Douyin (TikTok China) Share Link Resolution API

Security checks across malware telemetry and agentic risk

Overview

This is a narrow JustOneAPI helper for resolving Douyin share links, with a real but disclosed credential-handling risk because the API token is sent in the URL query string.

Install only if you trust JustOneAPI with your API token and the Douyin share links you submit. Avoid sharing logs, screenshots, proxy traces, or error output that might contain full request URLs, and prefer a header-based token option if the provider supports one.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Privilege Escalation: Excessive Permissions, Sudo/Root Execution, Credential Access
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Supply Chain: Unpinned Dependencies, External Script Fetching, Obfuscated Code
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
Findings (3)

Missing User Warnings

Medium
Confidence: 98%
Finding
The skill defines the API token as a query parameter and automatically appends it to the request URL. Query-string credentials are commonly exposed in logs, browser/history artifacts, intermediary proxies, monitoring tools, and error reports, which increases the chance of credential leakage even when HTTPS is used.

Missing User Warnings

Medium
Confidence: 92%
Finding
The skill sends both a user-supplied share URL and an API access token to an external service, but the manifest provides no explicit warning or consent-oriented disclosure. This is dangerous because users or integrators may unknowingly transmit sensitive or private data off-platform, increasing privacy, compliance, and data-handling risks.

Credential Access

High
Category: Privilege Escalation
Content
"parameters": [
        {
          "defaultValue": null,
          "description": "Access token for this API service.",
          "enumValues": [],
          "location": "query",
          "name": "token",
Confidence: 95%
Finding
Access token

VirusTotal

65/65 vendors flagged this skill as clean.
