Douyin Creator Marketplace (Xingtu) Creator Profile API

Security checks across malware telemetry and agentic risk

Overview

This is a narrow JustOneAPI wrapper for one Douyin creator-profile lookup, with the main caution that its API token is sent in the request URL.

Install only if you are comfortable using a JustOneAPI token for this endpoint. Keep the token in JUST_ONE_API_TOKEN, avoid pasting it into chats or logs, prefer a scoped or revocable token, and rotate it if command lines, request URLs, proxy logs, or telemetry may have captured it.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Privilege Escalation: Excessive Permissions, Sudo/Root Execution, Credential Access
  • Supply Chain: Unpinned Dependencies, External Script Fetching, Obfuscated Code
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
Findings (1)

Missing User Warnings

Medium
Confidence: 97%
Finding
The skill defines the authentication token as a query parameter and injects it into the request URL, which causes the secret to be exposed in places URLs commonly appear: shell history, proxy and web server logs, monitoring tools, browser/debug tooling, and error telemetry. Even though the request is sent over HTTPS, putting credentials in the URL materially increases accidental disclosure risk compared with using an Authorization header or request body.

VirusTotal

63/63 vendors flagged this skill as clean.
