Scan Report
0/100
IMDb
Analyze IMDb workflows with JustOneAPI, including release Expectation, extended Details, and top Cast and Crew across 19 operations.
A straightforward IMDb data API wrapper with no malicious behavior, obfuscation, credential exfiltration, or undeclared capabilities.
Safe to install
This skill is safe to use. It makes only GET requests to api.justoneapi.com, uses only Node.js built-ins, and passes the user token exclusively to the declared API endpoint as a query parameter.
| Resource | Declared | Inferred | Status | Evidence |
|---|---|---|---|---|
| Network | READ | READ | ✓ Aligned | bin/run.mjs: fetches GET https://api.justoneapi.com/* (all 19 operations) |
| Shell | WRITE | NONE | ✓ Aligned | SKILL.md invokes Bash, but bin/run.mjs contains no subprocess/spawn/exec; it onl… |
1 finding
Medium: External URL
https://api.justoneapi.com (SKILL.md:5)
File Tree
4 files · 104.1 KB · 3251 lines
JavaScript 1f · 1333L
JSON 1f · 1131L
Markdown 2f · 787L
├─ bin
│  └─ run.mjs (JavaScript)
├─ generated
│  ├─ operations.json (JSON)
│  └─ operations.md (Markdown)
└─ SKILL.md (Markdown)
Security Positives
✓ Uses only Node.js built-in modules (fetch, JSON, process) — no external dependencies or supply chain risk
✓ Token is used only as a query parameter sent to the declared API base URL; no credential exfiltration
✓ No base64, eval, dynamic code generation, or obfuscation
✓ No file system, clipboard, database, or browser access
✓ All 19 operations are GET-only requests; no POST/PUT/DELETE with user-controlled bodies
✓ No sensitive path access (~/.ssh, ~/.aws, .env)
✓ No curl|bash, wget|sh, or remote script execution
✓ No hidden HTML instructions or shadow functionality
✓ Manifest is hardcoded inline — not fetched from an external URL