Douyin Creator Marketplace (Xingtu) Video Details API

Security checks across malware telemetry and agentic risk

Overview

This is a focused JustOneAPI helper for one Douyin Xingtu video-details endpoint; its main risk is that the required API token is sent in the URL query string.

Install only if you trust JustOneAPI with your API token and the Douyin video detail IDs you submit. Keep JUST_ONE_API_TOKEN in the agent environment rather than prompts, screenshots, or logs, and be aware that this API design sends the token in the URL where infrastructure logs may capture it.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Privilege Escalation: Excessive Permissions, Sudo/Root Execution, Credential Access
  • Supply Chain: Unpinned Dependencies, External Script Fetching, Obfuscated Code
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
Findings (1)

Missing User Warnings

Medium
Confidence: 97%
Finding
The skill defines the authentication token as a query parameter and appends it to the URL, which can expose the token through logs, browser/history artifacts, proxy caches, monitoring systems, and Referer propagation. In this skill context, the risk is more significant because the code is a generic API wrapper likely to be used in automation pipelines where full request URLs are commonly recorded.

VirusTotal

65/65 vendors flagged this skill as clean.
