Douyin (TikTok China) User Published Videos API

Security checks across malware telemetry and agentic risk

Overview

This is a narrow, legitimate-looking JustOneAPI helper, but it sends the API token in the request URL, which warrants user review.

Install only if you are comfortable sending a JustOneAPI token to api.justoneapi.com as part of the request URL. Use a narrowly scoped or disposable token if available, avoid environments that log full URLs or process arguments, and rotate the token if you suspect it may have been captured.

SkillSpector

By NVIDIA

Vulnerability Patterns

Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
Prompt InjectionInstruction Override, Hidden Instructions, Exfiltration Commands
Privilege EscalationExcessive Permissions, Sudo/Root Execution, Credential Access
Supply ChainUnpinned Dependencies, External Script Fetching, Obfuscated Code
Excessive AgencyUnrestricted Tool Access, Autonomous Decision Making, Scope Creep

Findings (1)

Missing User Warnings

Medium

Confidence: 97% confidence
Finding: The skill sends the API token as a URL query parameter via applyQueryParams, which exposes the credential in places URLs commonly appear: logs, browser/history-equivalents, proxy layers, monitoring systems, and error traces. Even though the request uses HTTPS, query-string secrets are more widely propagated than header-based secrets and can be inadvertently disclosed to operators or downstream infrastructure.

VirusTotal

65/65 vendors flagged this skill as clean.

View on VirusTotal