ClawHub
Back to skill

Security audit

Douyin Creator Marketplace (Xingtu) Author Commerce Spread Info API

Security checks across malware telemetry and agentic risk

Overview

This is a narrow read-only JustOneAPI wrapper, with a real but disclosed credential-handling caveat.

Install only if you are comfortable using a JustOneAPI token with this endpoint. Prefer a scoped or revocable token, avoid sharing command output or logs that might include backend errors, and rotate the token if you suspect the request URL or token was logged.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
  • Prompt InjectionInstruction Override, Hidden Instructions, Exfiltration Commands
  • Privilege EscalationExcessive Permissions, Sudo/Root Execution, Credential Access
  • Supply ChainUnpinned Dependencies, External Script Fetching, Obfuscated Code
  • Excessive AgencyUnrestricted Tool Access, Autonomous Decision Making, Scope Creep
Findings (3)

Missing User Warnings

Medium
Confidence
98% confidence
Finding
The skill accepts an authentication token as a query parameter and injects it into the request URL, which exposes the token in places URLs commonly end up: shell history, process listings, proxy logs, browser/debug tooling, server access logs, and error telemetry. Even though the request uses HTTPS, putting secrets in the URL materially increases accidental disclosure risk compared with using an Authorization header or request body.

Missing User Warnings

Medium
Confidence
97% confidence
Finding
The manifest requires a user authentication token to be sent as a query parameter to an external API, but provides no user-facing warning, consent flow, or handling guidance for this sensitive credential. Query parameters are especially risky because they are commonly logged by clients, proxies, servers, and observability systems, increasing the likelihood of token leakage and unauthorized API access.

Missing User Warnings

Medium
Confidence
95% confidence
Finding
The documentation specifies an authentication token as a URL query parameter, which is unsafe because query strings are commonly logged by servers, proxies, analytics tools, browser history, and monitoring systems. In an API-integration skill context, this increases the chance that downstream users or agents will transmit bearer-style credentials in places where they can be inadvertently exposed or retained.

VirusTotal

65/65 vendors flagged this skill as clean.

View on VirusTotal