Douyin Creator Marketplace (Xingtu) Creator Order Experience API

Security checks across malware telemetry and agentic risk

Overview

This is a focused JustOneAPI wrapper for one Douyin creator-marketplace read endpoint, with a real but disclosed token-handling caveat.

Install only if you trust JustOneAPI and need this endpoint. Use a scoped or revocable JUST_ONE_API_TOKEN, avoid sharing command output or network traces, and be aware that this helper sends the token in the URL query string.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Privilege Escalation: Excessive Permissions, Sudo/Root Execution, Credential Access
  • Supply Chain: Unpinned Dependencies, External Script Fetching, Obfuscated Code
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
Findings (3)

Missing User Warnings

Medium (98% confidence)
Finding
The skill requires the authentication token as a query parameter and injects it into the request URL, which causes the secret to appear in logs, browser/history equivalents, proxy traces, monitoring systems, and error telemetry. Even though the request is sent over HTTPS, placing credentials in the URL materially increases accidental disclosure risk compared with using an Authorization header.

Missing User Warnings

Medium (97% confidence)
Finding
Passing an authentication token in a query parameter is risky because query strings are commonly logged by clients, proxies, servers, observability tools, and browser history, which can expose credentials beyond the intended recipient. In this skill, the parameter is required and there is no user-facing warning or safer alternative indicated, increasing the likelihood of inadvertent token leakage and subsequent unauthorized API access.

Missing User Warnings

Medium (90% confidence)
Finding
The documentation instructs callers to provide a user authentication token but gives no warning about secure handling, storage, logging, or privacy implications. In API skills, this omission can lead integrators or downstream agents to pass tokens in unsafe ways, especially since the token is sent as a query parameter, which is commonly logged in URLs by clients, proxies, and servers.

VirusTotal

64/64 vendors flagged this skill as clean.