Security audit

Xiaohongshu Creator Marketplace (Pugongying) Creator Search API

Security checks across malware telemetry and agentic risk

Overview

This is a focused API wrapper, but it uses a JustOneAPI token in ways that can expose it through command lines and request URLs.

Review before installing if the JustOneAPI token has meaningful account access. Use only on trusted machines, avoid logging commands or full request URLs, prefer a token with limited scope and lifetime, and rotate the token if command output, shell history, process listings, or request logs may have exposed it.

SkillSpector

By NVIDIA

Vulnerability Patterns

Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
Prompt InjectionInstruction Override, Hidden Instructions, Exfiltration Commands
Privilege EscalationExcessive Permissions, Sudo/Root Execution, Credential Access
Supply ChainUnpinned Dependencies, External Script Fetching, Obfuscated Code
Excessive AgencyUnrestricted Tool Access, Autonomous Decision Making, Scope Creep

Findings (3)

Missing User Warnings

Medium

Confidence: 98% confidence
Finding: The skill injects the authentication token into a query parameter and then sends it as part of the request URL. Query-string secrets are routinely exposed through logs, browser/history equivalents, proxy infrastructure, monitoring systems, and upstream service diagnostics, making credential leakage more likely than if the token were sent in an Authorization header or request body. In this skill’s context, the token is required for every call, so the insecure handling is systematic rather than incidental.

Missing User Warnings

Medium

Confidence: 96% confidence
Finding: The API requires a user authentication token to be sent as a query parameter, which is less safe than using an Authorization header because query strings are commonly logged by clients, proxies, servers, analytics tools, and monitoring systems. In a third-party API integration context, the absence of an explicit warning or safer auth scheme increases the risk of credential leakage and downstream account compromise.

Missing User Warnings

Medium

Confidence: 89% confidence
Finding: The operation documentation requires a `token` in the query string but does not warn that query parameters are commonly logged by clients, proxies, gateways, browser history, and server access logs. Exposing authentication credentials this way increases the chance of credential leakage and unauthorized API access, especially because this skill is an API wrapper likely to be used by automated agents that may surface or persist full URLs.

VirusTotal

62/62 vendors flagged this skill as clean.

View on VirusTotal

Static analysis

Detected: suspicious.secret_argv_exposure

Instructions pass high-value credentials through process argv.

Critical

Code: suspicious.secret_argv_exposure
Location: SKILL.md:53