Douyin Creator Marketplace (Xingtu) Audience Touchpoint Distribution API

Security checks across malware telemetry and agentic risk

Overview

This is a focused JustOneAPI wrapper that does what it claims, with a real but disclosed token-in-URL handling caveat.

Install only if you trust JustOneAPI and are comfortable sending a JustOneAPI token to its API as a URL query parameter. Use the environment variable, avoid pasting tokens into chat or logs, and prefer a scoped or short-lived token if available.

SkillSpector

By NVIDIA

Vulnerability Patterns

Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
Trigger AbuseOverly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
Prompt InjectionInstruction Override, Hidden Instructions, Exfiltration Commands
Privilege EscalationExcessive Permissions, Sudo/Root Execution, Credential Access
Supply ChainUnpinned Dependencies, External Script Fetching, Obfuscated Code

Findings (2)

Missing User Warnings

Medium

Confidence: 98% confidence
Finding: The skill explicitly models the authentication token as a query parameter and injects it into the request URL. Query-string secrets are commonly exposed through logs, browser/history equivalents, monitoring systems, proxy caches, and error telemetry, making credential leakage more likely than if the token were sent in an Authorization header.

Vague Triggers

Low

Confidence: 90% confidence
Finding: The operation definition requires a raw authentication token as a generic query parameter but does not describe its scope, provenance, storage expectations, or whether it is user-specific versus service-level. Putting tokens in query strings increases the chance of accidental exposure through logs, proxies, browser history, telemetry, and shared debugging output, making this a real credential-handling weakness even in a simple interface manifest.

VirusTotal

65/65 vendors flagged this skill as clean.

View on VirusTotal