Douyin Creator Marketplace (Xingtu) Follower Growth Trend API

Security checks across malware telemetry and agentic risk

Overview

This is a narrow JustOneAPI helper for one Douyin/Xingtu follower-growth endpoint, with the main caution that its API token is placed in the request URL.

Install only if you are comfortable giving this skill a JustOneAPI token and making outbound HTTPS calls to api.justoneapi.com. Prefer a limited-scope token if available, do not paste real token values into chat or shared logs, and rotate the token if a full request URL or command history may have been exposed.

SkillSpector

By NVIDIA

Vulnerability Patterns

Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
Prompt InjectionInstruction Override, Hidden Instructions, Exfiltration Commands
Privilege EscalationExcessive Permissions, Sudo/Root Execution, Credential Access
Supply ChainUnpinned Dependencies, External Script Fetching, Obfuscated Code
Excessive AgencyUnrestricted Tool Access, Autonomous Decision Making, Scope Creep

Findings (3)

Missing User Warnings

Medium

Confidence: 97% confidence
Finding: The skill sends the authentication token as a URL query parameter, which is commonly exposed in logs, browser/history artifacts, proxy telemetry, and monitoring systems even when HTTPS is used. In this wrapper, the token is injected into params and then appended to the URL by applyQueryParams, with no warning to the user or effort to place the credential in an Authorization header instead.

Missing User Warnings

Medium

Confidence: 94% confidence
Finding: The skill requires a user authentication token as a query parameter sent to an external service, but the manifest provides no warning about credential disclosure, storage, logging, or third-party transmission. Query parameters are especially sensitive because they are often captured in logs, analytics, browser history, and intermediary systems, increasing the chance of token leakage.

Missing User Warnings

Medium

Confidence: 90% confidence
Finding: The skill documents an authentication token as a required query parameter without any warning about secure handling, storage, or exposure in logs, URLs, browser history, and intermediary systems. Passing secrets in query strings is inherently risky because URLs are commonly recorded by clients, proxies, and monitoring tools, which can lead to credential leakage and unauthorized API access.

VirusTotal

61/61 vendors flagged this skill as clean.

View on VirusTotal