Douyin Creator Marketplace (Xingtu) Conversion Analysis API

Security checks across malware telemetry and agentic risk

Overview

This is a narrow JustOneAPI wrapper for one Douyin/Xingtu analytics endpoint, with a real but disclosed token-handling hygiene risk.

Install only if you trust JustOneAPI and are comfortable sending JUST_ONE_API_TOKEN to api.justoneapi.com as a URL query parameter. Use a limited or rotatable token when possible, avoid sharing logs or URLs from failed requests, and rotate the token if you think a request URL was exposed.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Privilege Escalation: Excessive Permissions, Sudo/Root Execution, Credential Access
  • Supply Chain: Unpinned Dependencies, External Script Fetching, Obfuscated Code
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
Findings (2)

Missing User Warnings

Medium
Confidence: 97%
Finding
The skill defines the authentication token as a query parameter and automatically injects it into the request URL. Query-string secrets are commonly exposed through server and proxy access logs, browser history tooling, intermediary proxies, monitoring systems, and error telemetry, so accidental credential disclosure is more likely even though HTTPS protects the URL in transit. In this skill's context the risk is somewhat elevated because the code is a generic CLI wrapper that may be run in automated environments where full request URLs are routinely logged.

Missing User Warnings

Medium
Confidence: 97%
Finding
Passing an authentication token in the query string is dangerous because query parameters are commonly logged by clients, intermediaries, reverse proxies, analytics systems, browser history, and monitoring tools. That increases the chance of credential exposure and unauthorized reuse of the token, especially since the manifest provides no warning or safer alternative handling guidance.
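Both findings come down to the same pattern: a credential that rides in the query string ends up wherever the URL ends up. The following is an added illustration, not code from the skill or from JustOneAPI. It builds a request the way the findings describe (token appended to the query), shows the check a manifest scanner would run to flag such a URL, and redacts the token from URLs and free-form error text before they reach a log. The path `/v1/xingtu/conversion`, the parameter name `token` and the `SECRET_PARAM_NAMES` list are assumptions; the page does not show the skill's exact URL layout or whether the API accepts the token any other way.

```python
"""Query-string secret hygiene for a JustOneAPI-style wrapper.

Added example, not the skill's own code. The endpoint path and the
parameter name `token` are placeholders; JUST_ONE_API_TOKEN and the
host api.justoneapi.com are the names used on the page.
"""
import os
import re
from urllib.parse import parse_qsl, urlencode, urlsplit, urlunsplit

# Query parameter names that usually carry a credential. Constructed list
# for this example; extend it to match the APIs you actually call.
SECRET_PARAM_NAMES = frozenset(
    {"token", "access_token", "api_key", "apikey", "key", "secret"}
)

# Matches `name=value` pairs for the names above inside arbitrary text
# (exception messages, log lines, shell history), stopping at &, space, quotes.
_SECRET_RE = re.compile(
    r"(?i)\b(" + "|".join(sorted(SECRET_PARAM_NAMES)) + r")=([^&\s'\"]+)"
)


def load_token(env=os.environ):
    """Read the token from the environment. The error message deliberately
    contains no value, so a traceback never leaks a partial secret."""
    token = env.get("JUST_ONE_API_TOKEN")
    if not token:
        raise RuntimeError("JUST_ONE_API_TOKEN is not set")
    return token


def build_request_url(host, path, params, token):
    """Build the request the way the findings describe: the token is appended
    to the query string. This is the risky pattern, kept here for comparison."""
    query = dict(params)
    query["token"] = token  # credential is now part of the URL itself
    return urlunsplit(("https", host, path, urlencode(query), ""))


def find_secret_query_params(url):
    """Return the query parameter names in `url` that look like credentials.
    This is the check a scanner runs over a request template to raise the
    'token in query string' finding."""
    pairs = parse_qsl(urlsplit(url).query, keep_blank_values=True)
    return sorted({name for name, _ in pairs if name.lower() in SECRET_PARAM_NAMES})


def redact_url(url):
    """Replace the value of every secret-looking query parameter with REDACTED
    so the URL can be logged, shown in an error, or pasted into a bug report."""
    parts = urlsplit(url)
    pairs = parse_qsl(parts.query, keep_blank_values=True)
    cleaned = [
        (k, "REDACTED" if k.lower() in SECRET_PARAM_NAMES else v) for k, v in pairs
    ]
    return urlunsplit(
        (parts.scheme, parts.netloc, parts.path, urlencode(cleaned), parts.fragment)
    )


def redact_text(text):
    """Scrub `token=...`-style pairs from free text, e.g. the message of an
    HTTP client exception that echoes the full request URL."""
    return _SECRET_RE.sub(lambda m: f"{m.group(1)}=REDACTED", text)


if __name__ == "__main__":
    # Constructed sample values; the task id and token are not real.
    url = build_request_url(
        "api.justoneapi.com", "/v1/xingtu/conversion", {"task_id": "42"}, "tok-123"
    )
    print("flagged params:", find_secret_query_params(url))
    print("safe to log:   ", redact_url(url))
    # A constructed failure message of the kind an HTTP library might raise.
    print(redact_text(f"GET {url} failed: 401 Unauthorized"))
```

Wrap every place the wrapper logs a URL or re-raises an HTTP error with `redact_url` or `redact_text`; the redaction only hides the token from your own output, so a token that has already appeared in a proxy or server log still needs rotating, as the overview above advises.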

VirusTotal

64/64 vendors flagged this skill as clean.
