Douyin Creator Marketplace (Xingtu) KOL Content Keyword Analysis API

Security checks across malware telemetry and agentic risk

Overview

This is a focused API helper for one JustOneAPI Douyin/Xingtu analytics endpoint, with the main caution that its token is sent in the request URL.

Install only if you trust JustOneAPI and need this endpoint. Use a scoped or low-risk token if possible, avoid sharing command lines or logs that may contain full request URLs, and rotate the token if you think a URL containing it was exposed.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Privilege Escalation: Excessive Permissions, Sudo/Root Execution, Credential Access
  • Supply Chain: Unpinned Dependencies, External Script Fetching, Obfuscated Code
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
Findings (2)

Missing User Warnings

Severity: Medium
Confidence: 98%
Finding:
The skill sends the authentication token as a query parameter, which places the secret in the full request URL. URLs are commonly logged by client tooling, proxies, gateways, browser history, observability platforms, and upstream servers, so the token may be exposed even when HTTPS is used. In this API-wrapper context, the risk is elevated because the entire purpose of the skill is to forward authenticated requests to a third-party service.

Missing User Warnings

Severity: Medium
Confidence: 97%
Finding:
Requiring the authentication token in the query string is a real security weakness because query parameters are commonly exposed in logs, browser history, proxy records, analytics systems, and error traces. Even when sent over HTTPS, URL-based credentials are more likely to be retained or leaked by surrounding infrastructure, increasing the chance of token compromise and unauthorized API access.

VirusTotal

63/63 vendors flagged this skill as clean.