Douyin Creator Marketplace (Xingtu) Marketing Metrics API

Security checks across malware telemetry and agentic risk

Overview

This is a coherent API wrapper for a single JustOneAPI Douyin marketing-metrics endpoint, but its token is sent in the URL query string and should be handled carefully.

Install only if you trust JustOneAPI and are comfortable with the token being sent in request URLs. Use a narrowly scoped or disposable token if available, avoid sharing full URLs, logs, screenshots, or error output from this runner, and rotate the token if it may have been exposed.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Privilege Escalation: Excessive Permissions, Sudo/Root Execution, Credential Access
  • Supply Chain: Unpinned Dependencies, External Script Fetching, Obfuscated Code
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
Findings (3)

Missing User Warnings

Severity: Medium
Confidence: 98%

Finding: The skill sends the authentication token as a query parameter, which places the secret in the full request URL. URLs are commonly captured in logs, proxies, browser history, monitoring systems, and error messages, so the token may be exposed beyond the intended recipient. In this skill context, the risk is real because the code is a generic API wrapper and gives no warning that callers are providing a credential in a leak-prone channel.

Missing User Warnings

Severity: Medium
Confidence: 97%

Finding: Passing an authentication token in the query string is dangerous because URLs are commonly logged by servers, proxies, analytics systems, browser history, and monitoring tools. That increases the chance of credential exposure and unauthorized reuse of the token, especially for an API handling creator marketplace data.

Missing User Warnings

Severity: Medium
Confidence: 92%

Finding: The operation documentation exposes an authentication token as a query parameter and does so without any warning about secure handling. Query parameters are commonly logged by clients, proxies, servers, browser history, and observability tooling, which increases the chance of credential leakage; in an API skill context, this is more dangerous because integrators may directly copy the example usage into automation.

VirusTotal

65/65 vendors flagged this skill as clean.