Douyin Creator Marketplace (Xingtu) Creator Link Structure API

Security checks across malware telemetry and agentic risk

Overview

This is a straightforward JustOneAPI wrapper for one Douyin/Xingtu GET endpoint, with the main caution that its API token is sent in the request URL.

Install only if you trust JustOneAPI with this Douyin/Xingtu lookup and API token. Keep JUST_ONE_API_TOKEN private, avoid sharing command output or full request URLs, and rotate the token if it may appear in logs, shell history, screenshots, or monitoring tools.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Privilege Escalation: Excessive Permissions, Sudo/Root Execution, Credential Access
  • Supply Chain: Unpinned Dependencies, External Script Fetching, Obfuscated Code
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
Findings (3)

Missing User Warnings

Medium
Confidence: 98%
Finding
The API authentication token is defined and transmitted as a query parameter, which is commonly exposed in logs, browser history, proxies, monitoring tools, and intermediary infrastructure even when HTTPS is used. This unnecessarily increases the chance of credential leakage and unauthorized reuse of the token by anyone who gains access to request URLs or telemetry.

Missing User Warnings

Medium
Confidence: 89%
Finding
The skill makes an outbound request to a third-party endpoint using user-supplied sensitive values, including an authentication token, without any explicit disclosure, consent prompt, or warning about what data is being transmitted. In this context, the risk is heightened because the skill is specifically a thin wrapper around an external API, so the main behavior is forwarding user-provided data off-box to a remote service.

Missing User Warnings

Medium
Confidence: 92%
Finding
The documentation requires a `token` query parameter but provides no warning that it is a sensitive credential or guidance on secure handling. Putting authentication tokens in query strings is risky because they are commonly exposed in logs, browser history, analytics, caches, proxy records, and referrer headers, which can lead to credential leakage and unauthorized API access.

VirusTotal

65/65 vendors flagged this skill as clean.
