Douyin (TikTok China) Video Comments API

Security checks across malware telemetry and agentic risk

Overview

This skill is a focused JustOneAPI wrapper for fetching Douyin video comments; its token use and its outbound network call are disclosed and match that single purpose.

Install only if you trust JustOneAPI with your API token and the Douyin video IDs you query. Keep JUST_ONE_API_TOKEN out of chat, screenshots, shell history, and logs where possible, and rotate the token if it is exposed.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Privilege Escalation: Excessive Permissions, Sudo/Root Execution, Credential Access
  • Supply Chain: Unpinned Dependencies, External Script Fetching, Obfuscated Code
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
Findings (1)

Missing User Warnings

Severity: Medium
Confidence: 95%
Finding
The skill defines the API access token as a query parameter, which is commonly exposed in logs, browser history, analytics systems, intermediary proxies, and error traces. Even though this is an interface definition rather than executable code, it encourages insecure credential handling and can lead downstream users or platforms to transmit secrets in places that are more broadly observable than headers.
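To make the finding concrete, here is an added example (not code from the skill or from JustOneAPI) that builds the request both ways and shows what an access log or proxy would see. The endpoint URL, the `token` query parameter name and the `Authorization: Bearer` header are assumptions for illustration; the page does not show JustOneAPI's actual interface. Nothing is sent over the network: the requests are only constructed and inspected.

```python
"""Token-in-query-string vs. token-in-header: what ends up in logs.

Added example; endpoint, parameter and header names are assumed, not
JustOneAPI's documented interface.
"""
from urllib.parse import parse_qs, urlencode, urlsplit, urlunsplit
from urllib.request import Request

# Assumed endpoint: the real JustOneAPI path is not shown on the page.
ENDPOINT = "https://api.example.invalid/douyin/video/comments"

# Query parameter names that are treated as secrets when scrubbing URLs.
SECRET_PARAMS = ("token", "api_key", "apikey", "key", "access_token")


def build_query_token_request(token: str, video_id: str) -> Request:
    """The pattern the scanner flags: the secret rides in the URL, which is
    exactly the string that access logs, proxies, browser history and
    error traces record."""
    url = f"{ENDPOINT}?{urlencode({'video_id': video_id, 'token': token})}"
    return Request(url, method="GET")


def build_header_token_request(token: str, video_id: str) -> Request:
    """Hardened pattern: the secret goes in a header (name assumed); the URL
    carries only the non-secret video ID."""
    url = f"{ENDPOINT}?{urlencode({'video_id': video_id})}"
    return Request(url, method="GET",
                   headers={"Authorization": f"Bearer {token}"})


def url_leaks_token(req: Request, token: str) -> bool:
    """True if the token would appear in the request line that gets logged."""
    return token in req.full_url


def redact_url(url: str) -> str:
    """Defence in depth for code that must log URLs: replace the values of
    known secret parameters before the URL reaches a log or error message."""
    parts = urlsplit(url)
    query = parse_qs(parts.query, keep_blank_values=True)
    for name in query:
        if name.lower() in SECRET_PARAMS:
            query[name] = ["REDACTED"]
    return urlunsplit(parts._replace(query=urlencode(query, doseq=True)))


if __name__ == "__main__":
    # Constructed demo token; a real caller would read JUST_ONE_API_TOKEN
    # from the environment and never print it.
    demo_token = "demo-token-do-not-use"
    video = "7400000000000000000"  # constructed sample video ID

    weak = build_query_token_request(demo_token, video)
    strong = build_header_token_request(demo_token, video)

    print("query-string request line :", weak.full_url)
    print("  leaks token?            :", url_leaks_token(weak, demo_token))
    print("header request line       :", strong.full_url)
    print("  leaks token?            :", url_leaks_token(strong, demo_token))
    print("redacted weak URL         :", redact_url(weak.full_url))
```

The first request line contains the token verbatim and would be written to every server log, proxy and analytics pipeline on the path; the second carries only the video ID, and the token lives in a header that most log formats do not record by default. `redact_url` is the fallback for code that still has to log URLs built by a third-party client it does not control.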

VirusTotal

0 of 65 vendors flagged this skill; all 65 rated it clean.
