Douyin Creator Marketplace (Xingtu) Follower Distribution API

Security checks across malware telemetry and agentic risk

Overview

This is a focused API wrapper for one JustOneAPI Douyin/Xingtu follower-distribution endpoint, with its token use disclosed and no hidden persistence or unrelated access found.

Install only if you trust JustOneAPI and are authorized to request Douyin/Xingtu audience analytics for the creator IDs you submit. Treat JUST_ONE_API_TOKEN as a secret, avoid logging full request URLs, and rotate the token if it is exposed.

SkillSpector

By NVIDIA

Vulnerability Patterns

Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
Prompt InjectionInstruction Override, Hidden Instructions, Exfiltration Commands
Privilege EscalationExcessive Permissions, Sudo/Root Execution, Credential Access
Supply ChainUnpinned Dependencies, External Script Fetching, Obfuscated Code
Excessive AgencyUnrestricted Tool Access, Autonomous Decision Making, Scope Creep

Findings (1)

Missing User Warnings

Medium

Confidence: 97% confidence
Finding: The skill defines the authentication token as a query parameter and injects it into the request URL, which can expose the secret in logs, browser/history equivalents, proxies, monitoring systems, crash reports, and upstream server access logs. Even though the request uses HTTPS, query strings are commonly recorded more broadly than headers, so this handling increases the chance of credential leakage.

VirusTotal

63/63 vendors flagged this skill as clean.

View on VirusTotal