Security audit

Xiaohongshu Creator Marketplace (Pugongying) Follower Distribution API

Security checks across malware telemetry and agentic risk

Overview

This is a focused API wrapper, but it handles the API token in ways that can expose it through command lines and request URLs.

Review before installing if the JustOneAPI token has paid, broad, or shared-account access, especially on shared machines or CI. Prefer a version that reads the token directly from the environment and avoids logging full request URLs; rotate the token if it may already have appeared in logs or process listings.

SkillSpector

By NVIDIA

Vulnerability Patterns

Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
Prompt InjectionInstruction Override, Hidden Instructions, Exfiltration Commands
Privilege EscalationExcessive Permissions, Sudo/Root Execution, Credential Access
Supply ChainUnpinned Dependencies, External Script Fetching, Obfuscated Code
Excessive AgencyUnrestricted Tool Access, Autonomous Decision Making, Scope Creep

Findings (1)

Missing User Warnings

Medium

Confidence: 97% confidence
Finding: Passing an authentication token as a query parameter is risky because query strings are commonly logged by servers, proxies, client tooling, browser history, and observability systems, which can expose the credential beyond its intended scope. In this skill, the token is required for every request and no warning or safer auth mechanism is defined, increasing the chance of accidental leakage and unauthorized API access if logs or traces are compromised.

VirusTotal

55/55 vendors flagged this skill as clean.

View on VirusTotal

Static analysis

Detected: suspicious.secret_argv_exposure

Instructions pass high-value credentials through process argv.

Critical

Code: suspicious.secret_argv_exposure
Location: SKILL.md:42