Douyin E-commerce API

Security checks across malware telemetry and agentic risk

Overview

This is a narrow Douyin e-commerce item-detail API wrapper, with a disclosed but weaker token-handling pattern.

Install only if you trust JustOneAPI and are comfortable providing JUST_ONE_API_TOKEN for Douyin item-detail lookups. Because the token is sent in the request URL, avoid verbose proxy or HTTP logging, do not share error logs containing full URLs, and rotate the token if you suspect request URLs were exposed.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Privilege Escalation: Excessive Permissions, Sudo/Root Execution, Credential Access
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Supply Chain: Unpinned Dependencies, External Script Fetching, Obfuscated Code
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
Findings (2)

Missing User Warnings

Medium
Confidence: 97%
Finding
The skill defines the API access token as a query parameter and later appends all query parameters directly into the URL. Query-string credentials are commonly exposed through logs, browser/history artifacts, proxy caches, monitoring systems, and upstream error telemetry, making accidental credential disclosure significantly more likely than if the token were sent in an Authorization header.

Credential Access

High
Category: Privilege Escalation
Content (excerpt from the skill's parameter definition):
    "parameters": [
      {
        "defaultValue": null,
        "description": "Access token for this API service.",
        "enumValues": [],
        "location": "query",
        "name": "token",
Confidence: 98%
Finding
Access token

VirusTotal

64/64 vendors flagged this skill as clean.
