Douyin Creator Marketplace (Xingtu) Creator Profile API

Security checks across malware telemetry and agentic risk

Overview

This is a narrow JustOneAPI wrapper, with the main caveat that its API token is sent in the URL query string.

Install only if you trust JustOneAPI and are comfortable sending your API token to api.justoneapi.com. Treat JUST_ONE_API_TOKEN as a secret, avoid logging full request URLs, and handle returned creator audience and pricing data as potentially sensitive business information.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Privilege Escalation: Excessive Permissions, Sudo/Root Execution, Credential Access
  • Supply Chain: Unpinned Dependencies, External Script Fetching, Obfuscated Code
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
Findings (3)

Missing User Warnings

Medium
Confidence: 98%
Finding
The skill sends the authentication token as a URL query parameter, which is commonly exposed through logs, browser/history records, proxy infrastructure, monitoring systems, and error telemetry. Even though the request uses HTTPS, query-string secrets are still more broadly propagated than headers, making accidental credential disclosure more likely.

Missing User Warnings

Medium
Confidence: 95%
Finding
The API specification requires the authentication token to be sent in the URL query string, which is a true security weakness because query parameters are commonly logged by servers, proxies, browser history, monitoring tools, and intermediary infrastructure. Even over HTTPS, this design increases the chance of credential exposure and replay if logs or traces are accessed by unauthorized parties.

Missing User Warnings

Low
Confidence: 91%
Finding
The documentation instructs users to supply a user authentication token in a query parameter but provides no warning about secure handling, logging exposure, or privacy implications. Query parameters are commonly captured in logs, browser history, proxies, and monitoring tools, so omitting guidance increases the risk of accidental credential disclosure.

VirusTotal

53/53 vendors flagged this skill as clean.