Douyin Creator Marketplace (Xingtu) Recommended Videos API

Security checks across malware telemetry and agentic risk

Overview

This skill is a narrow JustOneAPI wrapper for one Douyin/Xingtu endpoint, with a real but disclosed token-in-query handling risk.

Install only if you trust JustOneAPI and the publisher. Use a least-privilege token if available, avoid sharing command lines or logs that may contain the request URL, and rotate the token if it may have been exposed.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Privilege Escalation: Excessive Permissions, Sudo/Root Execution, Credential Access
  • Supply Chain: Unpinned Dependencies, External Script Fetching, Obfuscated Code
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
Findings (2)

Missing User Warnings

Medium (98% confidence)
Finding
The skill defines the authentication token as a query parameter and later appends all query parameters directly into the request URL. Query-string tokens are commonly exposed through logs, browser/history tooling, proxy logs, analytics systems, error messages, and upstream infrastructure, increasing the chance of credential leakage even when HTTPS is used. In this skill context, the danger is real because the script also accepts the token via CLI and may be run in automated environments where full URLs are routinely captured.

Missing User Warnings

Medium (92% confidence)
Finding
The documentation instructs callers to pass a user authentication token as a query parameter but provides no warning about sensitive credential handling. Query-string tokens are commonly exposed through logs, browser history, analytics, referrer headers, and intermediary infrastructure, increasing the chance of credential leakage and unauthorized API access.

VirusTotal

65/65 vendors flagged this skill as clean.