Douyin Creator Marketplace (Xingtu) Marketing Metrics API

Security checks across malware telemetry and agentic risk

Overview

This skill calls only one JustOneAPI marketing metrics endpoint, but users should handle the API token carefully because it is placed in the request URL.

Install only if you trust JustOneAPI with this token. Prefer a limited-scope or short-lived token if available, avoid running it in environments that log command lines or full request URLs, and rotate the token if you suspect it was exposed.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Privilege Escalation: Excessive Permissions, Sudo/Root Execution, Credential Access
  • Supply Chain: Unpinned Dependencies, External Script Fetching, Obfuscated Code
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
Findings (2)

Missing User Warnings

Severity: Medium
Confidence: 96%
Finding
The skill sends the authentication token as a query parameter, which places the secret in the full request URL. URLs are commonly logged by client tooling, proxies, gateways, browser history, and server access logs, so the token can be exposed outside the intended trust boundary even when HTTPS is used.

Missing User Warnings

Severity: Medium
Confidence: 88%
Finding
The operation requires a user authentication token in a query parameter, but the documentation provides no warning about sensitive handling or the risks of placing credentials in URLs. Query parameters are commonly logged by clients, proxies, browser history, analytics systems, and server access logs, which can lead to credential leakage and unauthorized API access if tokens are exposed.

VirusTotal

65/65 vendors flagged this skill as clean.
