security checks across malware telemetry and agentic risk

Overview

This is a focused JustOneAPI lookup skill, but it should be reviewed because it exposes a reusable API token through command-line arguments and URL query parameters.

Review before installing. Use only a scoped, rotatable JustOneAPI token, avoid logging command invocations, and prefer a version that reads the token internally from the environment and sends it through a header or other safer authentication mechanism rather than the URL.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
  • Privilege EscalationExcessive Permissions, Sudo/Root Execution, Credential Access
  • Prompt InjectionInstruction Override, Hidden Instructions, Exfiltration Commands
  • Supply ChainUnpinned Dependencies, External Script Fetching, Obfuscated Code
  • Excessive AgencyUnrestricted Tool Access, Autonomous Decision Making, Scope Creep
Findings (3)

Missing User Warnings

Medium
Confidence
97% confidence
Finding
The skill defines the API access token as a query parameter and later appends all query parameters directly into the request URL. Query-string tokens are commonly exposed through logs, browser/history artifacts, intermediary proxies, monitoring tools, and error messages, which increases the chance of credential leakage even when HTTPS is used. In this skill context, the risk is real because the tool is specifically designed to transmit a live credential on every request.

Missing User Warnings

Medium
Confidence
92% confidence
Finding
The operation explicitly sends an API token and object identifier to an external third-party endpoint, but the manifest provides no user-facing disclosure or warning about network transmission. This can cause unanticipated credential exposure or data-sharing outside the local agent context, especially if users do not realize their inputs and secrets are being sent to JustOneAPI.

Credential Access

High
Category
Privilege Escalation
Content
"parameters": [
        {
          "defaultValue": null,
          "description": "API access token.",
          "enumValues": [],
          "location": "query",
          "name": "token",
Confidence
95% confidence
Finding
access token

VirusTotal

63/63 vendors flagged this skill as clean.

View on VirusTotal