ClawHub

Douyin Creator Marketplace (Xingtu) Audience Distribution API

Security checks across malware telemetry and agentic risk

Overview

This is a narrow JustOneAPI wrapper for one Douyin audience-distribution endpoint, with a real caution that its API token is sent in the request URL.

Install only if you trust JustOneAPI and are comfortable with JUST_ONE_API_TOKEN being sent as part of the request URL. Avoid sharing command output, request logs, screenshots, copied URLs, or proxy traces that may include the token, and rotate the token if it may have been exposed.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
  • Prompt InjectionInstruction Override, Hidden Instructions, Exfiltration Commands
  • Privilege EscalationExcessive Permissions, Sudo/Root Execution, Credential Access
  • Supply ChainUnpinned Dependencies, External Script Fetching, Obfuscated Code
  • Excessive AgencyUnrestricted Tool Access, Autonomous Decision Making, Scope Creep
Findings (3)

Missing User Warnings

Medium
Confidence
96% confidence
Finding
The skill transmits the authentication token as a query string parameter (`token`), which is then embedded in the full request URL. Query parameters are commonly exposed in logs, browser/history tooling, proxies, monitoring systems, and error messages, making accidental credential disclosure more likely than if the token were sent in an authorization header.

Missing User Warnings

Medium
Confidence
97% confidence
Finding
Passing an authentication token in the query string is dangerous because query parameters are commonly logged by servers, proxies, analytics tools, browser history, and monitoring systems. This increases the risk of credential exposure and token reuse, especially since the manifest does not warn users or indicate safer handling semantics.

Missing User Warnings

Low
Confidence
93% confidence
Finding
The documentation explicitly requires a user authentication token in a query parameter but provides no warning about sensitive credential handling. Query parameters are commonly logged by clients, proxies, servers, and analytics systems, so documenting token usage without caution increases the chance of accidental credential exposure.

VirusTotal

64/64 vendors flagged this skill as clean.

View on VirusTotal