Back to skill

Security audit

Weibo Hot - 微博热搜榜

Security checks across malware telemetry and agentic risk

Overview

This is a simple Weibo trending-search lookup that uses a TianAPI key; the main risk is ordinary API-key handling, not hidden malicious behavior.

Install only if you are comfortable using a TianAPI account key for this skill. Prefer setting TIANAPI_WEIBO_HOT_KEY as an environment variable, avoid putting the key in screenshots or source control, and rotate the key if it is exposed.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
  • Privilege EscalationExcessive Permissions, Sudo/Root Execution, Credential Access
  • Prompt InjectionInstruction Override, Hidden Instructions, Exfiltration Commands
  • Supply ChainUnpinned Dependencies, External Script Fetching, Obfuscated Code
  • Excessive AgencyUnrestricted Tool Access, Autonomous Decision Making, Scope Creep
Findings (4)

Missing User Warnings

Medium
Confidence
92% confidence
Finding
The documentation instructs users to provide an API key and to call a third-party endpoint, but it does not clearly warn that the key is transmitted to TianAPI on every request. This can lead users to expose credentials to an external service without informed consent, increasing the risk of credential misuse, logging exposure, or accidental sharing.

Missing User Warnings

Medium
Confidence
79% confidence
Finding
The API key is placed in the URL query string, which can be logged by intermediaries such as proxies, client logs, server access logs, browser/history equivalents, or monitoring systems. Even though HTTPS protects the transport contents from passive network observers, query-string credentials still increase accidental credential exposure risk.

Credential Access

High
Category
Privilege Escalation
Content
# 方式一:环境变量(推荐,一次配置永久生效)
    export TIANAPI_WEIBO_HOT_KEY=你的APIKey

    # 方式二:.env 文件(在脚本目录创建)
    echo "TIANAPI_WEIBO_HOT_KEY=你的APIKey" > scripts/.env

    # 方式三:每次命令行传入
Confidence
94% confidence
Finding
.env

Credential Access

High
Category
Privilege Escalation
Content
export TIANAPI_WEIBO_HOT_KEY=你的APIKey

    # 方式二:.env 文件(在脚本目录创建)
    echo "TIANAPI_WEIBO_HOT_KEY=你的APIKey" > scripts/.env

    # 方式三:每次命令行传入
    python3 scripts/fetch_weibo_hot.py 你的APIKey
Confidence
90% confidence
Finding
.env

VirusTotal

65/65 vendors flagged this skill as clean.

View on VirusTotal

Static analysis

No suspicious patterns detected.