Douyin Creator Marketplace (Xingtu) Author Commerce Seeding Base Info API

Security checks across malware telemetry and agentic risk

Overview

This is a narrow JustOneAPI API wrapper, with the main caution that its required API token is sent in the request URL query string.

Install only if you trust JustOneAPI with this token and the creator-marketplace data you query. Prefer a scoped or revocable token if available, avoid sharing command lines or logs that might include full request URLs, and rotate the token if you suspect exposure.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Privilege Escalation: Excessive Permissions, Sudo/Root Execution, Credential Access
  • Supply Chain: Unpinned Dependencies, External Script Fetching, Obfuscated Code
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
Findings (1)

Missing User Warnings

Medium
Confidence: 98%
Finding
The skill accepts an authentication token and places it into the URL query string before issuing the outbound request. Query parameters are commonly exposed in logs, browser history, proxies, monitoring systems, and upstream infrastructure, so a leaked token could allow unauthorized API access or account/data exposure. In this skill context, the risk is heightened because the token is a primary credential for a third-party API and the code provides no warning or safer alternative.

VirusTotal

65/65 vendors flagged this skill as clean.
